Privacy

Employee Monitoring

An overview of technologies, treatment, and best practices.

By Andrew Milam Jones


Roughly three quarters of Americans work at a computer.1 It is not surprising, then, that how employees use the company’s networks, email systems, and web resources is of great interest to employers. Employers monitor for many well-established reasons, such as ensuring productivity, preventing theft of trade secrets, minimizing the risk of harassment or discrimination claims, and more. This article considers technological and legal developments regarding employee monitoring.2

 

Technologies
Increasingly sophisticated technologies are used to observe any imaginable use of a workplace computer system. The technologies can record precisely which systems, documents, and files are accessed, modified, and printed; they can observe and record every keystroke made on a keyboard; and they can provide screenshots activated by optical character recognition. They can be viewed in real time and can provide a recording of a computer screen through entire work shifts. They can be installed remotely and surreptitiously.3

Employee monitoring goes beyond the mere use of computer systems. Millions of Americans use badges to access parking lots, buildings, and special floors and areas of their workplaces. Their movements are also monitored by closed circuit television, or CCTV. Technology has also blurred the line between workplace and home: employees’ locations may be tracked at any time, as may be the very specific nature of their driving habits (e.g., speeding, rapid acceleration, or braking, etc.).

Growing numbers of employers use biometric sensors and other devices that measure and analyze incredibly detailed information about workplace activities in ways unimaginable even a few years ago.

One Boston startup provides employers with a device resembling a common employee badge that uses Bluetooth, infrared motion sensors, an accelerometer, and microphones to record an employee’s conversations, his or her movements about the office, proximity to his or her desk and to others, posture, and overall activity level. The technology is coupled with device monitoring technologies. The combined technologies are used to measure productivity, chart social interactions, determine who is influential or who is isolated, and ascertain who is overworked and may need additional team members. The technology allows employers to better allocate resources, both human and capital.4

Another technology uses artificial intelligence to analyze employees’ conversations—words spoken, speech volume, tonal qualities, interruptions, and more—to detect joy, anger, or stress or to learn what sort of project strategies are most effective. The results can be used to consider organizational changes, modifications to projects, or specific actions to address individual performance concerns.5

 

Legal Treatment
Emerging methods for employee monitoring raise a multitude of privacy concerns. While federal law affords privacy protections to telephonic, email, and internet communications, exceptions generally permit employers to monitor these communications.6 In Texas, like the U.S. generally, employers are typically free to monitor their employees’ internet and email usage. Emerging statutes, both federal and state, are beginning to place more regulation on assorted forms of employee monitoring, but not surprisingly, these laws tend to lag well behind the technological capabilities they seek to regulate.7

In the absence of statutes, common law notions of privacy provide the best available guidance on appropriate boundaries for employee monitoring. Like most states, Texas recognizes the tort of invasion of privacy, and more specifically, the tort of intrusion upon one’s seclusion, solitude, or private affairs. There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, upon another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person. When assessing the offensive nature of the invasion, courts further require the intrusion to be unreasonable, unjustified, or unwarranted. Plaintiffs must thus demonstrate that a reasonable expectation of privacy exists in the circumstances in question.8 Reasonable expectations may be determined by the employer’s interest in the monitoring, the means employed, and whether notice was provided, among other things. In considering whether a given kind of monitoring is justified, it can be helpful to consider whether the monitoring would be fair and reasonable in the absence of the technology that permits the monitoring in question to occur.

