THE LEGAL COMPLICATIONS AND ETHICAL DILEMMAS PRESENTED BY
CYBERSPACE IN THE WORKPLACE
By Stewart S. Manela
Arent Fox
1050 Connecticut Avenue, NW
Washington, DC 20036-5339
Manelas@arentfox.com
202.857-6364
I.
Electronic Communications: A Pervasive Medium
E-mail has become the preferred way to communicate about American business matters. Tens of
millions of Americans use e-mail in the workplace. Electronic messages arrive at their
destinations almost instantaneously, infinitely faster and cheaper than “snail-mail” or even fax.
E-mails can be forwarded, stored, or replied to with a click of a mouse, and messages can be sent
to one or a thousand recipients with ease.
It is instant, convenient, and apparently private, which promotes spontaneous exchanges. Even
normally prudent, circumspect people cannot resist the temptation to type an immediate response
to an e-mail and hit the send button before reflecting on the contents, communicating more
candidly and informally than they ever would on paper. An illusion pervades cyberspace that
email exchanges are private and will never be scrutinized, and hence e-mail tends to be more
casual, and when revealed, often proves to be embarrassing or intemperate.
It often seems virtually no consideration has been given to the possibility that a confidential
message will be saved, copied, forwarded, or ever seen by anyone other than its designated
recipient. Yet, a record of the message often survives, and may be saved indefinitely, stored
everywhere from desktop computers and workstations to backup tapes and personal Palm Pilots.
Many people refuse to erase old e-mail, and most people do not even understand what is stored
on their computer in the first place: “erased” data is not necessarily gone forever; telephone
systems may preserve voice messages though the recipient has “deleted” the message; messages
originating or terminating in a corporate computer system may persist indefinitely in backup
tapes or disks.
Moreover, there are security concerns relating to e-mail transmissions. E-mail messages pass
through routers where system administrators can read, copy, or tamper with any message.
Although unauthorized interception of e-mail may violate federal law, persons with access to the
servers where messages are stored have the technical capability – if not the legal authority – to
intercept those messages.
Recovering files that were deleted from a computer directory is a trivial process. Computers
create files users do not even know about in the first place. Word processors maintain temporary
files that may remain readable even after originals have been erased. Changes to document do
not eliminate prior versions. Web browsers create history files that keep a record of the Web
sites visited, and cache files may even keep copies of downloaded pictures.
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
II.
Employment Litigation
The careless way e-mail and voice-mail messages are created and the unintentionally long time
they tend to be preserved make electronic communications a favored weapon in litigation. As
documentary evidence, e-mail communication provides a contemporaneous record of what
people were thinking, planning, and saying. Its spontaneity contrasts with prepared oral
testimony.
Courts and juries treat e-mail as a window into real thoughts of executives and the inner
workings of an enterprise. Courts have permitted litigants to use e-mail communications even
though the sender may have expected it to remain private because any expectation of privacy
when using an employer’s e-mail system is not reasonable. See Smyth v. Pillsbury Co., 914 F.
Supp. 97 (E.D. Pa. 1996). But see United States v. Smith, 155 F.3d 1051 (9th Cir., 1998)
(suppressing evidence of unlawful voicemail recording) and Monotype Corp. v. Int’l Typeface
Corp., 43 F.3d 443 (9th Cir. 1994)(e-mail is not a business record under Federal Rule of
Evidence 803(6)).
Sexual harassment and discrimination lawsuits have been based upon obscene or threatening email and voice-mail messages. Transmission of racially insulting voice mail messages,
combined with an employer's failure to take action in response to them has been found to support
a claim of racial harassment. Morgan Stanley & Co. was sued by black employees claiming
retaliation under Title VII after they complained about an e-mail message ridiculing “Ebonics”
and containing racist jokes which was disseminated through the firm's computer system. Owens
v. Morgan Stanley & Co., S.D.N.Y., No. 96-9747 (Dec. 24, 1997), (6 DLR A-1 1/9/98). The
New Jersey Supreme Court ruled the critical and insulting emails posted to a work-related
electronic bulletin board may constitute workplace harassment. Blakey v. Continental Airlines
Inc., 751 A.2d 538 (N.J. 2000). A federal jury in Illinois awarded $454,000 to plaintiff who
alleged she was fired after she filed a sexual harassment charge based on e-mail from a
supervisor that made her uncomfortable. Mercado v. Midwest Computer Inc., N.D. Ill., No. 99 C
1240, (May 5, 2000), (110 DLR A-1, 6/7/00). See also Harley v. McCoach, 928 F. Supp. 533
(E.D. Pa. 1996) (sexual harassment claim based in part on e-mail message sent to the plaintiff
identifying her as "Brown Sugar"); Strauss v. Microsoft Corp., 814 F. Supp. 1186 (S.D.N.Y.
