Industry-Specific Privacy Issues

Access to Financial Records Is Denied to Government Agencies

Title 12 United States Code Section 3402, access to financial records by U.S. government authorities is prohibited except in the following circumstances:

  • The customer of financial records has authorized the disclosure.

  • The relevant financial records are disclosed in response to an administrative subpoena or summons.

  • The relevant financial records are disclosed in response to a judicial subpoena.

  • The relevant financial records are disclosed in response to formal written request in conformity with the provisions of Section 3408 of Title 12.

Gramm-Leach-Bliley Act

This is a law intended to provide information privacy protection obligating each financial institution to respect the privacy of its customers and protect the security and confidentiality of the customers' nonpublic personal information, Title 15 United States Code Sections 6801-6810.

  • Financial institutions may not disclose a customer's account number for the purpose of marketing by a third party.

  • Financial institutions must develop procedures to protect information from unauthorized access that could result in harm to customers.

  • Financial institutions must advise customers in a clear and timely manner of their policies regarding the disclosure of information with third parties.

  • Financial institutions must provide a vehicle for customers to opt out of arrangements refusing permission to disclose their nonpublic information to third parties.

Health Insurance Portability and Accountability Act

HIPAA governs health care communications and practices knowing they play an essential role in ensuring individuals receive effective health care (45 CFR 160-164). HIPAA has the goal of improving the effectiveness and efficiency of the health care system including comprehensive measures not the least of which are provisions for protecting the privacy of individual health information. To this end, HIPAA mandates the adoption of privacy protections for individually identifiable health information.

Most health plans and health care providers are covered by the new rule (HIPAA) and must have complied with the new requirements by April 14, 2003. For the first time, HIPAA creates national standards safeguarding the privacy of individuals' health information:

  • It provides patients with more control over the use and disclosure of their health records.

  • It establishes safeguards that health care providers must achieve protecting the privacy of individuals' health information.

  • It makes covered entities accountable, with civil and criminal laws when a patient's privacy rights are violated.

  • It empowers patients to discover how their information might be used and about disclosures of their information that have been made.

  • HIPAA limits the release of information reasonably needed for the specific purpose of the disclosure.

  • HIPAA grants individuals the right to examine and obtain copies of their own health records, request corrections, and limit how they might be released.

  • HIPAA grants individuals control over uses and disclosures of their health information.

Due to the nature of these types of communications and the environment in which individuals receive care, the potential for a person's health-related information to be disclosed is great. For example, a patient's conversation with their physician may be overheard in the confines of a two-patient hospital room.

HIPAA privacy rules are not intended to preclude customary or essential communications in the administration of patient care, nor does it require that all risk of disclosure be eliminated to satisfy its requirements. HIPAA privacy rules permit certain types of incidental uses or disclosures of protected health information when the covered health care entity has installed reasonable safeguards with required policies and procedures safeguarding privacy.

Generally HIPAA privacy rules require the following of the average health care provider or covered health plan:

  • Notify individuals of their privacy rights and how their health care information can be used.

  • Implement privacy procedures for covered entities, e.g., clinics, hospitals, health care plans, etc.

  • Train employees of covered entities to understand and implement privacy procedures.

  • Designate at least one individual to be responsible for the adoption and compliance with privacy procedures under HIPAA.

  • Secure health records containing individually identifiable health information so they are not accessible to those not needing to know.

There are many important aspects of HIPAA, including the patient's right to file complaints regarding privacy to the covered health care entity or the Office of Inspector General, Department of Health and Human Services.

Compliance with the new HIPAA privacy standards is required of the covered entities:

  • Health care plans

  • Health care clearinghouses

  • Health care providers who conduct certain financial and administrative transactions such as billing and fund transfers. These entities are bound by HIPAA privacy standards even if they contract with third parties to perform some functions.

  • HIPAA Privacy rules compliance became effective April 14, 2003, with small health plans compliant by April 14, 2004.

Fair Credit Reporting Act

The federal Fair Credit Reporting Act (FCRA) was created to promote fairness, accuracy, and privacy of information relating to consumer credit histories held by Credit Reporting Agencies (15 United States Code Sections 1681-1681). As a matter of background, most credit reporting agencies are credit bureaus that collect and sell credit histories. Under provisions of the FCRA, consumers have very specific rights and in some cases, these rights have been expanded under state laws.

