So, where’s the line?
With an appropriate “Acceptable Use Policy” or similar workplace rules implemented and properly communicated, it’s clear that messages received via an employee’s work email account may be reviewed where the employer has reasonable grounds to believe that there may be evidence of wrongdoing in the employee’s email. Likewise, a valid Policy may also shield an employer’s review of the content of an employee’s laptop, in appropriate circumstances.

But what if the employee has used work devices to access his or her personal email, for example by setting up a Gmail account on the corporate smartphone? Does this open the door to employer review of the content of the personal email account? Two recent decisions from other jurisdictions suggest that an employer is likely out of bounds if it takes this opportunity to look into the employee’s private correspondence.

Moore’s Industrial Service Ltd., Order P2013-07 (Alberta Information and Privacy Commissioner)

Following his retirement, an employee of the company (“Moore’s”) brought a complaint against his former employer, alleging that the CEO of Moore’s had been accessing and forwarding email from the complainant’s web-based, personal email account long after his retirement. After leaving employment, the complainant had returned a corporate laptop (on which he’d accessed his personal email) to Moore’s. The employee alleged that he had had the hard drive of the laptop wiped before he returned it, but somehow the employer had still managed to access his web mail and forward certain messages to the CEO’s account and to a former co-worker. Approximately 2 months after the first incident, the complainant changed the password to his email account to prevent further access.

Moore’s acknowledged that the complainant’s email account had been accessed, but argued that it only opened and forwarded messages that appeared to relate to its business. Moore’s claimed that its actions were designed to monitor whether the complainant was complying with the terms of a ‘termination agreement’ between the parties. However, Moore’s did not advance any evidence that it had reasonable grounds to suspect a violation of the agreement. The employer also argued that the complainant had implicitly consented to the access by returning the laptop with the web mail application still open (something the complainant denied) and by not changing his email password.

The Alberta Information and Privacy Commissioner concluded that the employee’s personal email account did constitute “personal employee information” for purposes of the Personal Information Protection Act (“PIPA”), which includes the information of a former employee, and that Moore’s did not have consent, actual or implied, to access that information. The employer was not involved in an “investigation”, as defined in section 1(f) of the Act, as Moore’s had not provided the Commissioner with any evidence that it had reason to suspect the complainant was violating the termination agreement. Moreover, the Commissioner concluded:

… In my view, even if the Complainant returned the laptop with his email account information intact, it was not reasonable for [Moore’s] to conclude that the Complainant intended [Moore’s] to access his personal email account on an ongoing basis. A more reasonable conclusion is that the Complainant simply neglected to remove all of his personal information from the laptop or that he tried to do this (or have it done) but failed.

In the circumstances, there was no basis for the Commissioner to “deem” that the complainant had consented to the CEO’s “unfettered access” to his personal email account. The complainant’s failure to change his account password for almost 2 months after the first access was explained by the fact that it took the complainant some time to figure out how his email was being forwarded, and did not constitute proof that he was consenting to the ongoing access.

While the Commissioner did not need to determine whether the employer’s collection, use and disclosure of personal information was “reasonable”, she offered the opinion that Moore’s “continued access to the Complainant’s personal email account is far from being a reasonable collection, use or disclosure of personal information, nor is the purpose at all reasonable.”

In the result, the employer was ordered to stop collecting, using and disclosing the complainant’s personal information, to train staff on the appropriate management of personal information, and to notify the Commission and the complainant once it had complied with the Order.

Lazette v. Chris Kulmatycki, et al., Case No. 3:12CV2416 (U.S. Dist. Ct.)

The plaintiff, Sandi Lazette, was a former employee of Cellco Partnership, which did business as Verizon Wireless (“Verizon”). Kulmatycki was her former supervisor. After Lazette left her employment with Verizon and returned her BlackBerry, she realized that Kulmatycki had continued to access her personal Gmail account that resided on the corporate smartphone. Over a period of 18 months following her departure from Verizon, Kulmatycki had accessed approximately 48,000 personal email messages, without Lazette’s knowledge or consent. She then changed the password on her Gmail account to prevent any further access.

Lazette’s claim included several bases for damages, including violation of the Stored Communications Act (the “SCA”), violation of a state law prohibiting “interception” of electronic communications, common law invasion of privacy, as well as other statutory and common law causes of action. The defendants sought to have the action dismissed.

In its decision on the defendants’ motion, the U.S. District Court for the Northern District of Ohio concluded that some of the plaintiff’s claims should be struck or limited. The defendants argued that the provisions of the SCA were intended solely to address “hackers” breaking into computer systems belonging to others. While the Court agreed that the legislation was “primarily” targeted at “hackers” and similar concerns, its application was more general and created a prohibition on any access to electronic data without authorization. The Court also rejected most of the defendants’ arguments, including their claim that the plaintiff had implicitly given authorization for her employer to access her personal email by failing to delete her Gmail account from the BlackBerry before returning the device to the company.