While employers are generally afforded wide latitude to monitor, there are numerous instances in which employees have been found to have an expectation of privacy in their electronic communications at work. For instance, in Stengart v. Loving Care Agency, the New Jersey Supreme Court found that an employee had a reasonable expectation of privacy in emails sent to her lawyer through a password-protected, personal, web-based account that she accessed on her company laptop.9

Employees are also afforded protections under existing and emerging statutory frameworks. Actions under the Electronic Communications Privacy Act and Stored Communications Act have been used to challenge monitoring practices, including an employer who used keylogging technologies to obtain an employee’s bank account password.10 Labor union regulations have also been relied upon to contest monitoring.11 Employee location tracking by GPS has also been contested, under state privacy laws, labor laws, and other theories.12

Certain circumstances support monitoring of employees and reduce an employee’s reasonable expectation of privacy. For example, a number of states, including Texas, require employers to report cases in which they discover that child pornography has been accessed on company systems. While employers are shielded from liability for failing to report improper internet usage “except in a case of wilful or wanton misconduct,” it is not hard to imagine that juries may conclude that failures to detect such usage meet an exception.13 Another example concerns employees who work with vulnerable persons, such as teachers or assisted living facility nurses. The need for closer monitoring of these employees is understandable but raises various privacy considerations.14

Employers with international employees must consider relevant foreign laws. Two recent noteworthy European cases are instructive. The first, Barbulescu v. Romania, involved an employee fired for using a Yahoo Messenger account for personal emails. His employer had asked him to set up the account, but later he used it for personal chats. The Grand Chamber of the European Court of Human Rights, reversing Romanian courts, found that Bogdan Barbulescu’s privacy rights had been violated. In its opinion, the Grand Chamber cited a lack of prior information about the extent and nature of the employer’s monitoring, as well as the possibility that the employer might have access to the actual content of the messages.15

The second case, Antovic & Mirkovic v. Montenegro, involved the use of CCTV in a college lecture room. Math professors Nevenka Antovic and Jovan Mirkovic complained that their right to privacy was violated by the overt placement of CCTVs in their lecture halls. The ECHR, once again reversing the high court of a member nation, found that, despite the public location of the cameras, their placement violated the professors’ privacy rights.16

 

Best Practices for Employers
Employers wishing to take advantage of new, sophisticated monitoring tools do so at a time in which the rules are arguably playing catch-up. Nonetheless, certain best practices can help companies make good use of these tools while minimizing risks:

  • Employers should carefully consider whether and how to monitor, especially in cases where the line between work and personal life is blurred (e.g., location monitoring or bring-your-own-device policies). For internet use, employers should consider less intrusive alternatives, such as blocking.

  • Employers should provide thorough and detailed notices to employees in advance of monitoring, for all types of monitoring, and they should make the disclosures part of their employee handbooks. Employers should utilize consent and waiver forms, recognizing that some jurisdictions may deem them ineffective.

  • Employers should follow strict protocols on the deployment and use of monitoring tools to limit access to appropriate individuals and to ensure that decisions involving collected data are fair and reasonable. Collected data should be securely held and promptly deleted when no longer needed.

  • Monitoring policies and procedures should be developed and routinely reviewed with consultation among human resources, information security, and legal professionals, as well as third-party experts. The policies should be harmonized with acceptable use policies for employees and with protocols and processes for information security teams.

  • As applicable, before commencing any new form of monitoring, employers should conduct impact assessments, consult with privacy regulatory authorities, and consult with works councils (notably in cases in which European or similar laws apply). TBJ