These are a few of the rights granted under the FCRA to consumers:

  • Individuals and organizations have the right to review the information held in their file including a list of anyone who has requested to see the information. Credit reporting agencies are required to provide report copies for a nominal charge after proper request.

  • Consumers must be advised if information from their credit file has been used to deny credit, insurance, or employment. This notification must include the name, address, and telephone number of the credit-reporting agency providing the credit history report.

  • Consumers have the right to dispute inaccurate information with the credit-reporting agency. If notified of inaccuracies, it is the credit-reporting agency's responsibility to investigate the disputed items by presenting to its credit source all relevant evidence provided by the consumer unless it is determined the dispute is frivolous. The information source must review the consumer's evidence and report its findings to the credit-reporting agency that must deliver a written report of the investigation to the consumer. If the dispute cannot be resolved, then the consumer may add a statement to his file, and credit reports must normally include a summary of this statement in future reports.

  • If a consumer disputes an item with the source of the information, they may not report the credit information to the credit-reporting agency without including notice of the dispute. Once the source of credit information is notified of an inaccuracy, it may not continue to report the identified inaccurate information.

  • Access to credit history information is limited. The credit reporting agency may only provide information to individuals recognized by the FCRA: creditors, insurers, employers, landlords, and other relevant businesses.

  • Consumers must provide consent for their credit history reports to be provided to employers or for reports that contain medical information. Credit reporting agencies may not provide information to employers, prospective employers, or reports containing medical information without the consumer's consent.

Penalties for failing to comply with FCRA tenets include:

  • Civil liabilities for willful and negligent noncompliance including actual damages, attorneys' fees, punitive and statutory damages.

  • Class actions can be brought under standards of civil liability.

  • Criminal penalties for obtaining information under false pretenses and unauthorized disclosures. Of course, penalties include incarceration, fines, and restitution.

  • Administrative actions may be sought by the Federal Trade Commission resulting in financial penalties against any person knowingly violating the FCRA.

Family Education Privacy Rights

Family educational and privacy rights are guaranteed by this federal law found at Title 20, United States Code, Section 1232g. Contingent upon the continued receipt of federal funding, it sets conditions for the availability of student records to parents who have children in school or for adults attending school. It grants the right to inspect and review education records of children and mandates that each institution establish appropriate procedures for granting requests by parents to inspect records. Under the tenets of this law, parents have the right to have a hearing challenging the content of such student's education records ensuring that the records are accurate or otherwise not in violation of the student's privacy rights. Such challenges may serve to correct, delete inaccuracies, or delete misleading or inappropriate data contained in the student's education records. Parents also have a right to insert into such records a written explanation respecting the content of these records. When a student has attained the age of eighteen or is attending post-secondary educational institutions, the permission or rights of the parents are accorded to the student.

Educational institutions have the right to disclose educational records to teachers and school officials including teachers and school officials in other schools having legitimate educational interest in the behavior and performance of the student.

By way of enforcement, the Secretary of Education must take appropriate actions enforcing this law and address violation. Failing to voluntarily comply can result in the Secretary terminating federal assistance to the educational institution.

Cable TV Privacy Act

Under the provisions of this law, 47 U.S. Code 551, at least yearly a cable TV operator must provide written notice to subscribers clearly and conspicuously advising of the nature of personally identifiable information collected with respect to the subscriber and the use of such information.

Cable operators are required to notify subscribers of the nature, frequency, and purpose of any disclosures, including the identification of persons to whom disclosure is made, the period during which this information is maintained by the operator, and the times and places at which the subscriber may have access to this information.

Cable operators cannot use the cable system to collect personally identifiable information about subscribers without the prior written consent of the subscriber.

Operators are prohibited from disclosing personally identifiable information concerning subscribers without their written consent. However, cable operators may use collected information or go about the process of collecting sufficient information in order to render services and conduct legitimate business. Operators may disclose personally identifiable information pursuant to a court order and must notify the subscriber of such orders. Disclosure of personally identifiable information to governmental entities will require a court order if there is clear and convincing evidence that the subscriber is reasonably suspected of engaging in criminal activity and the information sought is material to the case. In such cases, the law allows the subscriber to appear and contest the entity's claim.