In rejecting this assertion, the Court observed:

Negligence is, however, not the same as approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.

Nor was the plaintiff required to expressly instruct her former employer that they should not access her personal email. Moreover, even if the plaintiff could be deemed to have authorized monitoring of her personal email, this did not equate to permission to read everything in her account.

The Court did, however, conclude that only those emails that the plaintiff had yet to open were in “electronic storage”, and struck any claims related to opened, undeleted emails that were in her account.

Based on the language and interpretation of the word “intercept” given in prior case law, the Court also accepted the defendants’ contention that the defendants had not “intercepted” the plaintiff’s email: the email was already stored on the service provider’s server, and was then sent to the plaintiff’s device where it was read, so there was no “interception” in the circumstances.

The Court was not prepared to reject the plaintiff’s claim for invasion of privacy, finding:

Many factors can affect whether plaintiff’s expectations that no one would intrude into her e-mail account [are reasonable], particularly in light of her unawareness of Kulmatycki’s ability to do so. Indeed, the precise terms of the warning [in the employee handbook] matter. With regard to what one might expect from a warning of the possibility of occasional, random monitoring is one thing, total absorption is another. Here there are, in any event, several preliminary issues that have yet to be addressed. Among these, aside from the content of the warning, are just what did Kulmatycki do, when did he do it, what were his motives, when might plaintiff have become aware of his intrusions, and what and from whom had she learned about using her company blackberry for a personal e-mail account. These and other factors may have a bearing on the reasonableness of what plaintiff might reasonably have expected when she returned her blackberry.

Given that evidence would have to be adduced on these preliminary issues, the Court was not prepared to reject her claim that the defendants had intruded upon her privacy by accessing her personal email without authorization.

The plaintiff’s other claims were also allowed to stand, although she was required to amend her pleadings to include a specific claim that she had suffered some form of psychological injury or harm as a result of the defendants’ actions.

What does it mean for Ontario employers?

While Ontario has never passed privacy protection legislation applicable to private-sector employment matters (as Alberta has), the 2012 decision of the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32, recognized the existence of a common law tort (cause of action) for invasion of privacy or “intrusion upon seclusion” in Ontario. In that case, involving a bank employee’s unauthorized access to the electronic banking records of the plaintiff, the Court conducted a review of the existing jurisprudence, at common law, under the Canadian Charter of Rights and Freedoms, and emanating from the U.S. and other common law jurisdictions, as well as the patchwork of Canadian privacy legislation. Following this review, the Court of Appeal concluded:

In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

The Court went on to explain:

The case law, while certainly far from conclusive, supports the existence of such a cause of action. Privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy. Charter jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion. Many legal scholars and writers who have considered the issue support recognition of a right of action for breach of privacy: …

… The Internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message.

The Court then formulated the elements of the cause of action:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

Based on this newly recognized cause of action, it is clear that employers should be cautious before accessing an employee’s personal email, even if it is “located” on a corporate smartphone or laptop. While acceptable use policies will typically provide guidance on prohibited activities using employer resources, as well as the fact that monitoring may occur, often employers will (openly or tacitly) permit some personal use of these resources, too. Doing so is likely to create at least the appearance that the employee has some reasonable expectation of privacy in relation to his or her use of the employer property. The alternative of banning any and all personal use is often viewed as draconian and virtually impossible to police.

So what can an employer do and what should be avoided?

· If no personal use of work devices is permitted, ensure that the Acceptable Use Policy is clear that the employer retains the right to review and monitor any use of its resources, including utilizing any passwords and accessing any sites that have been visited using these work tools.

· If, as is more likely, some personal use will be permitted, ensure that the Acceptable Use Policy reflects that employees should not use personal email for business purposes, that confidential business information should not be sent using a personal email account, and that any passwords used to access personal email should be removed and/or changed prior to returning laptops or other devices to the employer.

· Ensure that managers and IT staff are properly trained in the management of corporate devices and the personal information that may be on them. Whenever possible, all personal information should be wiped from laptops and phones when they are returned. Personal email passwords and other sensitive information should be deleted, and web-based email accounts should not be accessed.

· If employees will be exposed to highly sensitive or confidential business information in the course of their duties, consider implementing some form of data-loss prevention technology to flag items of concern and provide the capability to track and/or block their movements both within and outside the organization’s IT infrastructure. This can include the ability to prevent such material from being attached to an email sent through a web-based email account.

As the case law develops, it is likely that privacy protections will continue to expand – particularly as our electronic world continues to put more and more of our personal information at risk of exposure. Employers who provide employees with the resources to access and make that information available via the internet need to be aware that their rights are limited in intruding upon the employee’s privacy – even if the employee forgets to close the door on their personal email.