Testimony of Kenneth C. Segarnick, Esquire
before the
Subcommittee on the Constitution
of the
Committee on the Judiciary
United States House of Representatives
H.R. 4908, the "Notice of Electronic Monitoring Act"
September 6, 2000
Kenneth C. Segarnick, Esquire
United Messaging, Inc.
1161 McDermott Drive, Suite 300
West Chester, PA 19380
(610) 425-2817
ken.segarnick@unitedmessaging.com
Mr. Segarnick is Assistant General Counsel of United Messaging, Inc., a Philadelphia-based e-mail outsourcing company providing consulting and managed messaging services to businesses worldwide. As chair of United Messaging's in-house legislative and policy development staff, Mr. Segarnick engages in a broad array of monitoring, advisory and analytical activities relating to the electronic messaging industry. He also consults clients of United Messaging on how to formulate comprehensive office e-mail usage and securitization policies, and conducts seminars on legal issues surrounding Internet and e-mail usage in the workplace. Before joining United Messaging this year, Mr. Segarnick was an attorney with the Philadelphia law firm of Dilworth Paxson LLP, where he practiced in the firm's e-commerce and litigation practice groups. He also served as Legal Advisor to the Wharton School Small Business Development Center from 1999-2000.
Testimony of Kenneth C. Segarnick, Esquire
H.R. 4908, the "Notice of Electronic Monitoring Act"
September 6, 2000
Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify about e-mail monitoring in the workplace and H.R. 4908, the "Notice of Electronic Monitoring Act" (hereinafter "NEMA").
Electronic communication, e-mail in particular, has quickly become a predominant (and preferred) method of communication for companies around the nation. (An estimated 130 million workers are projected to transmit more than 2.8 billion e-mail messages this year alone!)1 And most experts agree that e-mail has changed the workplace for the better. With its capacity for instantaneous transmission and widespread dissemination, as well as a broad range of functionality, e-mail is an essential tool for increasing productivity and efficiency in the workplace.
Yet the same attributes of e-mail that have vastly enhanced corporate communication have also led to a multitude of unexpected difficulties for employers, including exposure to various forms of legal liability. In addition to traditional work environment issues (i.e., sexual harassment, discrimination, and the like), e-mail has introduced a whole host of new issues ranging from employee privacy rights to economic espionage. For some companies, e-mail has been the key to a Pandora's box, opening the door to some of the darkest and most guarded secrets of corporate America. Workplace e-mail has also raised concerns about security of sensitive information and potential waste of corporate computer resources.
Several major U.S. companies have recently engaged in a corporate crackdown on improper use of e-mail and the Internet. For example, last year the New York Times Company fired more than 20 employees for sending e-mail the company deemed inappropriate and offensive. Xerox also terminated 40 employees last year for inappropriate use of the Internet. Just last month, Dow Chemical Co. fired about 50 workers for sending explicit pornographic images through the company's e-mail system and disciplined another 200 workers for distributing, downloading or saving pictures that were either pornographic or violent in nature. Similarly, Merck & Co. had recently taken action against an unspecified number of employees as part of an ongoing corporate investigation on improper use of e-mail and the Internet.
In an ongoing effort to safeguard against the many pitfalls arising from office e-mail usage, many companies have instituted automated monitoring programs. Statistics show that about 17% of FORTUNE 1,000 companies, along with a handful of federal agencies, presently employ software that enables them to monitor their employees' overall computer activity.2 That figure is expected to increase to 80% by 2001.3 The share of major U.S. companies checking employee e-mail messages has jumped to 27% in 2000 from 15% in 1997, according to a survey conducted by the American Management Association.4 And about 16% of those companies that monitor e-mail do not notify their workers that they check.5
Computer monitoring comes in many shapes and forms; ranging from content-filtering – designed to block messages containing a specified set of terms – to programs that log every single keystroke of an individual's computer. Some companies might be surprised to learn that state-of-the-art virus and spam blockers should also be regarded as computer monitoring.
The advent of monitoring e-mail and computer usage in the workplace has spawned a debate over the propriety of such practices, pitting employers' interests in preventing misuse of their computer resources against employees' expectations of privacy in their electronic communications. The debate over computer surveillance has been further fueled by the covert nature of most monitoring programs; most corporate monitoring programs are capable of accomplishing their surveillance without detection by individual users. Employers maintain that there are compelling reasons to monitor employee e-mail, varying from supervising employee productivity to preventing hostile work environments. Employees, however, claim that without some restrictions on an employer's ability to monitor e-mail, privacy protection will all but disappear from the workplace, resulting in an "electronic sweatshop" where constant monitoring takes place.6
Presently, the case law on point has resolved this debate in the company's favor, leaving employees with little recourse against employers who snoop through their e-mail. Specifically, courts in various jurisdictions have ruled that an employee does not have a reasonable expectation of privacy in e-mail communication voluntarily made over a company e-mail system. One District Court went so far as to hold that an employee does not have a reasonable expectation of privacy in his workplace e-mail notwithstanding company assurances that such communications would not be intercepted.