A cable subscriber must be provided access to all personally identifiable information in the possession of the operator at reasonable times and places. Subscribers are provided reasonable opportunities to correct any errors. Cable operators may destroy personally identifiable information if the information is no longer necessary to conduct business.

Civil actions are directed to the United States district courts with damages, costs, and attorney's fees possibly awarded as part of any remedy.

Wrongful Disclosure of Videotape Rental or Sale Records (18 U.S. Code 2710)

Vendors engaged in the rental and sales of videotapes or similar products are prohibited from knowingly disclosing personally identifiable information concerning any consumer unless the following is met:

  • There is informed written consent from the consumer given at the time the disclosure is sought.

  • There is a warrant issued under the Federal Rules of Criminal Procedure, equivalent state warrant, grand jury subpoena, or court order.

  • Pursuant to a court order in a civil proceeding, that is based on a showing of compelling need for the information that cannot be accommodated by any other means.

  • Court orders authorizing personally identifying information disclosure shall only be issued with prior notice to the consumer and if the law enforcement agency shows there is probably cause to believe that the records or other information are relevant to a legitimate law enforcement inquiry.

If videotape service providers knowingly disclose to any person, personally identifiable information concerning any consumer of video tape sales or rentals, they can be held liable to the aggrieved person (consumer). Any person (plaintiff) alleging violations of this law by filing civil actions in U.S. District Court may seek financial remedies. The court may award actual damages to the plaintiff amounting to not less than $2,500, punitive damages in any appropriate amount, and other equitable relief the court determines to be appropriate and other reasonable fees including attorney's fees.

Children's Online Privacy Protection Act (COPPA)

Effective April 21, 2000, COPPA became law, addressing the online collection of personal information about children under the age of 13 must be safeguarded and limited (15 U.S. Code 6501). This law applies to the commercial operation of a Web site, online services, or general audience Web sites where vendors have knowledge these children are going to be providing personal information. There are actually several tests, applied by the Federal Trade Commission, responsible for this law's enforcement, to determine if the Web site is directed to children:

  • Visual or audio content of the Web site

  • Age of the models on the site

  • Language of the site

  • Advertising on the site appealing to children

  • Information regarding the age of the actual or intended audience

  • Use of animated characters

  • Child-oriented features

Web site operators are defined as the persons responsible for ownership and control of the online services, individuals paying for the collection and maintenance of the information, individuals whose roles are defined by contract with respect to the collected information, and the role the target Web site has in collecting or maintaining the information.

Personal information, for the purposes of COPPA, is basically defined as a child's individually identifiable information collected through online services. Items such as name, home address, e-mail address, telephone numbers, age, or any other information permitting identification or making contact possible, are covered under the law. There are other items that frequently escape notice considered part of this pool of identifiable information:

  • Hobbies

  • Interests

  • Tracking mechanisms such as cookies

  • School attendance

On Web sites, operators must have links to privacy policies on their home page advising of information privacy practices and on each Web page where personally identifiable information is collected from children. Links to privacy notices must be clear and easy to see. They must be clearly written and plainly understandable and include:

  • Name and contact information, address, telephone number, and e-mail address of Web site operator(s) collecting or maintaining children's information.

  • If more than one Web site operator is collecting information at the Web site, the site may provide contact information for only one operator who is designated to respond to all inquiries from parents about the Web site's privacy, policies, and procedures.

  • Kinds of personal information collected from children, e.g., name, address, etc.

  • Means by which the information is collected, e.g., directly from children or indirectly using a mechanism such as cookies.

  • Uses of the information by the operator. For example, is the information used for marketing purposes, contest participation, etc.?

  • Operators must disclose whether the child's information is transmitted to third parties. If this is the case, the operator must disclose the kinds of business in which the information recipients are engaged, the general purposes they intend to use the information, and if the recipients have agreed to maintain the confidentiality and security of the personal information.

  • Parents must have the option to agree to the collection and use of children's information without consenting to the disclosure of the information to third parties.

  • Parents can review the child's personal information, requesting to have it deleted and refusing to permit any further collection or use of the child's information. The Web page's notice must also declare the procedures for parents to follow if they wish to take any action or make any inquiry.

The notice to parents must have the same information included on the notice on the Web site. Operators must notify parents that they wish to collect personal information from children, that the parent's consent is necessary for the collection, use and disclosure of the information, and of the means by which the parent can provide consent. The notice to parents must be written clearly and understandably.

