QUESTION
I am the Assistant General Counsel
for a large mortgage lender. We are licensed in all states and have several
origination platforms. Your weekly FAQs are often used as topics of discussion
in our compliance meetings. Thank you for providing this fine service!
Recently, we undertook a review of
the expectation of privacy relating to our employees, especially those working
in our online and call platforms. I know that you are one of the few compliance
companies that provide Call Calibration reviews, so you may know the ins-and-outs
of employee privacy.
We want to add a brief outline to
our employee privacy policy, supported by case law, that sets forth our
guidelines.
In general, what is a reasonable
expectation of privacy for employees?
In particular, given our extensive
branch structure and multiple platforms, what are some protected employee
privacy interests with respect to an employee’s physical person and electronic
locations?
ANSWER
Thank you for reading our FAQs and
using them in your compliance commitments. Your questions require an extensive
response; however, due to the constraints of the FAQ format, I will only provide
a brief response. Hopefully, my response will help to contribute to your
deliberations. Given the implications of your inquiry, I will write more about
this subject from time to time.
Yes, we provide Call
Calibration reviews, which is the tracking and compliance evaluation of
calls. We offer quality assurance Call Calibration in various settings, such as
between online platforms and consumers, telemarketing initiatives, and call
center marketing. We also provide a Call Center Manual and a plan for Call
Calibration Methodologies. To receive a presentation for Call Calibration,
Click Here.
Let’s be clear, privacy is, to some extent, the “right to be left alone.” That
said, no one living in our society today can be left entirely alone. It is
important to balance the interest of society and that of the individual using
some objective standard to determine whether an intrusion on privacy is
actionable.
Maybe “intrusion” seems like a
harsh word. Some people would find any intrusion to
be objectionable even if it is not outrageous to a person of ordinary
sensibilities.[i] Many
courts have found that persistent attempts to interview and photograph a
plaintiff, soliciting sex under non-aggravated circumstances, using harsh names
and insulting gestures, are intrusions that may invoke a feeling of being
highly offensive to a reasonable person, but may not be actionable under an “intrusion
upon seclusion cause of action.” In general, courts have held that conduct that
is merely offensive, insensitive or intrusive is non-actionable if it does not
involve outrageously unreasonable conduct. Defining the word “outrageous” is what
lawsuits are supposed to determine.
You likely know about
the tort of intrusion, which could be brought against those parties who
assist in, cooperate in, instigate, command, encourage, ratify, condone, aid,
assist or advise in the intrusion.[ii]
This might infer that a systems operator or network service provider could also
be liable under the tort of intrusion because these may furnish the means and
opportunities for the intrusion and have some knowledge or intention to
cooperate in that manner.
Obviously, this is not
the place to discuss the extensive features and elaborations of the tort of
intrusion, but a majority of the applicable cases require that the defendant
must have acted with knowledge or the intention to create the tortious
intrusion. Most case law has recognized that the intrusion tort does not depend
upon any publicity given to the person whose interest is ‘invaded’ or to his or
her affairs but consists solely of an intentional interference with his
or her interest in solitude or seclusion. It is may not be necessary that the
defendant has disclosed the fact of the interference or the contents of any
information contained in any of the communications. However, in some cases, the
invasion of privacy may not have occurred unless the information was disclosed
to a third party and that the disclosure represents the invasion of privacy.
You mention “physical person” and
“electronic locations.” Cases
dealing with the tort of intrusion have determined that it is not necessary for
there to have been a trespass or physical intrusion. This view is true in cases
of the installation of wiretaps or monitoring devices that do not involve an
actual trespass onto the plaintiff’s property, or in cases of publicity that
brings the plaintiff into a position of having many strangers intrude into the
life of the plaintiff or concerning telephone or mail collection tactics. In most
cases, there has not been a physical intrusion or trespass though there is an
intrusion for purposes of this tort on the privacy of the plaintiff.
The fact that a physical intrusion is not required for this tort illustrates how important these privacy torts can be vis-à-vis the Internet and online world since it seems almost impossible to have a physical trespass.
Let me turn to your
inquiry regarding “reasonable expectation of privacy.” There are many situations in our society and in the online
world in which there are no reasonable expectations of privacy. So, for
instance, the tort of intrusion cannot pertain to a situation in which the
plaintiff is in a public place and there is no possibility that privacy is
available. In Edwards v. State Farm
Insurance Co., the court held that a “communication to which no justifiable
expectation of privacy attaches is material to the public view.”[iii]
The courts have often taken
the view that the tort of intrusion is not intended to protect places but is
intended to protect people. Therefore, it is possible for the solitude or
seclusion of a person to be violated even in a public place. Bottom line: even
in a public place, some matters remain private.
