Massachusetts Nurse :: November/December 2005

Internet monitoring at work and employee privacy

By Joe Twarog
Associate Director, Labor Education & Training

Imagine this . . .

Mail that is addressed to you at work and marked “Confidential” is picked up by your supervisor. The nurse manager proceeds to open the letter and read the contents, then calls you into her office and disciplines you for what the confidential letter said about herself and the employer.

Sounds outrageous and improbable? It shouldn’t, because this—in effect—is what many employers are doing to employee's electronic mail via electronic monitoring spyware. In fact, the marketing of spyware has become a burgeoning industry in itself. An International Data Corporation study predicts that corporations worldwide will spend $561 million in 2005 on internet filtering and monitoring software. New software products allow companies to monitor absolutely everything passing over their network, from emails to Web site searches to instant messages, in any language without the end user's knowledge.

In March 2005, the Boeing Co. board of directors fired its chief executive, Harry Stonecipher, after snooping through his email and discovering that he was having an affair with an employee of the company. His behavior was a direct violation of the rules of conduct that he himself had promoted, and that ironically cost him his job. However, it raises the basic issue of privacy at work. If a Fortune 500 company monitors the email of its own chief executive, you can be sure that such surveillance occurs in a workplace near you.

A few years ago, the New York Times Co. fired 22 employees in its Virginia business office for distributing potentially offensive email messages. And the Xerox Corp. fired 40 workers for surfing pornographic and shopping sites during work. Email has also been subpoenaed in court. The Enron investigation is an example of how email ended up in court, and as part of a congressional investigation.

Another twist in the employer’s justification for internet monitoring appeared in a recent article in BusinessWeek Online (“Don’t Be an Every Minute Manager,” by Liz Ryan, Sept. 15, 2005). Ryan pointed out that one of the current major obsessions of employers is employee internet usage. The focus of this article though was on the employer’s monitoring of how employee time is spent. She states that, “It’s not just the general appropriateness of your internet usage that’s an issue now. It’s where you spend every single online minute ….”

So the electronic snooping seems to have added another excuse for what Ryan calls “the laziest way to manage”?that is, micro-managing time instead of understanding the nature of work and how to “lead the team to greatness.”

Big brother goes to work

Electronic surveillance is now the norm and not the exception. Stonecipher’s firing is a graphic reminder that one’s email at work is an open book. There is no secrecy for anyone who sends email or conducts internet searches while using a computer at work. A recent survey conducted by the American Management Association of 840 companies revealed that almost 63 percent use some sort of software to monitor employees’ email, both incoming and outgoing. That figure is up from 52 percent in 2003. Over 10 percent of these same companies also monitor instant messaging. Furthermore, the types of companies that are most likely to monitor email are financial institutions and health care providers.

The monitoring software is designed to look for specific words in emails that are considered to be red flags. Such software can also be customized for the particular type of business. Examples of the types of words that are such red flags include: porn, sex, easy money, boss, medication, patient record, meds, SSN, ID number and client file. Workers therefore, and especially nurses, should assume that their email is being monitored.

Moreover, email is very difficult to destroy. Simply “deleting” the document does not mean that it is gone forever. In fact, most electronic documents are backed up and are recoverable. Also, it is valuable to note that the use of a password does not protect in any way the “confidentiality” of internet usage, since spyware easily works around these. Remember, the employer has access to all of the passwords.

Little legal protection

There is not a great deal of law that directly addresses the issue of email and internet privacy. It is still in the evolving stages. Only two states, Connecticut and Delaware, have requirements that obligate employers to notify employees that their email is being monitored. Many Americans assume that the U.S. Constitution guarantees a right to privacy. However, those privacy rights found in the Bill of Rights only apply when the government is the intruding party, and not an employer.

In recent years, bills have been introduced in Congress that would provide for annual notice to employees of the employer’s electronic monitoring practices, as well as how such monitoring would be stored, used or disclosed. However these bills have died in committee. Therefore there is little in federal laws that protect employees’ privacy at the workplace regarding electronic surveillance.

With the passage of the USA Patriot Act in 2001, the threat to employee privacy increased dramatically. As a result of that act, employers may be required to comply with governmental search warrants of employees’ email and voice mail. In fact under the act, even the internet service provider (ISP) may also have access to the contents of electronic communications and be required to disclose information to law enforcement. These ISP disclosures have even been further expanded by provisions in the Homeland Security Act of 2002.

Consider what was recently written in TP Tech News (“Monitoring, Archiving and Indexing Enterprise Email,” by Jack M. Germain, Sept. 26, 2005). “While privacy advocates in the European Union are calling for a balance between workers’ expectations of workplace privacy and employers’ expectations of monitoring email and internet use, U.S. employees have no real right to privacy with their electronic communications in the workplace.”

Employers’ views vs. employees’ rights

Employers, and hospitals in particular, will argue that the reason they monitor electronic communications is because of legal liability concerns and patient confidentiality, especially in light of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Companies also argue that it is a way to keep proprietary information from going out of the office electronically.

Yet employees assume that their private phone conversations and communications will not be monitored by the employer or anyone else. This is referred to as an employee’s “expectation of privacy.” However, the courts have generally held that employees should have no reasonable expectation of privacy where email messages are concerned. The law tends to the view that the employer owns the computer network and terminals and therefore is free to monitor how the equipment is used.

Courts have started to view the concept of the “reasonableness” of the monitoring as it pertains to the employer’s business as a determinant of its permissibility. In other words, did the employer have a reason to conduct internet monitoring that related to its work and its policies and/or was it investigating potentially illegal activity or suspected misconduct.

Therefore, employees have to be on-guard with all internet usage. Even sending innocuous jokes can be dangerous, because everyone does not share the same sense of humor.

The role of the union and possible contractual protections

Given all of the above, the union is once again the prime advocate and defender of workers’ rights and should demand to bargain over internet-monitoring policies. In addition, the National Labor Relations Board (NLRB) has been suggesting that the computer network is a “work area.” The NLRB has ruled that an employee’s email communication is “protected, concerted activity” in a case where the employer fired a worker for sending an email critical of the company’s vacation policy to other employees (Timekeeping Systems Inc. vs. Leinweber).

Some issues that a union could pursue through collective bargaining include:

• Annual (or bi-annual, or quarterly) notices to employees explaining the employer’s electronic-monitoring practices.
• An explanation on the type, purpose, location and provisions of data collection.
• The use of a “signal” to the employee to inform them that they are being monitored.
• Employee access to all personal data collected, with the right to dispute and delete inaccurate data.
• A ban on data collected that is unrelated to work.
• A limit on the monitoring to a “reasonableness standard” with specific work related reasons (patient privacy, investigation of potential misconduct or illegal activity).
• A right for the employee to act against the employer for invasion of their privacy as mutually defined.

Ignoring the issue will not make it go away. We will inevitably be faced with cases where this will be an issue of discipline and litigation. But if the union decides to pursue the issue at the bargaining table, it cannot simply drop it to achieve an agreement on other items. That might let the employer off the hook and free to establish a policy on its own.