It may not contain any unrelated or confusing information. Operators are allowed to use different methods of parental notification including sending an e-mail message to the parent, telephone call or by sending a notice by conventional mail. Operators must obtain verifiable parental consent, from the child's parent, before collecting or disclosing a child's personal information. In short, operators must take reasonable steps ensuring that a child's parent receives notice of the operator's information practices and consents to those practices before collecting, using, or disclosing a child's personal information.

Parental consent is not necessary in the following conditions:

  • Operator collects an e-mail address belonging to a child or parent to provide notice to obtain consent.

  • Operator collects an e-mail address to respond to a one-time request from a child, and then deletes it.

  • Operator collects an e-mail address to respond more than once to specific requests. In this case, the operator must notify parents that it is communicating with the child and provide the parent with the opportunity to halt the communication before transmitting a second communication to the child.

  • Operator collects a child's name or other contact information to protect the safety of the child who is participating on the site. In this fashion, the operator must notify parents and provide them the opportunity to prevent further use of the information.

  • Operator collects a child's name or contact information to protect the security or liability of the Web site or to respond to law enforcement. The operator may not use the information for any other purpose.

Operators are required to send notices and seek consent from parents if there are material changes in their collection, use or change disclosure practices to which parents had consented previously. Operators must send parental notices and seek new consent, if the third parties materially change or if they change their information handling practices.

Operators must disclose the types of personal information they collect from children to parents when requested by the parents. Operators are legally required to employ reasonable procedures ensuring they are, in fact, communicating with the child's parents before they provide access to the child's personal information.

Experience Note

Web site operators, appealing to young children, should have extensive documentation of their privacy policies and procedures. They must document their communications with parents and their children thoroughly if they wish to avoid legal actions. Vendors are wise to include the scope and existence of this documentation as part of their audit procedures.

Operators may deploy a variety of means in verifying parents' identities:

  • Obtaining a personally signed form from the parent received by the operator via conventional mail or facsimile

  • Operators may accept and verify a credit card number

  • Operators may accept telephone calls from parents

  • Operators may accept e-mail accompanied by the parent's digital signature

    Operators may accept an e-mail with a PIN or password obtained through a verification method

Web site operators following prudent and reasonable procedures, acting in good faith to a request for parental access to a child's personal information, may be protected from liability under federal law for inadvertent disclosures of a child's information to someone purporting to be a parent.

Parents may revoke their consent refusing to permit operators to further collect or use their child's information. They may advise operators they wish to have the information deleted and request operators to cease communicating further with their child.

COPPA enforcement is the responsibility of the Federal Trade Commission who examines operator's practices for deception and a lack of fairness. Their enforcement actions are pursued through civil processes and usually target representations, omissions, fraud, or deceptions where operators mislead consumers affecting behavior or decisions about the product or services.

Federal Privacy Act

In 1974, the federal government became bound by the Privacy Act, 5 U.S. Code 552. With the passage of this law, Congress established controls over the collection and disclosure of personal information. The federal government has a voracious personal information appetite collecting an incredibly wide range of individual information through military records, social security records, welfare programs, health care programs, federal employment, food stamps, farm subsidies, emergency assistance, government financial instruments, tax records, court records, grants, student loans, etc.

There are certain rights and controls within this law:

  • Right to see one's records (there are certain exemptions)

  • Right to amend that record if it contains inaccurate, irrelevant, untimely, or incomplete information

  • Right to sue the government for violations of the statute, including unauthorized access, etc.

The Right to Privacy law mandates certain constraints on informational practices of federal agencies by requiring them to ensure their records are relevant, accurate, and complete. Federal agencies are prohibited in collecting or maintaining information about the way individuals exercise their First Amendment rights. Of course, agencies may collect this type of information if the individual consents to the practice or is within the scope of a legitimate law enforcement investigation.

Individuals may request to review their information but there are some conditions to this request. Requests only apply to information within the statutory definition of a "system of records." The system of records refers to records that can be retrieved by the individual's name, Social Security number, date of birth, or some other unique personal identifier. The Privacy Act does not apply to information about individuals contained in records that are filed under other subjects. For example, if a person purchased federal government bonds but they were purchased in the name of a business, it is likely the person actually making the purchase would not be indexed and her information would not likely be recoverable.