1993) (defendant sent e-mail messages to staff containing advertisement for replacement "moose
balls," news report on Finland's proposal to institute a sex holiday, and play entitled "A Girl's
Guide to Condoms”); Donley v. Ameritech Services, Inc., 1992 U.S. Dist. LEXIS 21281 (E.D.
Mi. Nov. 16, 1992) (reverse discrimination claim based on termination due to e-mail about
African American male client which was offensive and disrespectful to the client). Curran v.
Unemployment Compensation Board of Review, 752 A.2d 938 (Comm.Pa., 2000) (employee
terminated for misconduct and denied unemployment insurance benefits for violating employer’s
internet policy ). But see Schnaars v. Copiague Union Free School District, 713 N.Y.S.2d. 84
(2d. Dept., 2000) (reinstating long-term employee terminated for using school computers to
access pornographic websites ); Bertolini v. Whitehall City School District Board of Education,
2000 WL 1376455(Ohio App.10th.Dist., 2000) (reversing termination of associate
superintendent who sent romantic e-mail messages since policy allowed personal e-mail
messages).
2
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
III.
E-Mail Communication By Counsel.
Model Rule of Professional Conduct 1.6 precludes a lawyer from disclosing “information
relating to representation of a client unless the client consents after consultation,” and likewise,
DR 4-101 of the Code of Professional Responsibility prohibits a lawyer from “knowingly”
revealing information protected by the attorney-client privilege and other information gained in
the professional relationship that might embarrass or be detrimental to the client or that the client
wants to remain secret. Rule 1.6 requires lawyers to take reasonable steps to protect client
confidences from unauthorized disclosure, including use of a transmission mode that is
reasonably expected to remain private.
The American Bar Association, ABA Formal Op. 99-413 (March 10, 1999), has concluded that
“lawyers have a reasonable expectation of privacy in communications made by all forms of email, including unencrypted e-mail sent on the Internet, despite some risk of interception and
disclosure.” The risk of an e-mail being intercepted is not unlike the risk of using a telephone,
fax, or mail, where it is always possible that a transmission will be intercepted, lost, or stolen.
Just as a prudent lawyer dealing with particularly sensitive information should take heightened
measures to preserve confidentiality, the ABA Opinion cautions that for top secret client
information a lawyer should consult the client as to whether a mode of transmission other than email would be preferred.
Most states that have considered the subject have concluded that in the ordinary course of events,
an attorney may communicate with clients using unencrypted e-mail. Alaska Op. 98-2; Arizona
Op. 97-04; Connecticut Op. 99-52; D.C. Bar Op. 281 (1998); Florida Op. 00-4; Illinois Op. 9610; Iowa Op. 1997-1; Kentucky Op. E-403; Minnesota Op. 19 (1999); New York State Bar
Association Op. 709 (1998); Association of the Bar of the City of New York Op. 1998-2; North
Carolina RPC 215 (1995); North Dakota Op. 97-09; Ohio Op. 99-2 and 99-9; Pennsylvania Op.
97-130; South Carolina Op. 97-08; Utah Op. 00-01; and Vermont Op. 97-5.
Other jurisdictions have found that representation of or communication with a client via
electronic channels may violate Rule 1.6 absent an express waiver by the client. See Iowa Ethics
Formal Op. 96-1, finding that attorneys should not use e-mail to communicate with clients unless
they use security measures to protect confidentiality, such as encryption or a protected
password/firewall, or first obtain acknowledgment from the client about the security risks
involved in using e-mail and the Internet; South Carolina Ethics Opinion 94-27 (1995),
explaining that the nature of on-line services makes it possible for system operators to gain
access to all communications that are transmitted through them, and as various jurisdictions have
ruled in regard to communications via cellular phones, a lawyer should not use a cellular
telephone to discuss confidential information with clients –absent informed consent. North
Carolina State Bar Op. 215, 1995 WL 853887 (July 21, 1995), finding that “e-mail is susceptible
to interception by anyone who has access to the computer network to which a lawyer ‘logs on’
and such communications are rarely protected from interception by anything more than a simple
password.” “In using e-mail, or any other technological means of communication that is not
secure, an attorney must exercise precautions to protect client confidentiality.”
See
Massachusetts Ethics Opinion 94-5 (1994); New York City Ethics Opinion 1994-11 (1994); New
Hampshire Ethics Opinion 1991-92/6 (1992) (noting that confidential cellular phone
3
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
conversations may be permissible if scrambler used).
