Cyber-Liability Evolves in the Wake of Important Legal Developments


By Mary Anne Ackourey and Betsy Bulat Turner
It is no secret that technology has irreversibly changed the workplace. Mobile email devices and remote access have blurred the distinction between business and personal time as employers often expect employees to be available on these devices after normal work hours. On the other hand, many employees now expect access to the Internet, including their personal email, social media, and other accounts, for personal use at work, and many employees use their company email accounts for personal business, further blurring the line between work and personal time.

This year, the United States Supreme Court decided its first major case addressing cyber-liability issues. While the decision did not extend as far as many employers had hoped, the Court in City of Ontario v. Quon unanimously found that an employer’s search of an employee’s text messages, on a device owned and issued by the employer, to see if those texts were work-related, was reasonable and lawful. The Court based its decision on the fact that the City’s review of the text messages was for a reasonable purpose – the City’s interest in ensuring that it was not paying for extensive personal communications made during work hours.
Quon is significant because it supports the notion that employers may search an employee’s communications on company-owned devices when: (1) the search is for a work-related purpose and not simply to investigate the employee’s affairs; (2) the search is not excessive in scope but limited, to the extent possible, to the work-related purpose; and (3) the employee clearly is on notice through the company’s policies and procedures that the company has reserved the right to monitor the employee’s electronic communications.
Nevertheless, employers still must be wary of monitoring employees’ electronic communications. The Electronic Communications Protection Act, Stored Communications Act, and many state laws make it illegal to use illicit or coercive means to access employees’ private electronic communications, including personal email and social media accounts, or to otherwise invade employees’ privacy expectations in personal communications. In this regard, the Supreme Court of New Jersey in the case of Stengart v. Loving Care Agency, Inc.recently held that an employee’s use of a company computer to send and receive personal emails with her attorney did not justify that company’s claim of ownership to the emails when it obtained the emails through forensic imaging of the employee’s computer, even though the emails were sent in violation of the company’s electronic communications policy. The court explained that the computer on which the emails were found was “little more than a file cabinet for personal communications” and that property rights “are no less offended when an employer examines documents stored on a computer as when an employer rifles through a folder containing an employee’s private papers or reaches in and examines the contents of an employee’s pockets.”
Troubling cyber-liability issues also have begun to emerge in the area of traditional labor law, especially in connection with communications made by employees through social media. For example, on November 2, 2010, the NLRB announced that it had filed a complaint against an ambulance service that had terminated an employee who posted negative remarks about her supervisor on her personal Facebook page after she was denied union representation at a disciplinary meeting. The complaint also alleges that the company illegally maintained and enforced an overly broad blogging and internet posting policy. The NLRB contends that termination for the employee’s Facebook postings and the company’s blogging and internet policies constitute interference with the employee’s right to engage in protected concerted activity under Section 7. Although no decision yet has been rendered in this case (a hearing on the case is scheduled for January 25, 2011), the case highlights the NLRB’s increasing willingness to scrutinize employers’ electronic communications policies and actions taken against employees based on those policies.
In conclusion, to avoid liability for reviewing or taking action based on employees’ electronic communications, employers clearly must put employees on notice that, if they view their personal email or other accounts on company computers, their communications can and will be monitored. Some states, including Delaware and Connecticut, have even passed statutes requiring employers to notify their employees when monitoring their electronic communications. Indeed, it is prudent to proceed cautiously or seek legal advice prior to accessing employee’s communications on electronic or social media platforms.
For more information, contact Ms. Ackourey at [email protected] or Ms. Turner at[email protected].