THE MOST COMPREHENSIVE MORTGAGE COMPLIANCE SOLUTIONS IN THE UNITED STATES.

LENDERS COMPLIANCE GROUP belongs to these National Organizations:

ABA | MBA | NAMB | AARMR | MISMO | ARMCP | ALTA | IIA | ACAMS | IAPP | MERSCORP

Thursday, December 19, 2019

Employee Surveillance


QUESTION
I am the Assistant General Counsel for a large mortgage lender. We are licensed in all states and have several origination platforms. Your weekly FAQs are often used as topics of discussion in our compliance meetings. Thank you for providing this fine service!

Recently, we undertook a review of the expectation of privacy relating to our employees, especially those working in our online and call platforms. I know that you are one of the few compliance companies that provide Call Calibration reviews, so you may know the ins-and-outs of employee privacy.

We want to add a brief outline to our employee privacy policy, supported by case law, that sets forth our guidelines.

In general, what is a reasonable expectation of privacy for employees?

In particular, given our extensive branch structure and multiple platforms, what are some protected employee privacy interests with respect to an employee’s physical person and electronic locations?

ANSWER
Thank you for reading our FAQs and using them in your compliance commitments. Your questions require an extensive response; however, due to the constraints of the FAQ format, I will only provide a brief response. Hopefully, my response will help to contribute to your deliberations. Given the implications of your inquiry, I will write more about this subject from time to time.

Yes, we provide Call Calibration reviews, which is the tracking and compliance evaluation of calls. We offer quality assurance Call Calibration in various settings, such as between online platforms and consumers, telemarketing initiatives, and call center marketing. We also provide a Call Center Manual and a plan for Call Calibration Methodologies. To receive a presentation for Call Calibration, Click Here.

Let’s be clear, privacy is, to some extent, the “right to be left alone.” That said, no one living in our society today can be left entirely alone. It is important to balance the interest of society and that of the individual using some objective standard to determine whether an intrusion on privacy is actionable.

Maybe “intrusion” seems like a harsh word. Some people would find any intrusion to be objectionable even if it is not outrageous to a person of ordinary sensibilities.[i] Many courts have found that persistent attempts to interview and photograph a plaintiff, soliciting sex under non-aggravated circumstances, using harsh names and insulting gestures, are intrusions that may invoke a feeling of being highly offensive to a reasonable person, but may not be actionable under an “intrusion upon seclusion cause of action.” In general, courts have held that conduct that is merely offensive, insensitive or intrusive is non-actionable if it does not involve outrageously unreasonable conduct. Defining the word “outrageous” is what lawsuits are supposed to determine.

You likely know about the tort of intrusion, which could be brought against those parties who assist in, cooperate in, instigate, command, encourage, ratify, condone, aid, assist or advise in the intrusion.[ii] This might infer that a systems operator or network service provider could also be liable under the tort of intrusion because these may furnish the means and opportunities for the intrusion and have some knowledge or intention to cooperate in that manner.

Obviously, this is not the place to discuss the extensive features and elaborations of the tort of intrusion, but a majority of the applicable cases require that the defendant must have acted with knowledge or the intention to create the tortious intrusion. Most case law has recognized that the intrusion tort does not depend upon any publicity given to the person whose interest is ‘invaded’ or to his or her affairs but consists solely of an intentional interference with his or her interest in solitude or seclusion. It is may not be necessary that the defendant has disclosed the fact of the interference or the contents of any information contained in any of the communications. However, in some cases, the invasion of privacy may not have occurred unless the information was disclosed to a third party and that the disclosure represents the invasion of privacy.

You mention “physical person” and “electronic locations.” Cases dealing with the tort of intrusion have determined that it is not necessary for there to have been a trespass or physical intrusion. This view is true in cases of the installation of wiretaps or monitoring devices that do not involve an actual trespass onto the plaintiff’s property, or in cases of publicity that brings the plaintiff into a position of having many strangers intrude into the life of the plaintiff or concerning telephone or mail collection tactics. In most cases, there has not been a physical intrusion or trespass though there is an intrusion for purposes of this tort on the privacy of the plaintiff.

The fact that a physical intrusion is not required for this tort illustrates how important these privacy torts can be vis-à-vis the Internet and online world since it seems almost impossible to have a physical trespass.

Let me turn to your inquiry regarding “reasonable expectation of privacy.” There are many situations in our society and in the online world in which there are no reasonable expectations of privacy. So, for instance, the tort of intrusion cannot pertain to a situation in which the plaintiff is in a public place and there is no possibility that privacy is available. In Edwards v. State Farm Insurance Co., the court held that a “communication to which no justifiable expectation of privacy attaches is material to the public view.”[iii]

The courts have often taken the view that the tort of intrusion is not intended to protect places but is intended to protect people. Therefore, it is possible for the solitude or seclusion of a person to be violated even in a public place. Bottom line: even in a public place, some matters remain private.

