Tuesday, 11 February 2014

Employee Web-based Email on Employer IT Resources – Can an employer look at it?

As more and more employers provide their employees with laptop computers, tablets and smartphones, employers often question whether everything that resides on those IT resources is open to monitoring and review.  These are business resources, and intended primarily for communication related to the employee’s work.  However, most employers also tolerate some personal use, as well, recognizing that increasingly ‘connected’ employees will use these devices for their own purposes on occasion.

So, where’s the line?  With an appropriate “Acceptable Use Policy” or similar workplace rules implemented and properly communicated, it’s clear that messages received via an employee’s work email account may be reviewed where the employer has reasonable grounds to believe that there may be evidence of wrongdoing in the employee’s email.  Likewise, a valid Policy may also shield an employer’s review of the content of an employee’s laptop, in appropriate circumstances.

But what if the employee has used work devices to access his or her personal email, for example by setting up a Gmail account on the corporate smartphone?  Does this open the door to employer review of the content of the personal email account?  Two recent decisions from other jurisdictions suggest that an employer is likely out of bounds if it takes this opportunity to look into the employee’s private correspondence.

Moore’s Industrial Service Ltd., Order P2013-07 (Alberta Information and Privacy Commissioner)

Following his retirement, an employee of the company (“Moore’s”) brought a complaint against his former employer, alleging that the CEO of Moore’s had been accessing and forwarding email from the complainant’s web-based, personal email account long after his retirement.  After leaving employment, the complainant had returned a corporate laptop (on which he’d accessed his personal email) to Moore’s.  The employee alleged that he had had the hard drive of the laptop wiped before he returned it, but somehow the employer had still managed to access his web mail and forward certain messages to the CEO’s account and to a former co-worker.  Approximately 2 months after the first incident, the complainant changed the password to his email account to prevent further access.

Moore’s acknowledged that the complainant’s email account had been accessed, but argued that it only opened and forwarded messages that appeared to relate to its business.  Moore’s claimed that its actions were designed to monitor whether the complainant was complying with the terms of a ‘termination agreement’ between the parties.  However, Moore’s did not advance any evidence that it had reasonable grounds to suspect a violation of the agreement.  The employer also argued that the complainant had implicitly consented to the access by returning the laptop with the web mail application still open (something the complainant denied) and by not changing his email password.

The Alberta Information and Privacy Commissioner concluded that the employee’s personal email account did constitute “personal employee information” for purposes of the Personal Information Protection Act (“PIPA”), which includes the information of a former employee, and that Moore’s did not have consent, actual or implied, to access that information.  The employer was not involved in an “investigation”, as defined in section 1(f) of the Act, as Moore’s had not provided the Commissioner with any evidence that it had reason to suspect the complainant was violating the termination agreement.  Moreover, the Commissioner concluded:

… In my view, even if the Complainant returned the laptop with his email account information intact, it was not reasonable for [Moore’s] to conclude that the Complainant intended [Moore’s] to access his personal email account on an ongoing basis. A more reasonable conclusion is that the Complainant simply neglected to remove all of his personal information from the laptop or that he tried to do this (or have it done) but failed.

In the circumstances, there was no basis for the Commissioner to “deem” that the complainant had consented to the CEO’s “unfettered access” to his personal email account.  The complainant’s failure to change his account password for almost 2 months after the first access was explained by the fact that it took the complainant some time to figure out how his email was being forwarded, and did not constitute proof that he was consenting to the ongoing access.

While the Commissioner did not need to determine whether the employer’s collection, use and disclosure of personal information was “reasonable”, she offered the opinion that Moore’s “continued access to the Complainant’s personal email account is far from being a reasonable collection, use or disclosure of personal information, nor is the purpose at all reasonable.”

In the result, the employer was ordered to stop collecting, using and disclosing the complainant’s personal information, to train staff on the appropriate management of personal information, and to notify the Commission and the complainant once it had complied with the Order.

Lazette v. Chris Kulmatycki, et al., Case No. 3:12CV2416 (U.S. Dist. Ct.)

The plaintiff, Sandi Lazette, was a former employee of Cellco Partnership, which did business as Verizon Wireless (“Verizon”).  Kulmatycki was her former supervisor.  After Lazette left her employment with Verizon, and returned her BlackBerry, she realized that Kulmatycki had continued to access her personal Gmail account that resided on the corporate smartphone.  Over a period of 18 months following her departure from Verizon, Kulmatycki had accessed approximately 48,000 personal email messages, without Lazette’s knowledge or consent.  She then changed the password on her Gmail account to prevent any further access.

The Claim by Lazette included several bases for damages, including violation of the Stored Communications Act (the “SCA”), violation of a state law prohibiting “interception” of electronic communications, common law invasion of privacy, as well as other statutory and common law causes of action.  The defendants sought to have the action dismissed.

