The Resource Newsletter for Home and Hospice Care March Home Care The Law

Transcription

1 The Resource Newsletter for Home and Hospice Care March 2010 & Home Care The Law LEGAL HOT TOPIC: Employee Monitoring: Know the Risks or Risk Major Liability by Robert W. Markette, Jr., CHC. This issue s legal hot topic focuses on monitoring employees and communications monitoring policies and procedures. Know the pitfalls before you begin monitoring employees to avoid this becoming an even larger source of liability. Employers who have failed to do so have found themselves being sued for violating not only federal laws, but also employee privacy. pgs Published by Indiana Association for Home and Hospice Care, Inc G Rucker Road Indianapolis, IN n (317)

2 LEGAL HOT TOPIC/Robert W. Markette, Jr., CHC Employee Monitoring: Know the Risks or Risk Major Liability Employers who have failed to do so have found themselves being sued for violating not only federal laws, but also employee privacy. Home health and hospice employers face a rising trend of lost productivity due to the misuse of the Internet in the workplace. Employees spend time engaged in numerous non-productive activities such as surfing the web, reviewing non-work related websites, instant messaging, updating their status on Facebook. According to one recent Gallup poll, the average employee spends over 75 minutes a day using office computers for non-business activity. All of this unproductive activity occurs while the employee is being paid by you to discharge their job duties. For home health and hospice providers, this trend impacts your office and administrative staff. It may also impact your field staff, when they use company issued lap tops and PDAs to surf the Internet, send and receive personal , send personal texts from company cell phones, etc. Employees can also waste time with personal phone calls at the office or on company issued cell phones. For field staff, the risk may even be greater, as there is no one around to monitor their usage. Because of this trend, employers are considering, and implementing, policies, procedures, and technology to monitor employees. Employers are choosing to monitor, because eliminating the Internet at work is no longer feasible. Companies rely upon for communications, web-based portals for billing, networked calendars for scheduling, and many other legitimate business purposes. This leads employers to pursue a strategy of monitoring and discipline to reduce time lost to the Internet. When employers implement these policies, procedures, and technologies, they do not always consider a very important countervailing interest their employees right to privacy. Employees are suing employers who have intercepted personal communications as part of an employee monitoring program. Employees are bringing claims under the federal Wiretap Act and Stored Communications Act, as well as state law invasion of privacy claims. It is important to understand how these laws apply and to implement your policies and procedures accordingly. If you do not, you risk being sued by your employees as a result of your efforts to protect your bottom line from employee waste. Page 2

3 Laws Impacting Employer Monitoring There are two federal statutes that are implicated by employer s efforts to monitor their employees. The first statute is Title III of the Omnibus Crime Control and Safe Streets Act of 1968, more commonly known as the Wiretap Act. The second is the Stored Wire and Electronic Communications Act, more commonly known as the Stored Communications Act, which was part of the Electronic Communication Privacy Act of Federal Wiretap Act The federal Wiretap Act was passed to restrict the interception of phone calls and similar wire communications. It contains both criminal and civil penalties. The Act prohibits individuals or entities from intentionally intercepting or attempting to intercept any wire, oral, or electronic communication. It also prohibits individuals or entities from using a third party to do the same things. The three types of communication wire communication, oral communication, and electronic communication are each specifically defined. The term wire communication is defined as any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or like connection This term includes telephone calls, voice mail and other aural transfers. An electronic communication is any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system. This definition has several exceptions, including any wire or oral communication. According to one recent Gallup poll, the average employee spends over 75 minutes a day using office computers for non-business activity. Although the application of this statute to telephone calls and voice mail has been straightforward, the way an message travels across cyberspace has led to some confusion over when the Wiretap Act applies to intercepting messages. During transmission across the Internet, messages are broken down into packets and moved from server to server across the Internet. They are then transferred from server to server until they reach the server where the recipient s account resides. Except for very brief periods of actual transmission, the messages spend most of their time in storage on one intermediate server after another until arriving at their destination. At that point, the packets are reassembled into a message and placed in the recipient s box. Along the way, the message may be stored and retrieved several times. The message does not simply go from the sender s computer to the receiver s computer, in the way a telephone call goes from phone to phone. This means that when an message is diverted by an individual, it is copied out of this intermediate storage. It is not diverted as it crosses the wires connecting two computers. This has led some courts to conclude that e- mail cannot be intercepted as defined by the wiretap act. They conclude that the allegedly intercepted s where not intercepted, because they were simply copied from a hard drive while in storage during transmission. Page 3