In electronic communications, the issue of a reasonable expectation of privacy has risen both in cellular phone communications and electronic mail transmitted through the Internet and other online electronic mail services. I have often wondered that – since the Internet and other electronic communication services transmit their information in a protocol that is easily intercepted by computer operators who are facilitating the transfer – perhaps the courts might eventually determine there is no reasonable expectation of privacy in those contexts.

As a side note, there are a few cases where the courts or state bar associations have opined that telephone conversations by lawyers with their clients over cellular telephones are not entitled to the attorney/client privilege because there is no reasonable expectation of privacy. This is because cellular telephone transmissions can easily be intercepted by standard radio receivers. Due to this susceptibility, lawyers who use cell phones or email to convey confidential client information may lose the attorney/client privilege or violate ethical obligations to protect client confidentiality. Just be forewarned: as confidentiality concerns are prone to be disputed, my suggestion is for you to identify all confidential communications as such and, whenever possible, adopt a written security policy agreement that includes cellular transmissions.

The security of electronic mail communications can be enhanced, of course, by the use of encryption and internal email communication methods that are not easily available to the public. Because of this, many financial institutions are sending information in an encrypted form to enhance the security of the communication better and to reduce the possibility of fraud or loss of attorney/client privilege. As technology improves, security will likely become less of an issue for the courts.

You ask about the “reasonable expectations of privacy for employees.” Many intrusions of privacy issues arising in the Internet and online interactions involve the expectation of privacy about electronic mail and similar electronic communications, including voice and video transmissions. Several court decisions have held that a plaintiff has no legitimate expectation of privacy in job-related conversations, communications, inquiries, investigations, or searches on the business premises regarding an employer or employee or someone in a comparable relationship.

Therefore, defendants have been found to not be liable for violations of the intrusion tort when they monitored an employee’s personal calls on a company telephone line pursuant to company policy, even if the employee was not aware of the policy and the employer was not liable for searching the office or desk of the employee.[iv]

In Williams v. Collins, the courts stated that it is not certain that a government employee had any reasonable expectation of privacy in his government desk as against superiors doing an inventory or investigation of the plaintiff’s performance.[v] But, in one case, an employee did have a legitimate expectation of privacy in the employer’s locker secured by her lock.[vi]

It is well established that even in the event that there is no consent to an interception or recording of a conversation and the party intercepting or monitoring the communication is not a party to the communication, the defendant is still not liable unless the plaintiff had a reasonable expectation of privacy in the conversation or communication. Therefore, it becomes very important to determine whether or not in a computer network online system, a party can have a reasonable expectation of privacy. This would be an especially difficult question on the Internet where the communications are subject to relatively easy interception.

In Simmons v. Southwestern Bell Telephone Co., the court found that an employee did not have a reasonable expectation of privacy and did not have a cause of action for interception of communications when the communication was made as a prohibited personal call on a business line that the plaintiff knew was monitored pursuant to a published computer art company practice.[vii] By the way, this same principle applies to mobile car telephone and radio transmissions, which are easily monitored by the public.[viii]

The Second Circuit in Leventhal v. Knapek upheld – against a constitutional challenge – the search of files stored in a desktop computer used by a staff accountant at a state agency in an investigation of anonymous allegations that he was neglecting his duties.[ix] Although the court found that the accountant “had some expectation of privacy in the contents of his office computer,” it found the search allowable to be “‘reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct.’”[x]

In United States v. Simons, the Fourth Circuit upheld, against a constitutional challenge, a search discovering downloaded child pornography among the contents of a desktop computer used by a staff engineer at a government agency where an Internet usage policy had been instituted with notice of an audit mechanism capable of tracking traffic to and from a user.[xi] Stated thus: “This policy placed employees on notice that they could not reasonably expect that their Internet activity would be private.”[xii]

There have been several cases that have recognized employee privacy. In Van Alstyne v. Electronic Scriptorium Limited;[xiii] - see also Stengart v. Loving Care, Inc.[xiv] - the employee used a private password-protected e-mail account to conduct some of her own business that the employer accessed in violation of the Stored Communications Act (SCA).[xv] Although the Fourth Circuit found that that there were no actual damages, it affirmed an award of punitive damages and attorney’s fees.

In Quon v. Arch Wireless, the Ninth Circuit held that a public employer violated the Fourth Amendment by viewing personal text messages on an employer-issued pager where there was an informal policy that the usage would not be audited if the employee paid overages (as he did). The Supreme Court reversed, finding the audit a reasonable search, but not addressing the expectation of privacy.[xvi]

There’s so much more to discuss, but, given the constraints of the FAQ format, I will turn to your question concerning the protection of “employee privacy interests with respect to an employee’s physical person and electronic locations.” If you would like to discuss this matter in more detail, I welcome your call. Contact me HERE to arrange an appointment.