These ethics opinions focus only on exposure to disciplinary action when a lawyer uses e-mail.
Another issue is whether a lawyer and client may breach the requirement of confidentiality
essential to maintain the attorney-client privilege by sending privileged information via e-mail.
For the reasons cited in ABA Opinion 99-413, the privileged nature of e-mail communications
between attorney and client should be assured unless they are not securely stored after they have
been sent or received. Internal limitations on access to e-mail files and password protections
would safeguard the confidentiality of stored e-mail.
Still, waiver of the attorney-client privilege from use of unencrypted e-mail containing
confidential information could be found if a court were to follow the reasoning of Castano v.
American Tobacco Co., 896 F.Supp. 590 (E.D. La. 1995), involving supposedly privileged
documents that were available on the Internet through a public library. Other courts have refused
to recognize a reasonable expectation of privacy in electronic communications that can be
intercepted with more ease than regular land-line telephone calls. See Tyler v. Berodt, 877 F.2d
705 (CA 8 1989) (cordless phone). But see Shubert v. Metrophone Inc., 898 F.2d 401 (CA 3
1990) (transmission over cellular phone not intentional disclosure of content though subject to
interception). A military court has recognized a reasonable expectation of privacy in e-mail
messages for Fourth Amendment search and seizure purposes. United States v. Maxwell, 42 M.J.
568, 576 (US Air Force CtCrimApp 1995) (sender of e-mail messages had an reasonable
expectation of privacy: “[T]here was virtually no risk that . . . computer transmissions would be
received by anyone other than the intended recipients.”).
To enhance the claim of confidentiality and demonstrate the sender’s expectation of
confidentiality, some lawyers include confidentiality notices with the e-mail, such as:
This email contains confidential, privileged information intended only for the
addressee. Do not read, copy, or disseminate it unless you are the addressee. If
you have erroneously received this e-mail, please call us immediately at ___ and
please e-mail the message back to the sender. We appreciate your assistance in
correcting this error.
There may be an ethical duty on a lawyer who inadvertently receives e-mail with such a notice,
to avoid reviewing the contents, notify the lawyer who sent it, and abide by the instructions. See
ABA Formal Ethics Opinion 92-368 (1992) (inadvertent disclosure of confidential materials).
IV.
Monitoring Electronic Communications in the Workplace
Companies monitor their employees to review performance, ensure legal compliance, and
control costs. A 1999 survey of employer monitoring conducted by the American Management
Association of 1,054 AMA-member organizations found that 67 percent of employers conduct
some form of electronic monitoring and surveillance of employees.
Employers that monitor e-mails may assume a duty to take action if an employee is using
company e-mail to communicate threats or engage in other misconduct. A company that
4
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
monitored emails was sued for negligent supervision when an employee sent sexually explicit
messages to a child, and arranged a meeting with the child using the company's e-mail system.
When a company monitors email and learns – or should have learned – that someone is in
danger, the employer may be found to have a duty to act to protect that person.
Monitoring communications in the workplace may violate federal law. The Electronic
Communication Privacy Act of 1986 ("ECPA"), 18 U.S.C. §§ 2510-2711, prohibits the
intentional interception, access, disclosure or use of another person’s wire, oral, or electronic
communication. Section 2510(4) defines "interception" as the aural or other acquisition of the
contents of any wire, electronic, or oral communication through the use of any electronic,
mechanical, or other device. Section 2510(5) defines an "electronic, mechanical, or other
device" as any device or apparatus which can be used to intercept a wire, oral or electronic
communication other than-- (a) any telephone or telegraph instrument, equipment or facility or
other component thereof..." "Electronic communication" is "any transfer or signs, signals,
writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a
wire, radio, electromagnetic, photoelectric or photo-optical system that affects interstate
commerce, . . ." 18 U.S.C. § 2510(12).
The ECPA imposes criminal and civil liability. In a civil case a plaintiff may recover the greater
of either: (1) actual damages suffered and any profits made by the violator; or (2) statutory
damages (the greater of $100 a day for each day of violation or $10,000). 18 U.S.C. §
2520(c)(2). Attorneys' fees, litigation costs, and other equitable relief is also available. §
2520(a)(3). In a criminal prosecution, the penalty may be up to five years imprisonment and
fines up to $5000. § 2511(4)(a)-(b).
The ECPA only covers interstate commerce. Internal e-mail transmitted exclusively through a
private employer’s system might not be deemed to be in interstate commerce. However, a
network that handles internal e-mail messages, but also permits employees to transmit external email messages would probably be a "system that affects interstate commerce."