4 The SCA was intended to protect the privacy of individuals who used Internet service providers, because the act prohibited unauthorized access to information stored on computers. These courts hold that copying s out of intermediate storage is subject to the Stored Communications Act. Other federal courts, including those with jurisdiction over Indiana, have found the Wiretap Act applies to , even though storage of the is part of the transmission. Courts that have applied the Wiretap Act to have found that the key issue is whether the interception was contemporaneous with the transmission. For example, in one case, an IRS agent was able to access an server owned by his employer and alter the mail delivery system so that copies of every addressed to his boss were also sent to him. When the mail server received the , it would make an additional copy it and forward it to the Defendant. The court held that even though the interception occurred while the was on the server s hard-drive, it was contemporaneous with the transmission and therefore a violation of the Wiretap Act. Stored Communications Act The Stored Communications Act ( SCA ) was passed by Congress as part of the Electronic Communications Privacy Act of The ECPA was passed to extend the protections of the wiretap act to other forms of electronic communications. The SCA was intended to protect the privacy of individuals who used Internet service providers, because the act prohibited unauthorized access to information stored on computers. The SCA specifically prohibits: intentionally access[ing] without authorization a facility through which an electronic communication service is provided; or intentionally exceed[ing] an authorization to access that facility and thereby obtaining, altering, or preventing authorized access to a wire or electronic communication while it is in electronic storage in such system... The terms wire and electronic communication have the same definitions as in the Wiretap Act. The term electronic storage is defined as any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and any storage of such communication by an electronic communication service for purposes of backup protection of such communication. In other words, the act protects electronic communications in storage on your service provider s server and in storage on any other servers during the process of transmitting the electronic communication across the Internet. In addition to applying this statute to interceptions of s, courts have applied this statute to situations where employers accessed an employee s personal account. In one case, an employee stopped working for a company, but left his company computer configured to automatically log into his personal account. When the employer turned on the computer and started the web browser, the employer was automatically logged into the employee s personal account. The employer used this access to gain information on the employee s efforts to unfairly compete with the employer. The employer was found to have violated the SCA, because the employer did not have authority to access the employee s personal account. Page 4

5 Invasion of Privacy Another potential source of liability in employee monitoring is being sued by a current or former employee for breach of privacy. Indiana, like many states, recognizes the tort of invasion of privacy. Invasion of privacy comes in four distinct forms, but only one form is of any concern for employers who monitor their employees. This is known as invasion of privacy by intrusion into seclusion. To prevail on an invasion of privacy by intrusion claim, the plaintiff must show that the defendant intruded upon the plaintiff s physical solitude or seclusion, as by invading his home or other quarters and the intrusion would be considered offensive or objectionable to a reasonable person. One example of an offensive or unreasonable search is an illegal search. Indiana Courts have applied the intrusion by seclusion rationale in a number of contexts, but they have not yet addressed how this tort applies to cyberspace. In fact, one court noted that thus far, every intrusion by seclusion case in Indiana has involved a physical invasion of the plaintiff s space or property. This does not mean an Indiana court will not apply this tort in cyberspace, but it leaves open the question of what the courts might do. Even though Indiana Courts have not specifically addressed this cause of action, providers need to be aware that it is a possible response. Invasion of privacy comes in four distinct forms, but only one form is of any concern for employers who monitor their employees. This is known as invasion of privacy by intrusion into seclusion. Exception: Consent Although these laws would appear to make it illegal to implement an employee monitoring program, both the Wiretap Act and the SCA contain exceptions for consent. If at least one party to the communication consents to the interception, there is no liability. The first thing to consider here is that the employer is not a party to the communication unless the employer is communicating with the employee. In most instances the employer is the provider of the communications equipment, computers and/or Internet access. The employee is using these items to engage in improper communications. The employee and whomever they are communicating with are the parties to the communication. This means the employee or the other party must consent to the interception or access for it to pass muster under the Wiretap Act or the SCA. If either the employee or the other party has consented, either expressly or by implication, the monitoring is not a violation. The tort of invasion of privacy does not rely upon consent, instead an employee s right to privacy can be eliminated by removing their reasonable expectation of privacy. An employee can only raise an invasion of privacy claim if he or she can argue that they had a reasonable expectation of privacy in the communication. If the employee is put on notice that they have no expectation of privacy in your computers, phones, etc., they cannot claim that their privacy was invaded. The most efficient and effective way to address the consent/expectation of privacy issue is through properly drafted and implemented policies and procedures. When done properly, policies and procedures put the employee on Page 5

