An overview of technologies, treatment, and best practices.
By Andrew Milam Jones
Roughly three quarters of Americans work at a computer.1 It is not surprising then, that how employees use the company’s networks, email systems, and web resources is of great interest to employers. Employers monitor for many well-established reasons, such as ensuring productivity, preventing theft of trade secrets, minimizing the risk of harassment or discrimination claims, and more. This article considers technological and legal developments regarding employee monitoring.2
Increasingly sophisticated technologies are used to observe any imaginable use of a workplace computer system. The technologies can record precisely which systems, documents, and files are accessed, modified, and printed; they can observe and record every keystroke made on a keyboard; and they can provide screenshots activated by optical character recognition. They can be viewed in real time and can provide a recording of a computer screen through entire work shifts. They can be installed remotely and surreptitiously.3
Employee monitoring goes beyond the mere use of computer systems. Millions of Americans use badges to access parking lots, buildings, and special floors and areas of their workplaces. Their movements are also monitored by closed circuit television, or CCTV. Technology has also blurred the line between workplace and home: employees’ locations may be tracked at any time, as may be the very specific nature of their driving habits (e.g., speeding, rapid acceleration, or braking, etc.).
Growing numbers of employers use biometric sensors and other devices that measure and analyze incredibly detailed information about workplace activities in ways unimaginable even a few years ago.
One Boston startup provides employers with a device resembling a common employee badge that uses Bluetooth, infrared motion sensors, an accelerometer, and microphones to record an employee’s conversations, his or her movements about the office, proximity to his or her desk and to others, posture, and overall activity level. The technology is coupled with device monitoring technologies. The combined technologies are used to measure productivity, chart social interactions, determine who is influential or who is isolated, and ascertain who is overworked and may need additional team members. The technology allows employers to better allocate resources, both human and capital.4
Another technology uses artificial intelligence to analyze employees’ conversations—words spoken, speech volume, tonal qualities, interruptions, and more—to detect joy, anger, or stress or to learn what sort of project strategies are most effective. The results can be used to consider organizational changes, modifications to projects, or specific actions to address individual performance concerns.5
Emerging methods for employee monitoring raise a multitude of privacy concerns. While federal law affords privacy protections to telephonic, email, and internet communications, exceptions generally permit employers to monitor these communications.6 In Texas, like the U.S. generally, employers are typically free to monitor their employees’ internet and email usage. Emerging statutes, both federal and state, are beginning to place more regulation on assorted forms of employee monitoring, but not surprisingly, these laws tend to lag well behind the technological capabilities they seek to regulate.7
In the absence of statutes, common law notions of privacy provide the best available guidance on appropriate boundaries for employee monitoring. Like most states, Texas recognizes the tort of invasion of privacy, and more specifically, the tort of intrusion upon one’s seclusion, solitude, or private affairs. There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, upon another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person. When assessing the offensive nature of the invasion, courts further require the intrusion to be unreasonable, unjustified, or unwarranted. Plaintiffs must thus demonstrate that a reasonable expectation of privacy exists in the circumstances in question.8 Reasonable expectations may be determined by the employer’s interest in the monitoring, the means employed, and whether notice was provided, among other things. In considering whether a given kind of monitoring is justified, it can be helpful to consider whether the monitoring would be fair and reasonable in the absence of the technology that permits the monitoring in question to occur.
While employers are generally afforded wide latitude to monitor, there are numerous instances in which employees have been found to have an expectation of privacy in their electronic communications at work. For instance, in Stengart v. Loving Care Agency, the New Jersey Supreme Court found that an employee had a reasonable expectation of privacy in emails sent to her lawyer through a password-protected, personal, web-based account that she accessed on her company laptop.9
Employees are also afforded protections under existing and emerging statutory frameworks. Actions under the Electronic Communications Privacy Act and Stored Communications Act have been used to challenge monitoring practices, including an employer who used keylogging technologies to obtain an employee’s bank account password.10 Labor union regulations have also been relied upon to contest monitoring.11 Employee location tracking by GPS has also been contested, under state privacy laws, labor laws, and other theories.12
Certain circumstances support monitoring of employees and reduce an employee’s reasonable expectation of privacy. For example, a number of states, including Texas, require employers to report cases in which they discover that child pornography has been accessed on company systems. While employers are shielded from liability for failing to report improper internet usage “except in a case of wilful or wanton misconduct,” it is not hard to imagine that juries may conclude that failures to detect such usage meet an exception.13 Another example concerns employees who work with vulnerable persons, such as teachers or assisted living facility nurses. The need for closer monitoring of these employees is understandable but raises various privacy considerations.14
Employers with international employees must consider relevant foreign laws. Two recent noteworthy European cases are instructive. The first, Barbulescu v. Romania, involved an employee fired for using a Yahoo Messenger account for personal emails. His employer had asked him to set up the account, but later he used it for personal chats. The Grand Chamber of the European Court of Human Rights, reversing Romanian courts, found that Bogdan Barbulescu’s privacy rights had been violated. In its opinion, the Grand Chamber cited a lack of prior information about the extent and nature of the employer’s monitoring, as well as the possibility that the employer might have access to the actual content of the messages.15
The second case, Antovic & Mirkovic v. Montenegro, involved the use of CCTV in a college lecture room. Math professors Nevenka Antovic and Jovan Mirkovic complained that their right to privacy was violated by the overt placement of CCTVs in their lecture halls. The ECHR, once again reversing the high court of a member nation, found that, despite the public location of the cameras, their placement violated the professors’ privacy rights.16
Best Practices for Employers
Employers wishing to take advantage of new, sophisticated monitoring tools do so at a time in which the rules are arguably playing catch-up. Nonetheless, certain best practices can help companies make good use of these tools while minimizing risks:
Employers should carefully consider whether and how to monitor, especially in cases where the line between work and personal life is blurred (e.g. location monitoring or bring your own device policies). For internet use, employers should consider less intrusive alternatives, such as blocking.
Employers should provide thorough and detailed notices to employees in advance of monitoring, for all types of monitoring, and they should make the disclosures part of their employee handbooks. Employers should utilize consent and waiver forms, recognizing that some jurisdictions may deem them ineffective.
Employers should follow strict protocols on the deployment and use of monitoring tools to limit access to appropriate individuals and to ensure that decisions involving collected data are fair and reasonable. Collected data should be securely held and promptly deleted when no longer needed.
Monitoring policies and procedures should be developed and routinely reviewed with consultation among human resources, information security, and legal professionals, as well as third-party experts. The policies should be harmonized with acceptable use policies for employees and with protocols and processes for information security teams.
As applicable, before commencing any new form of monitoring, employers should conduct impact assessments, consult with privacy regulatory authorities, and consult with works councils (notably in cases in which European or similar laws apply). TBJ
ANDREW MILAM JONES
serves as senior director and legal counsel to Epsilon Data Management, LLC (Publicis Groupe), a targeted marketing, analytics, and data services company, where he practices in support of technology and privacy related matters. His prior experience includes in-house roles at MoneyGram International, where he focused on privacy law matters, and AT&T, where he practiced for more than a decade in regulatory, litigation, transactional, and legislative roles. Jones holds an economics degree from Kansas State University and a law degree from the University of Kansas, and he may be reached at email@example.com.