Section 2511(2)(a)(i) of the ECPA provides:
It shall not be unlawful under this chapter for an operator of a switchboard, or an officer,
employee, or agent of a provider of wire or electronic communication service, whose
facilities are used in the transmission of a wire or electronic communication, to intercept,
disclose, or use that communication in the normal course of his employment while
engaged in any activity which is a necessary incident to the rendition of his service or to
the protection of the rights or property of the provider of that service, except that a
provider of wire communication service to the public shall not utilize service observing
or random monitoring except for mechanical or service quality control checks.
It is not clear that merely maintaining an internal e-mail system transforms an employer into a
"provider" within the meaning of this statutory exception. For any monitoring activity to be
covered by the exception, the employer must show that the particular interception was in the
ordinary course of business and was necessary to the rendition of the service, or was necessary to
protect its rights or property. See, e.g., Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev., 1996)
5
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
(no ECPA violation in retrieval of stored communications from Reno Police Department’s
computer system because City was “provider” of electronic communications service and had
right of access to stored communications); Simmons v. Southwestern Bell Tel. Co., 452 F. Supp.
392, 396 (W.D. Okla. 1978), aff'd, 611 F.2d 342 (10th Cir. 1979) (in claim by telephone
company employee under § 2510 based on monitoring phone conversations, court found
company had legitimate reason for monitoring calls relating to service quality and need to
prevent persistent use of telephone for personal calls).
The business extension or ordinary course of business exception, 18 U.S.C. § 2510(5)(a) derives
from the definition of electronic device. A violation under the ECPA requires that an electronic
device be used to intercept the e-mail messages, but § 2510(5)(a) defines electronic device to
exclude any equipment furnished by a provider of electronic communication service in the
ordinary course of its business that is used by the user in the ordinary course of business.
Unlimited monitoring of employees has been held not in the ordinary course of business and not
justified under the Act. Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994) (employer
recorded employee telephone conversations 24 hours per day; interceptions not in ordinary
course of business despite proffered reason of bomb threat investigation – covert use of a
surveillance device must be justified by a valid business purpose); Watkins v. L.M. Berry & Co.,
704 F.2d 577 (11th Cir. 1983) (employer's interception of phone calls valid only to determine
whether the call was in fact personal; further interception unwarranted); Deal v. Spears, 980 F.2d
1153, 1157 (8th Cir. 1992) (effort to catch thief did not justify employer monitoring of phone
line for twenty-two hours of primarily personal phone calls).
Notice of any monitoring may be required. United States v. Harpel, 493 F.2d 346 (10th Cir.
1974) (telephone monitoring unlawful absent notice); James v. Newspaper Agency Corp., 591
F.2d 579, 581 (10th Cir. 1979) (monitoring lawful where employer provided notice to employees
and was for legitimate purposes of training, instruction and protection against abusive calls).
Courts have determined that an employer may monitor a "business" communication, but not a
"personal" communication. Watkins, 704 F.2d at 583 (monitoring personal calls never in
ordinary course of business unless to prohibit use of telephone or to determine whether call is
personal); Briggs v. American Air Filter Co., 630 F.2d 414, 419 (5th Cir. 1980) (no violation
where employer limited monitoring to portion of call in which employee discussed employer's
business with competitor); Epps v. St. Mary's Hosp. of Athens, Inc., 802 F.2d 412, 416-17 (11th
Cir. 1986) (monitoring conversations between employees concerning "scurrilous remarks" about
supervisors permitted).
Section 2511(d) provides that it is not be unlawful to intercept an electronic communication
when one of the parties to the communication has given prior consent to the interception.
Consent under may be implied or actual. Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir. 1992);
Griggs-Ryan v. Connelly, 904 F.2d 112, 116 (1st Cir. 1990); George v. Carusone, 849 F. Supp.
159, 163 (D. Conn. 1994). Implied consent will not be found if an employee is merely aware
that monitoring may occur, as opposed to being notified that they are being monitored. In
Williams v. Poulos, 11 F.3rd 271(1st Cir., 1993) an employer’s interception of employee phone
calls was found not to be within the consent exception of the law because while a corporate
officer was told that employee calls would be monitored, he was not told that his calls would be
monitored or the manner in which the monitoring would take place. In Deal v. Spears, 980 F.2d
6
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
1153, 1157 (8th Cir., 1992) the court would not endorse employee consent to the tape recording
of phone calls simply because the employee had been warned that calls might be monitored or
because a phone extension was located in the owner’s home.