6 notice of the monitoring, provide proof of the employee s consent to the monitoring, and undermine claims that an employee expected privacy. Drafting effective policies If you have the means to monitor employee phone calls, you must determine the scope of the monitoring. Your personnel policies should put your employees on notice that you can and will monitor their communications. Your policies should address monitoring telephone calls, cellular phones, , etc. Your policies should be in place before you start any monitoring program. Telephone Monitoring In order to monitor your employees telephone calls, you must have a method in place to do so. Some companies have a system that allows them to listen in on every telephone call that comes into or goes out the office. One example of such a system is the quality assurance monitoring system some companies put into service for customer service purposes. If you have the means to monitor employee phone calls, you must determine the scope of the monitoring. For example, will you monitor all employee phone calls, including personal calls or will you only monitor business calls. This decision will depend upon a number of factors, including your specific concerns with employee conduct and the types of telephone calls that have been a problem. You must also decide how much monitoring you will perform. For example, if you have decided to monitor only business calls, will you monitor every business call or will you only monitor some business calls. This is important, because if you are going to monitor all phone calls, you should say you are going to monitor all phone calls. If you have the facilities to monitor all calls, you must consider whether to provide a means for employees to make private nonmonitored calls. You might provide the employees with phones that are not subject to monitoring or you might suggest they use personal cellular phones. If you are going to allow some means to make personal calls, you may want to consider whether you will define parameters of employee personal calls during working hours. Once you make these determinations you can then draft a policy and procedure to implement them. The policy should clearly state what calls will be monitored and the frequency of the monitoring. If you intend to monitor all calls, the policy should state that you monitor all telephone calls at all times. If you state you will monitor only business calls, you should only monitor business calls. You only have consent from the employee to engage in the monitoring you tell them about. Telling the employees about some monitoring will most likely not create implied consent to broader monitoring. In one Wiretap Act case, the employer s policy stated that they would monitor calls between the employee and the company s customers. The policy also made it clear that not all of the employee s calls to company customers would be monitored. The employee sued her employer after her supervisor intercepted two personal phone calls between the employee and the employee s spouse. The employer attempted to defend the claim by arguing that the employee had impliedly consented to the monitoring, because she placed a personal call on Page 6

7 phones that she knew the employer could monitor. The court relied heavily on the fact that the employer s policy clearly stated that some, but not all calls between the employee and customers would be monitored. Because the policy explicitly stated only business calls would be monitored, the court reasoned the employee could not have known her personal call would be monitored. The Court concluded that where the employee would not have expected her personal calls to be monitored, she could not be found to have consented to the monitoring simply be placing a personal call on the employer s phones. It is worth noting that the court implied the employer was free to monitor all of the calls it wanted. But by drafting its policies to encompass a narrower range of calls, the employer limited itself to only monitoring this lesser range of calls. The mere fact that the employee used the employer s telephone did not amount to consent to monitoring beyond the scope of the stated policy. This reinforces a key point, once you have drafted your policies and procedures, you should follow them. If you do not, you likely do not have consent to intercept the communications. Once you have drafted the policy, your employees should be given a copy of the policy and procedure as well as a chance to ask any questions they might have. You should also have the employee sign an acknowledgement that they have received and reviewed the policy. Employees should also be clearly told that they have no expectation of privacy in the contents of any communication sent or received using the company s system. You must then make sure that your staff is following the policy. This may include random audits to determine what monitoring is occurring. If an employee complains that the policy is not being followed, you should investigate. You do not want to discover an otherwise lawful policy has become a source of liability when you are served with a lawsuit. Monitoring monitoring should be addressed in the same manner as telephone monitoring. You should first consider what is allowed with the company system, until you decide what employees can and cannot do you do not know what you are looking for with monitoring. In most cases, the company policy will be that company is only for company business. Any use of company for personal business will then become the basis for discipline. Once you have decided on your corporate use policy, you then need to decide how you will monitor use. Your monitoring policy will be influenced by a number of factors including: capabilities of your software and/or ISP, volume of , resources to dedicate to monitoring, etc. Once you have decided to monitor employee , you need to determine what monitoring tools your system can provide. You may be able to forward copies of all s that are sent and received to an additional in box. This would allow you obtain copies of every sent by your employees, but may require a substantial amount of time to audit. Your system most likely will allow for more refined monitoring, such as forwarding of s with certain words, phrases, or addresses. Page 7