In its decision on the defendants’ motion, the U.S. District Court for the Northern District of Ohio concluded that some of the plaintiff’s claims should be struck or limited.  The defendants argued that the provisions of the SCA were intended solely to address “hackers” breaking into computer systems belonging to others.  While the Court agreed that the legislation was “primarily” targeted at “hackers” and similar concerns, its application was more general and created a prohibition on any access to stored electronic data without authorization.  The Court also rejected most of the defendants’ arguments, including their claim that the plaintiff had implicitly given authorization for her employer to access her personal email by failing to delete her Gmail account from the BlackBerry before returning the device to the company.  In rejecting this assertion, the Court observed:

Negligence is, however, not the same as approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.

Nor was the plaintiff required to expressly instruct her former employer that they should not access her personal email.  Moreover, even if the plaintiff could be deemed to have authorized monitoring of her personal email, this did not equate to permission to read everything in her account.

The Court did, however, conclude that only those emails that the plaintiff had yet to open were in “electronic storage”, and struck any claims related to opened, undeleted emails that remained in her account.

Based on the language and interpretation of the word “intercept” given in prior case law, the Court also accepted the defendants’ contention that the defendants had not “intercepted” the plaintiff’s email:  the email was already stored on the service provider’s server, and was then sent to the plaintiff’s device where it was read, so there was no “interception” in the circumstances.

The Court was not prepared to reject the plaintiff’s claim for invasion of privacy, finding:

Many factors can affect whether plaintiff’s expectations that no one would intrude into her e-mail account [are reasonable], particularly in light of her unawareness of Kulmatycki’s ability to do so. Indeed, the precise terms of the warning [in the employee handbook] matter. With regard to what one might expect from a warning of the possibility of occasional, random monitoring is one thing, total absorption is another. Here there are, in any event, several preliminary issues that have yet to be addressed. Among these, aside from the content of the warning, are just what did Kulmatycki do, when did he do it, what were his motives, when might plaintiff have become aware of his intrusions, and what and from whom had she learned about using her company blackberry for a personal e-mail account. These and other factors may have a bearing on the reasonableness of what plaintiff might reasonably have expected when she returned her blackberry.

Given that evidence would have to be adduced on these preliminary issues, the Court was not prepared to reject her claim that the defendants had intruded upon her privacy by accessing her personal email without authorization.

The plaintiff’s other claims were also allowed to stand, although she was required to amend her pleadings to include a specific claim that she had suffered some form of psychological injury or harm as a result of the defendants’ actions.

What does it mean for Ontario employers?

While Ontario has never passed privacy protection legislation applicable to private-sector employment matters (such as Alberta has), the 2012 decision of the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32, recognized the existence of a common law tort (cause of action) for invasion of privacy or “intrusion upon seclusion” in Ontario.  In that case, involving a bank employee’s unauthorized access to the electronic banking records of the plaintiff, the Court conducted a review of the existing jurisprudence, at common law, under the Canadian Charter of Rights and Freedoms, and emanating from the U.S. and other common law jurisdictions, as well as the patchwork of Canadian privacy legislation. Following this review, the Court of Appeal concluded:

In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

The Court went on to explain:

The case law, while certainly far from conclusive, supports the existence of such a cause of action.  Privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy. Charter jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion. Many legal scholars and writers who have considered the issue support recognition of a right of action for breach of privacy: …

… The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

The Court then formulated the elements of the cause of action:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

Based on this newly recognized cause of action, it is clear that employers should be cautious before accessing an employee’s personal email, even if it is “located” on a corporate smartphone or laptop.  While acceptable use policies will typically provide guidance on prohibited activities using employer resources, as well as the fact that monitoring may occur, often employers will (openly or tacitly) permit some personal use of these resources, too.  Doing so is likely to create at least the appearance that the employee has some reasonable expectation of privacy in relation to his or her use of the employer property.  The alternative of banning any and all personal use is often viewed as draconian and virtually impossible to police.

So what can an employer do and what should be avoided?

· If no personal use of work devices is permitted, ensure that the Acceptable Use Policy is clear that the employer retains the right to review and monitor any use of its resources, including utilizing any passwords and accessing any sites that have been visited using these work tools.

· If, as is more likely, some personal use will be permitted, ensure that the Acceptable Use Policy reflects that employees should not use personal email for business purposes, that confidential business information should not be sent using a personal email account, and that any passwords used to access personal email should be removed and/or changed prior to returning laptops or other devices to the employer.

· Ensure that managers and IT staff are properly trained in the management of corporate devices and the personal information that may be on them.  Whenever possible, all personal information should be wiped from laptops and phones when they are returned.  Personal email passwords and other sensitive information should be deleted, and web-based email accounts should not be accessed.

· If employees will be exposed to highly sensitive or confidential business information in the course of their duties, consider implementing some form of data-loss prevention technology to flag items of concern and provide the capability to track and/or block their movements both within and outside the organization’s IT infrastructure.  This can include the ability to prevent such material from being attached to an email sent through a web-based email account.

As the case law develops, it is likely that privacy protections will continue to expand – particularly as our electronic world continues to put more and more of our personal information at risk of exposure.  Employers who provide employees with the resources to access and make that information available via the internet need to be aware that their rights are limited in intruding upon the employee’s privacy – even if the employee forgets to close the door on their personal email.