Any federal, state, or local government agency requesting an individual's Social Security number is required to advise that individual whether that information is mandatory or voluntary. If mandatory, they are required to cite the statutory or other authority by which the number is requested and their intended uses of it.

There are exemptions described in the Act under which an agency can withhold certain types of individual information. Such examples of exempted information are classified information or information contained in certain criminal investigations. Information relating to a confidential informant is exempted for obvious reasons as are individuals requesting confidentiality when they provide background information about someone seeking federal employment.

Information relating to an individual's name and address may not be sold, traded, or rented by an agency unless specifically authorized by law.

Safe Harbor Issues in the United States

In 2000, the European Union (EU) adopted the European Commissions Directive on Data Protection (Safe Harbor) prohibiting the transfer of personal data to non-EU nations that do not meet the EU standard for privacy protection. The United States has taken a different route to secure privacy protection adopting a combination of legislation, regulation, and self-regulation where the EU has adopted a stance of data protection agencies; registration of databases, and in some cases approval before personal data processing can be begun.

The Department of Commerce, acting with the European Commission, has developed a framework for "safe harbor" where U.S. businesses can avoid experiencing interruptions in their business operations with the EU or possibly face prosecution under EU privacy laws. The Department of Commerce has established a means certifying to the EU that U.S. registered companies provide adequate privacy safeguards as defined by the directive. [2]

Data controllers in Europe know which U.S. companies can receive data by the fact that the U.S. Department of Commerce, on this Web site, publicly posts those organizations that have joined Safe Harbor. By self-certification, U.S. companies can become placed on the Safe Harbor Web list. Through the self-certification process, U.S. organizations declare they will comply with Safe Harbor privacy requirements. European Union Data Protection Directive (95/46/EC) mandates that organizations provide adequate protection of data relevant to EU residents. If a U.S. organization publicly declares its compliance to Safe Harbor principles, it is presumed to provide adequate information protection. In their most basic form, Safe Harbor principles basically consist of the following:

  • Notice of the purpose the information is being collected, its uses, and disclosures.

  • Individual personal information may be reviewed making corrections, deletions, amendments, and modifications. The individual also has right to determine to whom the information might be revealed and which parts will be disclosed. The collector of the information is bound to safeguard the information for the time it is stored, whether it is being used or not.

  • Entities receiving personal information from the original collector are bound to comply with the privacy principles of Safe Harbor.

  • The collector of personal information is bound to adequately protect the information from unauthorized access, disclosure, or use.

After they certify, businesses are subject to oversight and enforcement by the Federal Trade Commission or the Department of Transportation dealing with unfair and deceptive practices. Subscribing organizations are required to identify an independent body whose purpose it is to resolve disputes so anyone with a complaint knows where to file.

One of the guiding principles of Safe Harbor is that the transfer of data to U.S. participants cannot be transmitted to others outside the Safe Harbor confines. The only exception to this rule is if the disclosure is made to a third party acting as an agent under the direction of a member of Safe Harbor. It is a requirement that receiving third parties have to observe similar information privacy protections as the member-business.

Experience Note

Becoming a member of Safe Harbor is voluntary with the rules applying only to those who enlist.

Enforcement of Safe Harbor privacy requirements in the United States is essentially driven by filed complaints. Resolution forums established for that purpose address initial disputes. It is expected these entities will investigate and attempt to resolve complaints as an initial step. However, if members fail to adhere to rulings, then cases will be transmitted to the Federal Trade Commission or Department of Transportation who have the ability to legally obligate them into compliance. If there are more serious cases of noncompliance, then they will be removed from the membership list, meaning they can no longer receive personal information data transfers from the EU under Safe Harbor.

Compliance with Safe Harbor membership has Federal Trade Commission enforcement through the Federal Trade Commission Act, making it unlawful to make misrepresentations or engage in deceptive practices misleading consumers. If businesses declare they are providing a specific set of information privacy protections and fail to do so, this is going to be interpreted as a deceptive practice resulting in civil or administrative enforcement actions from the Federal Trade Commission.

Organizations undergo the self-certify process by providing a letter, signed by an officer on behalf of the organization that it is joining Safe Harbor, containing the following information:

  • Name of organization, mailing address, e-mail address, telephone and facsimile numbers

  • Description of the organization's activities relating to personal information received from the EU

  • Description of the organization's privacy policies for personal information protection including:

    • Where is the organization's privacy policy available for public viewing?