When you draft your policy section dealing with the protection of the interests involving an employee’s physical person as well as physical and electronic locations, I suggest you consider drafting language that reflects the following concerns:

(A) An employee has a protected privacy interest against employer intrusion into:

1. The employee’s physical person, bodily functions and personal possessions; and

2. Physical and electronic locations, including employer-provided locations, as to which the employee has a reasonable expectation of privacy.

(B) An employee has a reasonable expectation in the privacy of a physical or electronic work location provided by the employer if:

(1) The employer has provided notice that the location or aspects of the location are private for employees; or

(2) The employer has acted in a manner that treats the location or aspects of the location as private for employees, the type of location is customarily treated as private for employees, and the employee has made reasonable efforts to keep the employee’s activities in that location private.

(C) An employer intrudes upon an employee’s protected privacy interest by such means as an examination, search, or surveillance into certain locations.

These principles apply more clearly to email accounts where the employer ratifies a policy that such email accounts may or may not be used personally. There is a question in addressing the currently common situation of the “bring your own device” scenario, reflecting personal preferences and investment in particular brands of mobile devices, but where the employer pays monthly data usage fees that subsidize the purchase of the device. I’ll leave that matter for another FAQ to explore.

With social media sites such as LinkedIn, where the account is that of the employer, the employee may have only partial interest. I suggest you look at Eagle v. Morgan.[xvii] Note the summary judgment on Computer Fraud and Abuse Act (CFAA) and Lanham Act claims where the employer controlled the LinkedIn account. It is worth noting also that in Eagle v. Morgan,[xviii] after trial, liability was found for the unauthorized use of the plaintiff’s name, invasion of privacy, and misappropriation of publicity, but not for identity theft, conversion, tortious interference with contract, yet no damages were awarded. On the other hand, employees may not violate the CFAA even in misappropriating confidential information if they had rightful access at the time.[xix]

Nearly half the states have enacted protections against employer coercion of employees (and prospects) disclosure of access information or content of private online accounts, notably “social media” accounts that are now commonly used for communication among “friends.” The Uniform Law Commission in 2016 promulgated a Uniform Employee and Student Online Privacy Act for enactment by the states that balances employee interests.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group



[i] Shorter v. Retail Credit Co., 251 F. Supp. 329, 332 (D.S.C. 1966); Logan v. Sears, Roebuck & Co., 466 So. 2d 121 (Ala. 1985)
[ii] Prahl v. Brosamle, 98 Wis. 2d 130, 295 N.W.2d 768, 782 (Wis. Ct. App. 1980)
[iii] 833 F.2d 535, 541 (5th Cir. 1987); Jaubert v. Crowley Post-Signal, Inc., 375 So. 2d 1386, 1387 (La. 1979)
[iv] Simmons v. Southwestern Bell Telephone Co., 452 F. Supp. 392 (W.D. Okla. 1978), aff’d, 611 F.2d 342 (10th Cir. 1979); and Morton v. Hartigan, 145 Ill. App. 3d 417, 99 Ill. Dec. 424, 495 N.E.2d 1159 (Ill. App. Ct. 1986)
[v] 728 F.2d 721, 728 (5th Cir. 1984)
[vi] K-Mart Corp. Store No. 7441 v. Trotti, 677 S.W.2d 632 (Tex. App. 1984)
[vii] 452 F. Supp. 392 (W.D. Okla. 1978), aff’d, 611 F.2d 342 (10th Cir. 1979)
[viii] Edwards v. State Farm Insurance Co., 833 F.2d 535 (5th Cir. 1987)
[ix] Leventhal v. Knapek, 266 F.3d 64 (2d Cir. 2001)
[x] Under O’Connor, see 266 F.3d at 76, quoting O’Connor v. Ortega, 480 U.S. 709, 726 (1987)
[xi] United States v. Simons, 206 F.3d 392 (4th Cir. 2000)
[xii] 206 F.3d at 398
[xiii] 560 F.3d 199 (4th Cir. 2009)
[xiv] 2009 N.J. Super, where, my reading, expressly rejects the company’s claim to access to the employee’s private e-mail account on the basis of the company’s ownership of a computer used by the employee to access her account; 529 F3d 892 (9th Circ. 2008), rehearing en banc denied, 554 F.3d 769 (9th Cir 2009)
[xv] USC. §§ 2701–2711
[xvi] 529 F3d 892 (9th Circ. 2008), rehearing en banc denied, 554 F.3d 769 (9th Cir 2009); City of Ontario v. Quon, 560 U.S. 746, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (2010)
[xvii] 2012 U.S. Dist., E.D. Pa. Oct. 4, 2012
[xviii] 2013 U.S. Dist., E.D. Pa. Mar. 12, 2013
[xix] WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)