Whatever the wording of your employer’s computer, e-mail and internet usage policy, chances are you use your work-issued computer for at least some personal, non-work-related communication. This practice raises potentially serious privacy concerns. Employer snooping has generated significant litigation across the country, less so (to date) in Minnesota. This article overviews the law in this area, providing guidance to both employers and employees to help limit their exposure. Financially and personally, as the case may be.
Minnesota was late to the game in recognizing common law privacy rights. The right to sue for invasion of privacy only first arrived in 1998, as a result of the Minnesota Supreme Court decision of Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231 (Minn. 1998). That famous (or infamous) case involved Wal-Mart photo lab employees viewing and distributing nude vacation photos brought in for processing by a customer. Invasion of privacy actually encompasses three separate categories in Minnesota: (1) intrusion upon seclusion, (2) appropriation, and (3) publication of private facts. Employer reading of employee e-mail implicates the first of the three, intrusion upon seclusion: when a person “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns … [where] the intrusion would be highly offensive to a reasonable person.” The latter two, less directly relevant to this article, arise from misappropriating the likeness or identity of another person for commercial gain and disseminating private information to a wide audience.
No Minnesota court to date has addressed claims arising from an employer who snoops into an employee’s personal e-mails. Many other jurisdictions have, however, and the emerging consensus is that employees have little to no expectation of privacy concerning e-mails sent over or received through an employer’s e-mail server. The employer’s case is bolstered significantly where the employer warns employees, typically in an employee handbook, that they have no right to privacy. It behooves employers to adopt such policies, indicating that employee e-mail on a work computer is subject to inspection at any time by the employer, and limiting usage of work computers for business purposes. See Long v. Marubeni Am. Corp., No. 05-CV-639, 2006 WL 2998671, at *3 (S.D.N.Y. Oct. 19, 2006) (no expectation of privacy where employer’s policy instructed employees they had “no right of personal privacy” and employer reserved the right to monitor its systems); United States v. Angevine, 281 F.3d 1130 (10th Cir.2002) (no expectation of privacy where computer was provided only for work-related purposes and employer reserved ownership of data); United States v. Simons, 206 F.3d 392 (4th Cir.2000)(employer had policy to inspect and monitor Internet activity, so employee had no expectation of privacy in files transferred from the internet).
“Web mail” presents a cloudier picture. Several courts have ruled in favor of employees when an employer surreptitiously reads password-protected cloud-based e-mail (e.g. Gmail messages viewed on the Google website). Even when the employee views the messages on a workplace computer during working hours. See Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 990 A.2d 650 (N.J. 2010)(employee could have reasonably expected that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F.Supp.2d 548 (S.D.N.Y. 2008) (employee had a reasonable expectation of privacy in personal, password-protected e-mail messages stored on a third party’s server, although the employee had accessed that outside server while at work). Depending on the circumstances, the same may apply to private Facebook and other social media webpages. In one case, an employer gained access to an employee’s Facebook account by having a supervisor summon a co-worker, who was also one of the employee’s Facebook friends, into an office, whereupon he was “coerced” into accessing his Facebook account on a work computer in the supervisor’s presence. A federal court, applying New Jersey law, ruled in favor of the aggrieved employee, and declined to dismiss her invasion of privacy claim under these facts. Ehling v. Monmouth–Ocean Hosp. Serv. Corp., 872 F.Supp.2d 369 (D.N.J. 2012). Whether a Minnesota court would rule similarly is open to question. In Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 44 (Minn. Ct. App. 2009), the court held that privacy was lost when private information was posted on a publicly accessible Internet website and “[a]ccess to the publication was not restricted”. So here’s a tip to all employees who use Facebook at work: check your privacy settings. And if you access your account at work, be careful about what you disclose, even to friends only, at least until the law becomes more settled in this area.
As mentioned above, no Minnesota case to date has addressed employer reading of employee e-mails. One, however, involved co-owners of a business. The court in Gates v. Wheeler, No. 19HA-CV-09-1863 (Minn. Ct. App. Nov. 23, 2010) had occasion to consider privacy claims resulting from one co-owner basically hacking the other owner’s computer, using an IT professional to re-route private e-mail that went through the company’s servers. The following were accessed in this fashion:
“The record reflects that Wheeler collected emails of communications between Gates and his attorneys, email reminders Gates sent to himself about litigation strategy, pictures of Gates’ children at a park with degrading captions added by Wheeler, personal emails between Gates and his wife, emails with passwords and financial account information, and private communications between Gates and his accountant.”
The court had no trouble ruling that “surreptitious collection of these items would be offensive to the reasonable person,” and concluded that the plaintiff was likely to succeed at trial, even though these events involved use of work-based e-mail servers. In so ruling, the court noted that the company “had no email policy and did not monitor email use of any other employees, third parties did not have a right of access, and [Defendant] did not notify [Plaintiff] and [Plaintiff] did not know that [Defendant] was intercepting his emails.”
The purpose of the inspection will matter, too. Although the reported decision in Gates provides no detail as to the rationale, the spying apparently related to a dispute between two business owners who were, at the time, fighting over company control. The outcome may have differed if the inspection served a legitimate purpose. Balancing an employee’s right to privacy is an employer’s interest in protecting its business from employee misappropriation of trade secrets or liability arising its employee’s acts. For instance, when an employee uses his work computer to sexually harass a co-worker or engage in criminal Ponzi schemes, child pornography, drug diversion or the like. To those ends, the law generally recognizes an employer’s right to inspect its employees’ computers.
In any event, it’s impossible to predict whether an e-mail or computer usage policy would have insulated the defendant from liability in the Gates case. Without deciding one way or another, the Minnesota Court of Appeals noted that “Minnesota courts have not addressed whether an employee can have an expectation of privacy in a company email account.” Leaving open the question, is employee privacy in the workplace a reality or myth in Minnesota? Stay tuned…