    • What is the privacy policy's effective date of implementation?

    • What is the organization's official contact for addressing complaints, information access requests, and other issues under Safe Harbor?

    • What is the statutory body having jurisdiction to hear complaints against the organization regarding allegations of unfair, deceptive practices, violations of laws and regulations?

    • What is the name of any privacy program in which the petitioning organization is a member?

    • What is the method of compliance verification?

    • What is the mechanism available to investigate unresolved complaints?

Adherence to the Safe Harbor rules is not limited to the time the organization is exchanging data with the EU. It means that the member-organization continues to observe and apply Safe Harbor rules to the EU data as long as the organization stores, uses, or discloses the information even if it leaves Safe Harbor membership.

Employee Privacy: Is Monitoring the Same as Spying?

Most computer security statistics clearly demonstrate the most devastating information events happen as a result of employees (including full-time, part-time, interns, contractors, and volunteers). There are numbers amounting to more than 80 percent of unlawful computer acts committed by insiders with the remaining 20 percent resulting from individuals outside the organization's walls. The principal tool in the typical office is the workstation comprising the communication portal between employees and the outside world. Before organizations can safeguard their communications resources, they must understand why and what must be protected.

Experience Note

The organization's assets must be defined, identified, and prioritized before efforts can be mounted to keep them safe. Do not protect junk.

Governing the conduct of employees should be a set of well-established policies and procedures. Of course, employees are expected to conduct themselves in conformity with laws and regulations, but an organization's policies provide governance in situations tailored to the particular business structure and its needs. The employee's authority to act is derived from the lines of responsibility and reporting; consequently, there are some basic tenets when considering employee conduct:

  • Least privilege. This is the practice of constraining a user's information access to the minimum level necessary for her to do her job and nothing more.

  • Separation of duties. This is the practice of dividing critical function steps among employees so that no one employee has the ability to complete a transaction. For example, if an accounts payable clerk reviews incoming invoices and prepares checks, it is the vice president who must sign them before they may be sent.

  • Accountability. This is the overarching goal of conscientious auditing to review business practices and determine if they are in conformity with laws, regulations, policies and procedures. Accountability looks for potential unlawful acts, abuse, single points of failure, business efficiency and effectiveness, separation of duties, and least privilege.

An employee's job-related conduct must not jeopardize the organization's critical assets, meaning the organization's legitimate ability to achieve its profitable goals.

Legalities in Employee Monitoring

There is much made of lawfully monitoring employees' conduct on the job. And, there seems to be a fair degree of misunderstanding on the part of senior managers and legal units. The fact of employee monitoring or auditing is this: the most active attacks on the organization's assets originate from outside the organization, but the most successful and financially devastating attacks come from employees, former employees, contractors, and others who had or have legitimate access to sensitive information.

Experience Note

Organizations can and will be held legally liable for the acts of their employees even if those employees are not longer employed. Unless organizations monitor and audit the activities of their employees, they are remiss in their legal responsibilities.

There are federal and state criminal statutes governing "listening" to employees' conversations and intercepting third-party electronic communications. These laws include actions such as eavesdropping on oral conversations, intercepting electronic communications, and the rights of those monitored by these techniques. Federal and many state laws define wire communications as electronically exchanged information through cable, wires, or transmitted through the air. Examples would include wireless local area networks, WLANs, conventional cable-connected networks, wire-connected telephones, cellular telephones, and cordless telephones.

Oral communications are exchanged in face-to-face situations, where one or more persons are vocalizing one to another without interceding technology. Intercepting communications is the process by which the contents of a communication, either oral, wireless or wire, is acquired by a third party. There is another type of employee monitoring where employers install video camera equipment to capture the activities of their employees and others on property under their control.

Oral Communications

There is federal law protection of oral communications not transmitted by means of electronic transmission such as telephone or voice over IP means. Federal laws protect the interception of oral communications or the disclosure of the contents of those communications that were unlawfully intercepted. Interestingly, legal privacy protection is only extended to oral communications that have a reasonable expectation of privacy. If there is a reasonable expectation of privacy, the only means by which an oral communication may be intercepted (absent a consenting third party) is by a law officer using a court ordered wiretap.