In electronic
communications, the issue of a reasonable expectation of privacy has risen both
in cellular phone communications and electronic mail transmitted through the
Internet and other online electronic mail services. I have often wondered that –
since the Internet and other electronic communication services transmit their
information in a protocol that is easily intercepted by computer operators who
are facilitating the transfer – perhaps the courts might eventually determine
there is no reasonable expectation of privacy in those contexts.
As a side note, there
are a few cases where the courts or state bar associations have opined that
telephone conversations by lawyers with their clients over cellular telephones
are not entitled to the attorney/client privilege because there is no
reasonable expectation of privacy. This is because cellular telephone
transmissions can easily be intercepted by standard radio receivers. Due to
this susceptibility, lawyers who use cell phones or email to convey
confidential client information may lose the attorney/client privilege or
violate ethical obligations to protect client confidentiality. Just be
forewarned: as confidentiality concerns are prone to be disputed, my suggestion
is for you to identify all confidential communications as such and, whenever
possible, adopt a written security policy agreement that includes cellular
transmissions.
The security of
electronic mail communications can be enhanced, of course, by the use of
encryption and internal email communication methods that are not easily
available to the public. Because of this, many financial institutions are
sending information in an encrypted form to enhance the security of the
communication better and to reduce the possibility of fraud or loss of
attorney/client privilege. As technology improves, security will likely become
less of an issue for the courts.
You ask about the
“reasonable expectations of privacy for employees.” Many intrusions of privacy issues arising in the Internet
and online interactions involve the expectation of privacy about electronic
mail and similar electronic communications, including voice and video
transmissions. Several court decisions have held that a plaintiff has no
legitimate expectation of privacy in job-related conversations, communications,
inquiries, investigations, or searches on the business premises regarding an
employer or employee or someone in a comparable relationship.
Therefore, defendants
have been found to not be liable for violations of the intrusion tort when they
monitored an employee’s personal calls on a company telephone line pursuant to
company policy, even if the employee was not aware of the policy and the
employer was not liable for searching the office or desk of the employee.[iv]
In Williams v. Collins, the courts stated
that it is not certain that a government employee had any reasonable
expectation of privacy in his government desk as against superiors doing an
inventory or investigation of the plaintiff’s performance.[v]
But, in one case, an employee did have a legitimate expectation of privacy in
the employer’s locker secured by her lock.[vi]
It is well established
that even in the event that there is no consent to an interception or recording
of a conversation and the party intercepting or monitoring the communication is
not a party to the communication, the defendant is still not liable unless the
plaintiff had a reasonable expectation of privacy in the conversation or
communication. Therefore, it becomes very important to determine whether or not
in a computer network online system, a party can have a reasonable expectation
of privacy. This would be an especially difficult question on the Internet
where the communications are subject to relatively easy interception.
In Simmons v. Southwestern Bell Telephone Co.,
the court found that an employee did not have a reasonable expectation of
privacy and did not have a cause of action for interception of communications
when the communication was made as a prohibited personal call on a business
line that the plaintiff knew was monitored pursuant to a published computer art
company practice.[vii] By
the way, this same principle applies to mobile car telephone and radio
transmissions, which are easily monitored by the public.[viii]
The Second Circuit in Leventhal v. Knapek upheld – against a
constitutional challenge – the search of files stored in a desktop computer
used by a staff accountant at a state agency in an investigation of anonymous
allegations that he was neglecting his duties.[ix]
Although the court found that the accountant “had some expectation of privacy
in the contents of his office computer,” it found the search allowable to be
“‘reasonably related to the objectives of the search and not excessively
intrusive in light of the nature of the misconduct.’”[x]
In United States v. Simons, the Fourth Circuit upheld,
against a constitutional challenge, a search discovering downloaded child
pornography among the contents of a desktop computer used by a staff engineer
at a government agency where an Internet usage policy had been instituted with
notice of an audit mechanism capable of tracking traffic to and from a user.[xi]
Stated thus: “This policy placed employees on notice that they could not
reasonably expect that their Internet activity would be private.”[xii]
There have been
several cases that have recognized employee privacy. In Van Alstyne v. Electronic Scriptorium Limited;[xiii]
- see also Stengart v. Loving Care, Inc.[xiv]
- the employee used a private password-protected e-mail account to conduct some
of her own business that the employer accessed in violation of the Stored
Communications Act (SCA).[xv]
Although the Fourth Circuit found that that there were no actual damages, it
affirmed an award of punitive damages and attorney’s fees.
In Quon v. Arch Wireless, the Ninth Circuit
held that a public employer violated the Fourth Amendment by viewing personal
text messages on an employer-issued pager where there was an informal policy
that the usage would not be audited if the employee paid overages (as he did).
