An Employer Can Be Liable for Accessing an Employee’s Personal Email Even if the Employee Engaged in Misconduct
Over the last several years, communication via email and text has become commonplace in the workplace. Oftentimes, employees use one device for both personal and work-related communication regardless of whether that device is employee-owned or employer-provided. There is no doubt that employers may have legitimate business reasons for monitoring employee communications. For example, an employee may leave the company and the employer is concerned that she has taken confidential information or illegally solicited clients. Employers feel entitled to review data stored on employer-provided, particularly where employees are instructed that the company owns the devices and has the right to monitor the data. As a general rule, the law supports employers here. An employer’s zeal to snoop, however, may subject it to both civil and criminal penalties under both federal and state statutes.
The Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA) both govern an employer’s ability to review electronic communications. The ECPA prohibits the interception of electronic communications, and the term “interception” as used in the ECPA has been interpreted narrowly. The SCA makes it illegal to “access without authorization a facility through which electronic communication service is provided,” making it illegal to obtain access to certain communications in electronic storage. With regard to an employer’s review of employee emails sent through web-based email accounts like Gmail or Hotmail, the most frequent scenario is where the former employer is able to access the former employee’s web-based email account because the employee saved his username and password on a device provided by the employer. In these cases, courts have typically sided with the former employee and have been reluctant to punish the former employee for failing to take appropriate steps to secure their own personal information and allegedly private communications. The former employee’s own negligence in securing personal data is not a defense for the employer.
Bottom line – an employer should seek advice before accessing an employee’s personal email account without authorization even though it has the ability to do so.
For more information on this topic please contact:
Howard Teplinsky at:
312-368-0100 or firstname.lastname@example.org.
Amendments to Illinois Right to Privacy in the Workplace Act Expand Privacy Protections for Employees
On Jan. 1, 2017, amendments to the Illinois Right to Privacy in the Workplace Act (IRPWA) took effect expanding the protections of IRPWA to prevent employers from insisting on access to any employee’s “personal online accounts.” The broadened definition of “personal online accounts” now includes all “online accounts” “used by a person primarily for their personal purposes.” The IRPWA previously contained a narrower definition of the type of protected accounts and only prevented employers from seeking access to “social networking websites,” such as Facebook.
The amendments to IRPWA prohibit an employer or prospective employer from attempting to access employee social media accounts. The amendments state that employers cannot “request, require or coerce” an employee to: provide a username or password to any personal online account; authenticate or access a personal account in the presence of the employer; invite the employer to join a group affiliated with any personal account; or join an online account established by the employer. The amendments also widened the parameters of what constitutes a “personal online account,” which IRPWA now defines as any online account primarily used for personal purposes. Employers may still inquire about business and professional online accounts.
The IRPWA amendments do not prohibit employers from making inquiries regarding personal online accounts in certain limited circumstances, including to assure compliance with federal and Illinois law and to investigate an allegation based on specific information that alleges a violation of law.
Employers who violate IRPWA are subject to civil damages, including up to $500 per affected employee plus costs, attorneys’ fees, and actual damages, for willful and knowing violations. Further, any employer or prospective employer or its agent who violates IRPWA is guilty of a petty offense.
If you have any questions regarding this or any other employment related matter, please contact:
email@example.com or 312-368-0100.