It has long been established that employees have a diminished right to privacy while in the workplace but an increased expectation of privacy at home. However, with the recent rise in working remotely, the line between work and home was blurred. At the beginning of the pandemic, many employers supplied the equipment needed for employees to easily transition to working from home—internet routers, cell phones, laptops, and tablets, among other electronics.
Under federal law, employers generally have the right to monitor employees’ use of employer-provided equipment and computer networks including keystrokes, web pages, and work emails. See generally, The Electronic Communications Privacy Act of 1986. A 2018 Gartner report indicated that of 239 large corporations, 50 percent were monitoring the content of employee emails, social media accounts, who employees met with, and how they utilized their workspace. Brian Kropp, “The Future of Employee Monitoring,” Smarter with Gartner (May 3, 2019). Gartner further found that this number was up from only 30 percent in 2015 and was expected to grow to 80 percent in 2020. Id. Notably, that estimate was prior to the work-from-home surge due to the coronavirus pandemic.
The following considerations can be used by employers as they ponder working from home in a time where an individual’s right to increased privacy in the confines of their own home conflicts with the reduced expectation of privacy that individual has while at work.
1. Review Existing Privacy and Security Policies
Employers should first consider their existing company privacy and security policies – policies relating to secured network access, VPNs, cell phone and computer usage if provided by the company should all be reviewed.
2. Know the Legal Limits of Employee Monitoring
Before drafting or revising the policy, it is critical that organizations understand the legal limits of employee monitoring, especially now that employees might be using a mix of company-provided devices and personal devices. If employers will be monitoring employees working from home, it is important to identify the type of data to be monitored, the way it will be monitored, and the reason for monitoring as these answers may implicate different laws and exceptions. Employers should carefully review the laws and regulations that may apply based on those factors.
For instance, monitoring data in transit would be governed by the Electronic Communications Privacy Act of 1986 (ECPA). Despite prohibiting an employer from intentionally intercepting the oral, wire, and electronic communication of employees, ECPA provides several caveats such as the business use exception (which requires an employer to have a legitimate business reason for monitoring employees) and the consent exception (which allows monitoring with consent). See The Electronic Communications Privacy Act of 1986; see also Hannah George, “How Much Employee Monitoring Is Too Much?” American Bar Association (Jan. 2018).
Alternatively, monitoring stored emails on a server would be governed by the Stored Communications Act (SCA), enacted as Title II of ECPA. SCA likely allows employers to review work emails sent and received through its own server, but not personal email accounts as a private email server is not provided by the employer. See The Stored Communications Act, 18 U.S.C. §§2701-2712; see also Brenda R. Sharton & Karen L. Neuman, “The Legal Risks of Monitoring Employees Online,” Harvard Business Review (Dec. 14, 2017), https://hbr.org/2017/12/the-legal-risks-of-monitoring-employees-online; Lisa Nagele-Piazza, “Privacy in the E-Workplace: What Employers Need to Know,” The Society for Human Resource Management, (Nov. 23, 2016).
Organizations should also be mindful of other potentially applicable regulations which can intersect with ECPA and SCA. There are several possible interactions, but to name a few, the Civil Rights Act of 1964 and the Age Discrimination in Employment Act might prohibit certain selective monitoring, even if ECPA or SCA allows monitoring of employees in general. Selective monitoring of employees in certain protected classes such as race, religion, national origin, age, gender, disability, and genetic information might violate these laws. Additionally, the National Labor Relations Act might prohibit monitoring communications of employees while they are engaging in collective-bargaining activity.
One final note on potentially applicable laws is that state laws may also apply, and in some cases, state laws may be even more restrictive. Organizations should evaluate whether their state law restricts or otherwise alters the ability to monitor employees. And, to the extent that employees are working remotely from another state, employers must be aware that these state laws may also require consideration.
Assuming that an employer has determined that monitoring employees’ use of company-provided devices is acceptable under relevant laws, the next step is to draft or revise the company policy. Insofar as the existing policies are outdated, organizations should revise their policies to include provisions relating to remote working, any new technology, and use of company-provided devices, as well as provisions addressing expectations, investigatory procedures, appeal procedures, and any penalties or steps to remedy violations.
4. Consider the Effect that Monitoring Has on Employee Morale
Finally, knowledge is not always power. In some instances, implementing surveillance of employees might increase stress levels and can make even the most loyal employees question whether they are being trusted and valued. Employers should weigh the need for monitoring devices and information against the risk of reduced morale and determine whether there are any less intrusive methods that can be implemented to achieve the same goals.
Kayla A. Day Estes is an attorney with Tucker Law Group in Bangor, Maine, a firm dedicated to representing a variety of employers and insurers in employment litigation, insurance defense, and workers’ compensation defense. She also is a Certified Information Privacy Professional through the International Association of Privacy Professionals (IAPP). As an attorney with Tucker Law Group, Kayla helps employers and insurers navigate Maine’s workers’ compensation laws, employee rights regulations, and other related matters.