The Supreme Court reversed, finding the audit a reasonable search, but not
addressing the expectation of privacy.[xvi]
There’s so much more
to discuss, but, given the constraints of the FAQ format, I will turn to your
question concerning the protection of “employee
privacy interests with respect to an employee’s physical person and electronic
locations.” If you would like to discuss this matter in more detail, I welcome
your call. Contact me HERE to arrange an appointment.
When you draft your policy section
dealing with the protection of the interests
involving an employee’s physical person as well as physical and electronic
locations, I suggest you consider drafting language that reflects the following
concerns:
(A) An employee has a
protected privacy interest against employer intrusion into:
1. The employee’s
physical person, bodily functions and personal possessions; and
2. Physical and electronic
locations, including employer-provided locations, as to which the employee has
a reasonable expectation of privacy.
(B) An employee has a
reasonable expectation in the privacy of a physical or electronic work location
provided by the employer if:
(1) The employer has
provided notice that the location or aspects of the location are private for
employees; or
(2) The employer has
acted in a manner that treats the location or aspects of the location as
private for employees, the type of location is customarily treated as private
for employees, and the employee has made reasonable efforts to keep the
employee’s activities in that location private.
(C) An
employer intrudes upon an employee’s protected privacy interest by such means
as an examination, search, or surveillance into certain locations.
These principles apply
more clearly to email accounts where the employer ratifies a policy that such
email accounts may or may not be used personally. There is a question in
addressing the currently common situation of the “bring your own device”
scenario, reflecting personal preferences and investment in particular brands
of mobile devices, but where the employer pays monthly data usage fees that
subsidize the purchase of the device. I’ll leave that matter for another FAQ to
explore.
With social media
sites such as LinkedIn, where the account is that of the employer, the employee
may have only partial interest. I suggest you look at Eagle v. Morgan.[xvii]
Note the summary judgment on Computer Fraud and Abuse Act (CFAA) and Lanham Act
claims where the employer controlled the LinkedIn account. It is worth noting
also that in Eagle v. Morgan,[xviii]
after trial, liability was found for the unauthorized use of the plaintiff’s
name, invasion of privacy, and misappropriation of publicity, but not for
identity theft, conversion, tortious interference with contract, yet no damages
were awarded. On the other hand, employees may not violate the CFAA even in
misappropriating confidential information if they had rightful access at the
time.[xix]
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] Shorter v. Retail Credit Co., 251
F. Supp. 329, 332 (D.S.C. 1966); Logan v. Sears, Roebuck & Co., 466 So. 2d
121 (Ala. 1985)
[ii] Prahl v. Brosamle, 98 Wis. 2d 130,
295 N.W.2d 768, 782 (Wis. Ct. App. 1980)
[iii] 833 F.2d 535, 541 (5th Cir. 1987);
Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386, 1387 (La. 1979)
[iv] Simmons v. Southwestern Bell
Telephone Co., 452 F. Supp. 392 (W.D. Okla. 1978), aff’d, 611 F.2d 342 (10th
Cir. 1979); and Morton v. Hartigan, 145 Ill. App. 3d 417, 99 Ill. Dec. 424, 495
N.E.2d 1159 (Ill. App. Ct. 1986)
[v] 728 F.2d 721, 728 (5th Cir. 1984)
[vi] K-Mart Corp. Store No. 7441 v.
Trotti, 677 S.W.2d 632 (Tex. App. 1984)
[vii] 452 F. Supp. 392 (W.D. Okla.
1978), aff’d, 611 F.2d 342 (10th Cir. 1979)
[viii] Edwards v. State Farm Insurance
Co., 833 F.2d 535 (5th Cir. 1987)
[ix] Leventhal v. Knapek, 266 F.3d 64
(2d Cir. 2001)
[x]
Under O’Connor, see 266 F.3d at 76,
quoting O’Connor v. Ortega, 480 U.S. 709, 726 (1987)
[xi] United States v. Simons, 206 F.3d
392 (4th Cir. 2000)
[xii] 206 F.3d at 398
[xiii] 560 F.3d 199 (4th Cir. 2009)
[xiv] 2009 N.J. Super, where, my
reading, expressly rejects the company’s claim to access to the employee’s
private e-mail account on the basis of the company’s ownership of a computer
used by the employee to access her account; 529 F3d 892 (9th Circ. 2008),
rehearing en banc denied, 554 F.3d 769 (9th Cir 2009)
[xv] USC. §§ 2701–2711
[xvi] 529 F3d 892 (9th Circ. 2008),
rehearing en banc denied, 554 F.3d 769 (9th Cir 2009); City of Ontario
v. Quon, 560 U.S. 746, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (2010)
[xvii] 2012 U.S. Dist., E.D. Pa. Oct. 4,
2012
[xviii] 2013 U.S. Dist., E.D. Pa. Mar. 12,
2013
[xix] WEC Carolina Energy Solutions LLC
v. Miller, 687 F.3d 199 (4th Cir. 2012)