8 You may choose to only monitor employees when you suspect they are misusing your system, planning to steal confidential information, etc. You could then review only that employee s . Of course, this has the disadvantage of allowing other employees to get away with abuses until such time as you identify the problem and begin to monitor their activities. There are a wide range of ways to implement monitoring. You must carefully consider this issue and affirmatively decide upon a policy. Once you have determined what you can do and how you will implement monitoring, you should draft a policy and procedure that notified the employees that you will monitor usage. The employees should be aware that you can and will intercept and read their s, regardless of whether they are business or personal. Employees should also be clearly told that they have no expectation of privacy in the contents of any communication sent or received using the company s system. They should also be told that they do not have any reasonable expectation of privacy in , personal or corporate, stored on the company s computers, regardless of whether the was sent or received using the company s system. The former may be implied in any policy that states the employer monitors use, but the latter is not. It is important to be very broad in this language, because employees may use your computer s to send and receive s from other systems. If you search an employee s computer and find s that were not sent using your system and you did not make it clear that they do not have a reasonable expectation of privacy in stored on your computers, you may have created liability for yourself. Text Messaging Another area to consider is text messaging from company cell phones. The use of text messaging by employees has led to employers receiving bills for overages. These overages may be due to employees using company cell phones to send personal text messages. Your current computer and Internet usage policies may not help you in a text message case if they do not specifically address text messaging. In one recent case, an employer was sued after it obtained copies of every text message sent by an employee from his company issued cellular phone. The employer requested the copies from the cellular phone company, because the employee had a significant overage. Upon auditing the employees text message, the employer discovered that a significant number of the message were of a personal nature. Your current computer and Internet usage policies may not help you in a text message case if they do not specifically address text messaging. In one recent case, an employer was sued after it obtained copies of every text message sent by an employee from his company issued cellular phone. The employee objected that this was an invasion of his privacy. The court agreed, because the company had an informal policy of not auditing text messages, but simply asking employees to pay any overage fee. The employee had had prior instances of overages and, in each case, had been asked to pay the overage, but had not had his text messages reviewed. The court found the employer had violated the employee s right to privacy. The court s ruling focused on the lack of a policy stating the employer would review text messages along with the employer s informal policy of only requir- Page 8

9 ing the employee to pay the overage. This case makes it clear that providers should consider cell phone/pager text messaging in their electronic communications policies and procedures. Text messaging is becoming a more and more popular way to contact individuals and to share quick messages. Employees can abuse these in a way that costs employers money. Your policy should not only address appropriate use of text messages, but expectations of privacy and monitoring of text messages. If your employees are clearly told that the cell phone/pager is only for company use and you will review the messages as part of a regular audit or an overage audit, they will not be able to make the privacy claim the employees did in the previous case. This case focused on the employee s expectation of privacy in text message retrieved from the service provider. A related issue is whether employees have a reasonable expectation of privacy in text message stored on a company issued cell phone. This is another area that should be expressly addressed in your policies and procedures. It might be part of a company equipment policy and procedure or it might also be part of your text messaging policies and procedures. Company Equipment Your policies and procedures should make it clear that the employee has no reasonable expectation of privacy regarding any message, , communication, document, or other information stored on a company computer, PDA, cell phone, pager, or other company issued device. This is important, because there are a number of cases where employees have stored personal s, text messages, documents, and other information on a company issued device and then objected when the employer obtained copies. Plainly stating to employees that they cannot expect these things to remain private eliminates potential issues later. Monitoring Internet Usage Employers have a number of technology options for monitoring Internet usage. This can include monitoring instant messaging, Internet chat sessions, and web browsing. Many firewall products can provide employers with a record of the websites visited by employees. There are a number of software products that can expand upon this monitoring. There are other software products that can block, manage and monitor Internet messaging and chat sessions on your company s network. In addition, the browser on your employees computers will keep track of the web sites they have visited in the browser s history. If blocking websites, messaging and chats are not an option, monitoring is your alternative. You will first need to formulate a policy on appropriate Internet usage. Then, when you have evidence of employee s violating the policy, due to your monitoring, you can take disciplinary action against them. As with other forms of monitoring, your employees should know you can and will monitor their Internet usage. Your policy should make it clear that your Page 9 Your policy should make it clear that your employees have not reasonable expectation of privacy in their usage of the Internet.