Several states have statutes protecting against the interception of electronic communications by
private parties: New Jersey Wiretapping and Electronic Surveillance Control Act, N.J.S.A.
2A:156A-1 et seq.; Pennsylvania Wiretapping and Electronic Surveillance Act, 18 Pa. Cons.
Stat. Ann. _ 5702 et seq.; Cal. Penal Code _ 631; Colo. Rev. Stat. Ann. _ 16-15-102; Md. Code
Ann. § 10-4A-01-08; and N.Y. Crim. Proc. Art. 700; Connecticut law protects employee e-mail
privacy rights, requiring employers to give employees notice of all forms of electronic
monitoring. See also California Senate Bill, (S.B. 1822), under which employers would be
required to inform employees of company policies and practices of reading employee e-mail and
tracking the Internet sites they visit.
V.
Invasion of Privacy
Monitoring of electronic communications can expose employers to state law tort claims. The
most likely claim would be the tort of unreasonable intrusion upon the seclusion of another.
Section 652B of the RESTATEMENT (SECOND) ON TORTS provides that Intrusion upon Seclusion
includes intruding upon the private affairs or concerns of another person. Liability does not
require information to be publicized or used by the employer, but the intrusion must be highly
offensive to a reasonable person. Electronic surveillance has been considered an "intrusion"
sufficient to establish that element of the tort. Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973);
Nader v. General Motors Corp., 255 N.E.2d 765 (N.Y. 1970) (telephone wiretapping). The
degree of intrusion, the context, conduct and circumstances surrounding the intrusion, as well as
the intruder's motives and objectives, the setting into which he intrudes, and the expectations of
those whose privacy is invaded determine the degree of offensiveness. Miller v. National
Broadcasting Co., 232 Cal. Rptr. 668, 679 (Cal. Ct. App. 1986).
The employee must have a subjective expectation of privacy and the expectation be objectively
reasonable. In determining employer liability for monitoring e-mail courts consider: whether
employees had a reasonable expectation of privacy and, if so, was there a legitimate business
justification for the intrusion sufficient to override that privacy expectation. Smyth v. The
Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996) (no reasonable expectation of privacy in e-mail
communications where employee terminated for inappropriate e-mail messages voluntarily sent
to supervisor despite employer’s assurance that e-mail messages would not be intercepted by
management).
At most companies, various passwords are used by employees to access the local network, to
gain entry to individual mail boxes, or to listen to voice-mail messages. Employees often believe
that their communications are private because they have a password which they can select and
change independently. The security provided by a password may be more apparent than real,
however. Electronic messages are preserved in assorted network servers or on back-up tapes,
which can be monitored by managers with a need or desire to know what communications are
being transmitted, or computer hacks who simply know how to gain access to stored data and get
cheap thrills from eavesdropping. If an employee asserts a claim of invasion of privacy based
7
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc
upon workplace monitoring of electronic communications, courts will weigh the reasonableness of
the employee's expectation of privacy against the business interest of the employer in monitoring
the communication.
In Restuccia v. Burk Technology, Inc., 1996 WL 1329386 (Mass.Super., August 13, 1996), two
employees were terminated based upon e-mail messages they sent containing unflattering
references to the company’s president, which he accessed and reviewed. The Superior Court of
Massachusetts found a factual question as to whether a reasonable expectation of privacy in email might exist in a computer system that required a password to log in, permitted employees to
maintain individual passwords which they were reminded to change periodically, there was no
policy against using the system for personal e-mail messages, and employees were not told that
the supervisors could access their systems or that their e-mail files were automatically backed up
and that the supervisors had access to the back-up files. McLaren v. Microsoft Corporation,
1999 WL 339015 (Tex.App., May 28, 1999), also presented the issue of whether a cause of
action exists for invasion of privacy where an employer reviews e-mails stored in password
protected folders on the employee’s computer. Noting that during transmission over a network
e-mail exists in unencrypted plain text subject to review by network administrators and that the
communications are initially stored on a server, the court held that there was no reasonable
expectation of privacy even though the data was password protected. See also United States v.
Simons, 206 F.3rd 392 (4th Cir., 2000).
Conclusion
E-mail and electronic communications are a burgeoning field, not only for increased efficiency
and rapid transmission of information, but also of legal and ethical issues in the workplace and
law office. Employment counsel must stay abreast of new developments affecting workplace
privacy, monitoring, and communications, while maintaining appropriate protections for clients
with respect to counsel’s own use of new technologies.
8
© 2001 American Bar Association
http://www.bna.com/bnabooks/ababna/annual/2001/manela.doc