In Smyth v. Pillsbury Company,7 the plaintiff filed suit against his former employer claiming that he was wrongfully discharged from his position as a regional operations manager. The plaintiff was terminated after the defendant intercepted certain private e-mail messages transmitted by the plaintiff containing what it deemed to be inappropriate and unprofessional comments. The plaintiff claimed that he relied on assurances from the defendant that all e-mail communications would remain confidential and privileged and that such communications could not be intercepted and used against him for termination or reprimand when he transmitted the e-mail at issue. As such, the plaintiff claimed that the defendant encroached upon his right to privacy and his termination was therefore improper.
In dismissing the plaintiff's complaint, the District Court held, in part, that the plaintiff had no reasonable expectation of privacy when using the company's e-mail system despite assurances from the company to the contrary. Specifically, the Court stated:
Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system that was apparently utilized by the entire company, any reasonable expectation of privacy was lost. … Rather, plaintiff voluntarily communicated the alleged unprofessional comments over the company e-mail system. We find no privacy interest in such communications.
[E]ven if we found that an employee had a reasonable expectation of privacy in the contents of his e-mail communications over the company e-mail system, we do not find that a reasonable person would consider the defendant's interception of these communications to be a substantial and highly offensive invasion of his privacy. … [T]he company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.8
Similarly, in another recent decision, the Court of Appeals of Texas held that a plaintiff did not suffer a tortious invasion of privacy when his employer reviewed and disseminated e-mail messages that were stored in a "personal folders" application on his office computer.9 Despite the fact that the plaintiff stored his e-mail messages under a private password and in his "personal folders," the court concluded that the plaintiff had no reasonable expectation of privacy in such messages. Notably, the court's analysis honed in on the misconception that an employee's personal workstation is the equivalent to his personal property:
[The plaintiff's] workstation was provided to him by [the defendant] so that he could perform the functions of his job. In connection with that purpose…part of his workstation included a company-owned computer that gave [the plaintiff] the ability to send and receive e-mail messages. Thus, contrary to his argument on appeal, the e-mail messages contained on the company computer were not part of [the plaintiff's] personal property, but were merely an inherent part of the office environment.10
At least one court, however, has declined to dismiss the common-law claims of two former employees terminated for writing disparaging messages about their employer. In Restuccia v. Burk Technology,11 the president of a company was alleged to have spent approximately eight hours accessing and reviewing his employees' e-mail messages. The plaintiffs sent e-mails that included disparaging nicknames for the president and allegations that he was having an affair with another co-worker. The company had no policy prohibiting personal e-mail messages, but did prohibit excessive on-line chatting. The employees were never advised that their supervisor could access their computer files or that their messages were automatically saved on back-up files to which their supervisor had access.
The employees sued under a Massachusetts statute that prohibited the interception of wire communications and also alleged common-law claims of negligent infliction of emotional distress, invasion of privacy, wrongful termination and loss of consortium. The court first held that an employer's storing and reviewing of e-mail messages on a company server did not violate the wiretapping statute. The court did, however, deny the employer's motion for summary judgment on the employees' common-law claims, holding that issues of material fact remained unanswered. In rendering its decision, the Restuccia court emphasized that there was no company policy against using the e-mail system for personal messages and that the company never disclosed to its employees that all e-mail messages were automatically stored on the computer's backup system and were accessible by management.
Seeking to bring uniformity to the patchwork of inconsistent rules that presently extend to e-mail, NEMA has been introduced with bi-partisan support in both houses of Congress. NEMA is intended to impose a fair and reasonable check on monitoring activities, and afford employees the right to know whether, when, and how their employer is watching them. Although the Act is aimed at enhancing employee privacy rights, it does not deprive an employer of its right to monitor. However, NEMA acknowledges that, while employees should not have an expectation of privacy in e-mail voluntarily sent, stored, or received on the company's system, they are entitled to clear notice from employers who choose to exercise their monitoring rights. In essence, NEMA recognizes the pervasiveness of e-mail and accords a higher sense of "dignity" to this form of communication.
In particular, NEMA requires employers to notify their employees of any monitoring of communications or computer usage. It covers reading or scanning of employee e-mail, keystroke monitoring, or programs that monitor employee Internet use. The requisite notice must be clear, conspicuous, and given annually and whenever policies change. The notice must also specify the frequency of the monitoring, the kinds of information likely to be monitored, how the monitoring will be accomplished, and how the information will be stored and used.
If an employer engages in secret monitoring in violation of the notice requirements under the Act, they are subject to suit for up to $20,000. While such suits are thought to be few and far between based on the "modest terms" of the Act12, the notice requirement may be more of an onerous burden for an employer to sustain than intended.
Section (3)(b) of the Act states:
(b) NOTICE - A notice meeting the requirements of this subsection is a clear and conspicuous notice, in a manner reasonably calculated to provide actual notice, describing—
(1) the form of communication or computer usage that will be monitored;
(2) the means by which such monitoring will be accomplished and the kinds of information that will be obtained through such monitoring, including whether communications or computer usage not related to the employer's business are likely to be monitored;
(3) the frequency of such monitoring; and
(4) how information obtained by such monitoring will be stored, used, or disclosed.
