Managers and human resources professionals likely do not read rulings in tawdry divorce cases to gain tips on dealing with employees, but the recent decision in Epstein v. Epstein contains a valuable warning about a tactic frequently used by employers when investigating misconduct. In the Epstein case, the wife believed that her husband was engaged in “serial infidelity,” and secretly placed an auto-forwarding “rule” on his email accounts, thereby causing all incoming and outgoing emails to be sent to her. This type of monitoring is also utilized by employers who suspect that an employee is stealing confidential information or trade secrets. In Epstein, the Court of Appeals for the Seventh Circuit, which covers Illinois, Indiana and Wisconsin, found that the wife’s actions violated the federal Wiretapping and Electronic Surveillance Act (the “Wiretap Act”) and allowed the husband to sue the wife for this violation. The Epstein ruling serves as a reminder to employers who wish to intercept an employee’s emails as part of an investigation that they must take appropriate steps to avoid potential liability.
Many employers believe that the best way to confirm an ongoing theft of trade secrets or confidential information is by monitoring the suspected employee’s email communications and screening for transmission of proprietary information or communications with competitors. However, the Wiretap Act prohibits anyone from intentionally intercepting the contents of any wire, oral or electronic communications or from disclosing or using such communications while knowing they have been intercepted. This can hold true even for emails sent from and received by the employer’s own computers. Much of the Epstein ruling focused on technical questions about whether the wife’s email rule “intercepted” the husband’s emails within the meaning of the Wiretap Act. The Seventh Circuit ruled that interception occurs so long as an ongoing or an incoming email is copied at the server level. Since this is how email rules usually work, employers who use such rules may run afoul of the Wiretap Act just like the wife in Epstein.
Moreover, even if an employer’s method of monitoring does not involve copying at the server level, employer monitoring may still violate two other federal statutes -- the Computer Fraud and Abuse Act (the “CFAA”) and the Stored Communications Act (the “SCA”). The CFAA prohibits a person from intentionally accessing a computer without permission or exceeding authorization and thereby obtaining information, while the SCA outlaws unauthorized access (or access in excess of authorization) to stored electronic communications. Again, these laws may apply even if emails are being sent from or to the employer’s computer. Hence, looking at emails after the fact can also give rise to liability.
Of course, it is unauthorized access that violates the CFAA and the SCA. The Wiretap Act likewise contains an exception if one of the parties gives prior approval to the interception. The easy way for employers to avoid liability under the Wiretap Act, CFAA and SCA is to obtain permission to monitor employee communications. This is one of the reasons why employers should adopt policies notifying employees that the employer may monitor employee emails and internet usage at any time and for any reason. Keep in mind, however, that these policies are usually effective only to employee emails directly sent from an employer’s email server. An employer’s policy will not authorize it to monitor an employee’s private communications at home or on a personal email server. Employers who monitor employee communications away from the office, or employee communications using cloud-based services like Gmail (even if the employee accesses his or her account from a company computer) are potentially exposing themselves to liability in the same manner as the wife in Epstein v. Epstein.
Seth’s practice focuses on all areas of employment law. Seth also has been certified as a Certified Information Privacy Professional in US private-sector law by the International Association of Privacy Professionals.