An Employer Can Be Liable for Accessing an Employee’s Personal Email Even if the Employee Engaged in Misconduct
Over the last several years, communication via email and text has become commonplace in the workplace. Often, employees use one device for both personal and work-related communication, regardless of whether that device is employee-owned or employer-provided. There is no doubt that employers may have legitimate business reasons for monitoring employee communications. For example, an employee may leave the company, and the employer may be concerned that she has taken confidential information or illegally solicited clients. Employers feel entitled to review data stored on employer-provided devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data. As a general rule, the law supports employers here. An employer’s zeal to snoop, however, may subject it to both civil and criminal penalties under both federal and state statutes.
The Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) both govern an employer’s ability to review electronic communications. The ECPA prohibits the interception of electronic communications, and the term “interception” as used in the ECPA has been interpreted narrowly by the courts. The SCA makes it illegal to “access without authorization a facility through which electronic communication service is provided,” and thereby makes it illegal to obtain access to certain communications held in electronic storage. With regard to an employer’s review of employee emails sent through web-based email accounts like Gmail or Hotmail, the most frequent scenario is one in which the former employer is able to access the former employee’s web-based email account because the employee saved his username and password on a device provided by the employer. In these cases, courts have typically sided with the former employee and have been reluctant to punish the former employee for failing to take appropriate steps to secure his own personal information and allegedly private communications. The fact that the credentials were saved on a company-owned device does not, by itself, amount to authorization to use them, and the former employee’s own negligence in securing personal data is not a defense for the employer.
Bottom line – an employer should seek advice before accessing an employee’s personal email account without authorization even though it has the ability to do so.
For more information on this topic please contact:
Howard Teplinsky at 312-368-0100 or firstname.lastname@example.org.
Amendments to Illinois Right to Privacy in the Workplace Act Expand Privacy Protections for Employees
On Jan. 1, 2017, amendments to the Illinois Right to Privacy in the Workplace Act (IRPWA) took effect expanding the protections of IRPWA to prevent employers from insisting on access to any employee’s “personal online accounts.” The broadened definition of “personal online accounts” now includes all “online accounts” “used by a person primarily for their personal purposes.” The IRPWA previously contained a narrower definition of the type of protected accounts and only prevented employers from seeking access to “social networking websites,” such as Facebook.
The amendments to IRPWA prohibit an employer or prospective employer from attempting to gain access to an employee’s personal online accounts. The amendments state that employers cannot “request, require or coerce” an employee to: provide a username or password to any personal online account; authenticate or access a personal account in the presence of the employer; invite the employer to join a group affiliated with any personal account; or join an online account established by the employer. Because IRPWA now defines a “personal online account” as any online account used primarily for personal purposes, these prohibitions reach well beyond social networking sites. Employers may still inquire about business and professional online accounts.
The IRPWA amendments do not prohibit employers from making inquiries regarding personal online accounts in certain limited circumstances, including to assure compliance with federal and Illinois law and to investigate an allegation based on specific information that alleges a violation of law.
Employers who violate IRPWA are subject to civil damages, including up to $500 per affected employee plus costs, attorneys’ fees, and actual damages, for willful and knowing violations. Further, any employer or prospective employer or its agent who violates IRPWA is guilty of a petty offense.
If you have any questions regarding this or any other employment related matter, please contact:
email@example.com or 312-368-0100.
Amendments to Illinois Personal Information Protection Act Expand Breach Notification and Data Security Requirements
The threat of theft or accidental disclosure of electronic personal information is on the rise. On January 1, 2017, new legislation went into effect amending the Illinois Personal Information Protection Act (the “Act”) to expand the definition of protected personal information and to increase certain security and notification requirements for data breaches. Important amendments to the Act include:
- Expanded definition of “Personal Information” for which notice of a breach is required to include certain medical and online account information. The definition of “Personal Information” includes an individual’s first name or first initial and last name and any of the following:
- social security number;
- driver’s license or State identification card number;
- account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- medical information (including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application);
- health insurance information (including an individual’s health insurance policy number or subscriber identification number or any other unique identifier); and
- unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
The definition of “Personal Information” also includes an individual’s user name or email address in combination with a password or security question and answer that would permit access to an online account.
- Expanded Notification Requirements. If a security breach involves an individual’s user name or email address, in addition to a password or security question answer that can allow access to an online account, notice is required to inform the individual that his account information has been breached and that he should promptly change his user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.
- Expanded Data Security Requirements for Data Collectors. Any data collector that owns, maintains, stores, or licenses records that contain Personal Information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
- Compliance with HIPAA. The Act also provides that any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) shall be deemed to be in compliance with the provisions of the Act, provided that notification of a breach is provided to the Illinois Attorney General within five business days of notifying the Secretary of Health and Human Services.
If you have any questions regarding the Personal Information Protection Act’s application to your business or your obligations under the Act, please contact:
firstname.lastname@example.org or 312-368-0100.