Initially, the Act does not define the form in which notice is required to be given to employees. Although section (3)(b) specifies "clear and conspicuous notice, in a manner reasonably calculated to provide actual notice," it is unclear as to whether such notice must be in written form. Arguably, even verbal notification of a company's monitoring practices passes muster under the Act, provided that such notice encapsulates the remaining requirements of section (3)(b). In fact, no one could argue that an employer who grabs the shirt collar of an employee and spouts out every detail of the company's monitoring program failed to provide notice in a way "reasonably calculated to provide actual notice." However, verbal notification of monitoring is undesirable, as it is subject to varying interpretations and it cannot be reproduced in the event a dispute arises between employer and employee. This problem can be easily remedied by requiring employers to provide written notice either on paper or through a "click-wrap agreement" where a company's notice appears online. Therefore, I would suggest amending the Act accordingly.
Another, and perhaps more complex, problem arises from section (3)(b)(3) of the Act, under which an employer must disclose the "frequency" of its monitoring practices. By disclosing the frequency of its monitoring activities, an employer may unwittingly raise the standard of care owed to an employee, particularly if a high frequency of monitoring is specified. Under certain circumstances, if a company asserts that it is engaging in continuous monitoring of its e-mail system, but does not have the resources to maintain this frequency level or for whatever reason chooses not to extensively monitor the system, it may nonetheless be bound by its representation that it was engaging in a high level of monitoring. In other words, the company may be imputed with having constructive notice of certain harassing or discriminating or other inappropriate comments being transmitted over its e-mail system, thereby increasing the company's standard of care.
For example, assume that a company asserts that it will engage in the highest frequency of monitoring by utilizing a keystroke-monitoring program that will log an employee's every move on the computer. Some employees may rely on the employer's assertion of continuous monitoring and, as a result, expect the employer to be aware of unprofessional or inappropriate content or illegal activity occurring over its network. Consequently, it may be reasoned that the employer had constructive notice of a sexually explicit e-mail message, for example, transmitted over the company's network, even if the employer never actually implemented any monitoring program at all.
A company can avoid this scenario by specifying its actual level of monitoring, i.e., random or responsive only, but it would then lose some of the deterrent effect of its monitoring policy. Another way to avoid altering the employer's standard of care would be to insert a corrective amendment in the Act stating that nothing in section (3)(b)(3) will be construed as imputing the employer with constructive notice of any activity occurring on its network. Finally, removing the frequency disclosure requirement altogether would alleviate the constructive notice/standard of care issue without undermining the spirit and intent of the Act.
Section (3)(b)(2) of the Act requires an employer to specify the sphere of information that will be targeted by its monitoring regimen. This requirement, however, may actually mislead employees into believing they have a reasonable expectation of privacy in the types of information not targeted by the employer. It also leaves open the question of whether an employer retains the right to review information not defined as "the kinds of information that will be obtained through … monitoring."
If section (3)(b)(2) forces an employer to identify the types of information that can be legally monitored, it may impede one of the few positive trends occurring in corporate e-mail and computer use policies today – sanctioned personal usage. Because most employees will occasionally write a personal e-mail or use the Internet to do a personal search, many employers are expressly allowing such personal use in their written policies, provided that it does not interfere with the business purposes of the company or the employee's job responsibilities. Rather than banning personal use outright, many corporate policies simply provide guideposts regarding personal use of computer resources, i.e., restricting such use to specific times (breaks, meals, after hours, etc.). However, a statement of whether an employer is "likely" to monitor e-mail or other Internet use "not related to the employer's business" may put an end to permitted personal usage. Especially in light of the fact that most monitoring programs target non-business related communications, employers would be in the awkward position of consenting to personal e-mail, for example, and explicitly stating that the very same e-mail will likely be monitored. Under such circumstances, authorized use of personal e-mail no longer appears as a sincere gesture and will eventually likely fade away from corporate policies.
In conclusion, the private sector, as with law enforcement, has a manifest need for increased privacy rights associated with e-mail and computer usage. Limitations on an employer's current unfettered right to monitor employee e-mail would certainly be a step in the right direction. The difficulty is counterbalancing an employer's legitimate interest in monitoring its computer resources with an employee's expectations of privacy. Unfortunately, NEMA's notice requirements may prove too much by enhancing employee rights at the expense of the employer. Of course, the subtle inequities of NEMA that I have alluded to in this testimony can be easily rectified with corrective amendments. With these modifications, I wholeheartedly support this bill.
Once again, I would like to express my appreciation for having this opportunity to appear and testify before the Subcommittee. I am available to field questions now or at your convenience.
In accordance with the terms of House Rule XI, clause (2)(g)(4), I hereby certify that no federal grant, contract or subcontract has been received by me or United Messaging, Inc. in this or in the preceding two fiscal years.