Notes
1. See Saida Mamedova & Emily Pawlowski, Stats in Brief: A Description of U.S. Adults Who Are Not Digitally Literate, U.S. Department of Education (May 2018), at 5, https://nces.ed.gov/pubs2018/2018161.pdf.
2. This article considers employee monitoring during the active portion of the employment life cycle. Other aspects of the employment life cycle are not considered (e.g., background checks, benefits information, etc.).
3. See generally Rob Marvin, The Best Employee Monitoring Software, PC Magazine (Sept. 27, 2019, 3:00 PM), https://www.pcmag.com/roundup/357211/the-best-employee-monitoring-software.
4. Sarah Krouse, The New Ways Your Boss is Spying on You, Wall Street Journal, July 20, 2019, B1, B6-7. See also @TheEconomist, Some employers are making workers wear surveillance equipment to monitor their productivity, Twitter (Feb. 8, 2019, 7:01 AM), https://twitter.com/theeconomist/status/1093857285439455232.
5. Id.
6. See generally Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2523, amending the Wiretap Act) and the Stored Communications Act (18 U.S.C. §§ 2701-11), which permit monitoring of an employee’s internet and email use where the review is authorized by the employer’s policies and information is stored on employer-provided communications services. Monitoring of employee telephone conversations by employers is generally limited to certain types of calls (e.g., customer call centers).
7. For example, a growing number of states have enacted laws that prohibit employers from seeking login information from employees or applicants for personal electronic accounts, such as social media accounts. Texas has generally taken a hands-off approach, but a notable exception is Texas’ biometric privacy law, one of the first in the nation and which, inter alia, prevents employers from using an employee’s biometric identifiers without prior consent. Tex. Bus. & Comm. Code § 503.001.
8. See McLaren v. Microsoft Corp., 1999 Tex. App. LEXIS 4103 (Tex. App.—Dallas May 28, 1999, not designated for publication per Tex. R. App. P. 47.7) (finding employee had no expectation of privacy in company email); K-Mart Corp. Store No. 7441 v. Trotti, 677 S.W.2d 632 (Tex. App.—Houston [1st Dist.] 1984), writ ref’d n.r.e., 686 S.W.2d 593 (1985) (finding employee did have an expectation of privacy in company locker used to store personal effects); Valenzuela v. Aquino, 853 S.W.2d 512, 513 (Tex. 1993) (noting elements of intrusion of privacy tort); and Wilhite v. H.E. Butt Co., 812 S.W.2d 1, 6 (Tex. App.—Corpus Christi 1991, no writ) (associating intrusion of privacy with physical invasion, eavesdropping, or spying).
9. See Stengart v. Loving Care Agency, 201 N.J. 300, 990 A.2d. 650 (2010); but compare Fazio v. Temporary Excellence, Inc., 2012 WL 300634 (N.J. Super.) (App. Div. 2012) (attorney-client privilege waived when employee sent emails from the employer’s email account).
10. See Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S.D. Ind. 2011) (state wiretap act relied upon). See also Owen v. CIGNA, 188 F.Supp.3d 790 (S.D. Ill. 2016).
11. See Purple Communications, Inc., 361 NLRB No. 126 (N.L.R.B. Dec. 11, 2014) (limiting employers’ ability to prevent employee use of emails on company systems regarding union activities).
12. See Arias v. Intermex Wire Transfer, L.L.C., (Super. Ct. Kern County, 2015, No. S-1500-CV-284673) and Case No. 1:15-cv-01101-JLT (E.D. Cal. 2015) (employee fired for refusing to permit location tracking application to remain on her mobile phone; case settled). See also Elgin v. St. Louis Coca-Cola Bottling Co., Case No. 4:05CV970-DJS (E.D. Mo. Nov. 14, 2005) (employee claim of invasion of privacy regarding covertly placed GPS device during theft investigation dismissed on summary judgment).
13. See Tex. Bus. & Comm. Code § 110, notably at § 110.002(b).
14. See, e.g., Karen Levy, et al., Regulating Privacy in Public/Private Space: The Case of Nursing Home Monitoring Laws, 26 Elder L.J. 323 (2019).
15. See Barbulescu v. Romania, 61496 Eur. Ct. H.R. 8 (2017), available at http://hudoc.echr.coe.int/eng?i=001-177082.
16. See Antovic & Mirkovic v. Montenegro, 70838 E. Ct. of H.R. 13 (Nov. 28, 2017), available at https://www.bailii.org/eu/cases/ECHR/2017/1068.html.

 

ANDREW MILAM JONES
serves as senior director and legal counsel to Epsilon Data Management, LLC (Publicis Groupe), a targeted marketing, analytics, and data services company, where he practices in support of technology and privacy related matters. His prior experience includes in-house roles at MoneyGram International, where he focused on privacy law matters, and AT&T, where he practiced for more than a decade in regulatory, litigation, transactional, and legislative roles. Jones holds an economics degree from Kansas State University and a law degree from the University of Kansas, and he may be reached at andrew.jones@lionresources.com.