10 employees have not reasonable expectation of privacy in their usage of the Internet. You should also tell them that you will access their computer in order to check their browser history, cookies, etc. If your employees have been told they have no reasonable expectation of privacy on company issued devices, including computers, they have no basis to object to a search of the browser history, cookies, etc. These searches are less likely to turn up employee communications and more likely to produce evidence of employees wasting company time. Video Surveillance Another area that employer s are considering is workplace video surveillance. This can be an area that employees object to very strenuously, because they feel that you are watching them. This is, of course, exactly what you are doing. As with other forms of monitoring, this type of monitoring can be done legally. If video surveillance is done using video cameras without microphones, the employer can avoid a potential wiretap act violation, because there is no interception of an oral communication. There is still a privacy issue. As with other forms of monitoring, informing employees that you will be implementing video surveillance and that they will be monitored at all times eliminates the employees expectation of privacy. This policy should be implemented and provided to the employees before you start recording the workplace. You should avoid placing hidden cameras in your offices. You should also avoid placing cameras in bathrooms. Implementing Policies as Drafted You should avoid placing hidden cameras in your offices. You should also avoid placing cameras in bathrooms. Once you have drafted these policies and procedures, they need to be implemented as drafted and followed as drafted. In the text messaging case discussed above, one of the employer s problems was that the individual in charge of the pager program was allowed to create an informal policy by what he told employees. The individual responsible for the pagers stated he did not want to monitor text messages and that if the employee paid the overage he would not look at the messages. This became the employer s de facto policy and reinforced the employees claim that he had a reasonable expectation of privacy in the texts. Making sure your policies are implemented as drafted requires you to train management on these policies. They should know what they can and cannot do. For example, if your policy states you will not monitor personal calls, you should not monitor personal calls. A manager or other employee who exceeds the scope of your policies and procedures can lead to a violation of the Wiretap Act, the Stored Communications Act or an invasion of privacy claim. The employees responsible for implementing the program should know that if they violate the policies and procedures they will be disciplined. Page 10

11 Annual Review Your employees should be given a copy of your communications and monitoring policies and procedures every year. They should sign a new acknowledgement each year as well. This avoids an employee later claiming they did not understand or were not aware, because it had been several years since the came to work for you. As the employer, you should consider your policies each year. As technology changes and new forms of communication develop, your policies may not cover the technologies you have implemented in your agency. You may need to consider additional monitoring policies and procedures. You may need to revise older policies and procedures. If you change your policies and procedures, you will need to provide copies of the new policies and procedures to employees and have them execute a new acknowledgement form. Performing an annual review will help you to slip into non-compliance from expanding your monitoring without formally adopting policies or from relying upon old policies that do not apply to new means of communication. Conclusion As communications technologies change and grow, employer communications policies and procedures need to change as well. Monitoring employee communications has become more and more common as employers seek to limit time lost to employee s who use company time to send personal s, surf the Internet and/or text message. Employers who have decided to monitor employee communications need to take precautions to avoid potential liability later. Employers must carefully consider and implement communications monitoring policies and procedures before they begin monitoring their employees or risk monitoring becoming an even larger source of liability. Employers who have failed to do so have found themselves being sued for violating not only federal laws, but also employee privacy. Employers who have previously implemented monitoring policies and procedures need to review them regularly, because communications technologies are constantly changing. Robert W. Markette, Jr., CHC is a partner at Gilliland & Markette LLP. He can be reached at (317) or rmarkette@gillilandmarkette.com. This column, which represents the author s view and not necessarily those of IAHHC, is for educational and informational purporses only, is not intended to be legal advice, and should not be used for legal guidance or to resolve specific legal problems. In all cases, agencies should seek legal advice applicable to their own specific circumstances. Home Care & The Law Published by the Indiana Association for Home & Hospice Care, Inc. Members are encourage to submit legal topics for future issues to the Indiana Association for Home and Hospice Care, Inc.; 6320-G Rucker Road, Indianapolis, IN Page 11

12 Home Care & The Law Published by Indiana Association for Home and Hospice Care, Inc G Rucker Road Indianapolis, IN n (317) Employee Monitoring: Know the Risks or Risk Major Liability Your policies and procedures should make it clear that the employee has no reasonable expectation of privacy regarding any message, , communication, document, or other information stored on a company computer, PDA, cell phone, pager, or other company issued device. Learn how to protect your agency. Page 12