The Food and Drug Administration (FDA) was sued by six on-staff doctors and scientists after discovering the FDA accessed their personal email accounts (Gmail).
The Washington Post reported that government documents showed that the secret surveillance took place over a two-year period after the staffers complained to lawmakers in Congress that the FDA was approving risky medical devices.
According to the complaint filed against the FDA (PDF), the plaintiff-employees claim the FDA targeted its employees with a covert spying campaign that used spyware to monitor and access the employees’ workplace computers and other technology to monitor the employees’ password-protected Gmail. Additionally, the Complaint alleges that the FDA intercepted email communications, including attorney-client communications by a staffer preparing to file an Equal Employment Opportunity Commission (EEOC) retaliation case against FDA managers.
Employer Monitoring of Employee Email
The Complaint against the FDA, a governmental agency, for monitoring employee email brings into play unique issues that private employers do not necessarily have to consider, such as Fourth Amendment protections. But employer monitoring of employees’ emails in the private sector has met with mixed results:
Stengart v Loving Care (PDF) (2009) involved an employer who provided its employee with a laptop computer and a work email address. Prior to plaintiff’s resignation, she communicated with her attorneys about her anticipated suit against her employer. These email communications were sent from plaintiff’s work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After plaintiff filed suit, the company created a forensic image of the hard drive from plaintiff’s computer and was able to numerous communications between plaintiff and her attorney.
The trial judge found in favor of the employer noting that the company’s policy put employees on sufficient notice that electronic communications, “whether made from her company E-mail address or an Internet based E-mail address would be subject to review as company property.”
The Court of Appeals disagreed, however, and noted that the policy was not clear as to what email use would or would not become company property. The policy also failed to put an employee on notice that he or she should have no expectation of privacy in private emails sent over the employer’s network. The Court further based its decision on the “important societal considerations that undergird the attorney-client privilege.”
Scott v. Beth Israel Med. Center Inc., (N.Y. Sup. Ct. 2007) is a case in stark contrast to Stengart. In Scott, the court sided in favor of the employer and decided that email communications between the plaintiff doctor and his attorney exchanged over the employer’s email system was not protected by the attorney-client privilege or work product doctrine.
The emails in question were were all sent over the employer’s email server. And the employer’s email policy stated, among other things, that the electronic mail systems were the property of the employer and should be used for business purposes only, that employees “have no personal privacy right in any material created, received, saved or sent using [employer’s] communication or computer systems,” and that the employer reserved the right to access and disclose such material at any time without prior notice.
The important distinction between Scott and Stengart is that Scott used his employer provided email account. Stengart, however used her personal email account, but accessed it through her employer provided computer.
The decision-making process for monitoring employee emails is as much about managing legal risks as it is about managing your company’s culture. In that regard, there is not necessarily a right or wrong answers just responses along the spectrum of bad to better.
In any event, among other points that employers should consider in monitoring employee email are the following:
- Have a well-written e-mail policy that clearly advises employees of how company computers, Internet resources, and email will be treated. The lack of such a policy was one of the critical facts the Stengart used to decide in favor of the employee.
- The policy should expreslly note that the employer reserves the right to monitor all e-mail and that employees should have no expectation of privacy in email transmitted through the company system.
- An employer should obtain the employee’s signed acknowledgement that the policy was received and understood. A better check would be to require an employee to click an acknowledgment screen before the employee could log onto the network.
For individual employees:
- You should assume anything you email or otherwise access through your employer’s technology infrastructure will be reviewed.
- Also, it is important to realize that there is the potential that webmail, e.g., Gmail or Yahoo based email, could be retrieved after you have logged out and long after you have left your employer.
- Do not, under any circumstances use your employer’s email system to communicate with your attorney, especially if you are planning on suing that employer.
In regard to this last point, I have on various occassions directed individuals emailing me about legal representation to create a private email account rather than use their employer provided account. While I’ve been called “paranoid,” it is better than later finding out you were correct to believe your email discussions were being monitored.