Experience Note

If employers want to lawfully monitor the conversations of employees having a reasonable expectation of privacy, they must not use mechanical, electronic, or any other device to intercept the conversation. Intercepting an oral conversation may only take place where the people talking do not have a reasonable expectation of privacy. Employers may obtain consent from one or more of the persons present at the conversation and those persons may use electronic means to record the conversation. In the latter case, it is not a requirement that the consenting person speak during the conversation, it is only required that they have a legitimate right to be present during the conversation. It is important to note that several states have statutes outlawing the use of recording equipment. Ensure legal counsel is consulted before using this monitoring technique.

Wire Communications

Federal laws protect the sanctity of telephone communications and other electronically transmitted communications (Title 18, United States Code Section 2511). Under this statute if an employer intercepts or discloses the content of an unlawfully intercepted communication, it could result in a criminal prosecution. It is important to note that this statute has application to cellular telephones, cordless telephones, hard-wire telephones, and possibly wireless networks. However, there are some exceptions to this law:

  • Consent of at least one of the participating parties to the electronic communication. As in the oral communication privacy law, it is required that only one person, having a legitimate presence, provide consent to monitoring. Currently, many organizations obtain continuing consent or waivers from their employees as a condition of their employment. Employers are wise to obtain signed employee acknowledgement and consent before monitoring.

  • There is not a reasonable expectation of privacy to the electronic communication. Many employers announce that communications with their employees are possibly being monitored; this relieves the reasonable expectation of privacy. Employers might advise their employees and others that use of the organization's electronic equipment for any purpose other than business is not permitted.

Trap and Trace and Pen Register Installations

There are pieces of hardware known by their purpose of "trap and trace" that are installed to identify telephone numbers that are calling other telephones. Trapping and tracing telephone numbers refers to tracing a caller's telephone number to a telephone located at a specific location at a specific time. Equipment used to trap and trace a telephone call generally must be used in conjunction with the local telephone carrier and is restricted to law enforcement actions supported by court ordered installations. Pen registers are electronic devices that, when installed on a telephone line, identify the numbers dialed out from a targeted telephone. This equipment is installed only to identify telephone numbers either received or called. Trap and trace equipment will not and must not be used to monitor communication's content, merely the involved telephone numbers.

Under the provisions of Title 18 United States Code, Section 3121 there are general prohibitions regarding the installation of pen register and trap and trace equipment with the requirement of first obtaining a court order described under Section 3123. Court orders are generally obtained by law enforcement agents with an effective life of 60 days, and may be extended for additional periods of time. It is important to note that the application and court order for pen register and trap and trace equipment is applicable only to telephone lines. Using software applications and tools to locate IP addresses is not addressed in this statute and does not require any special type of court order or warrant.

Video and Still Camera Monitoring

Monitoring activities on property under the control of employers is allowed using video and still camera technology. It is a requirement, however, that only images are viewed and recorded, not communications either oral or electronic. For example, a bank uses hidden video camera or still camera technology to record the activities within the confines of the vault. As part of their employment, all employees are advised that only the bank's business may be conducted on the property during business hours and that employees are not entitled to a reasonable expectation of privacy with respect to their actions. During business hours, the camera captures an employee taking cash from her drawer and passing it to a customer in exchange for a small paper package that she immediately places in her pocketbook. No conversational exchange was recorded or intercepted. Is this a lawfully monitored incident? In all likelihood, the answer is "yes."

However, there are conditions under which employers may not record images as employees have expectations of privacy. For example, restroom stalls are areas where employees have a reasonable expectation of privacy. Monitoring their activities with video or still-camera equipment there would be prohibited. However, video camera surveillance of the work area where an employee can observe the equipment negates any reasonable expectation of privacy, Vega-Rodriguez v. Puerto Rican Telephone Co., 110 F. 3d 174 (1997).

Monitoring E-Mail and the Employee Workstation Conduct

Employers' monitoring of e-mail used to be the $64,000 question. The matter is best addressed in the context that employers are liable for the conduct of their employees, even when employees are using the organization's equipment after business hours. Employees sending and receiving racist, sexist, and sexually explicit e-mail leave a trail that exposes an employer to liabilities based on claims of hostile work environment and negligence.

The courts have decided that it is the responsibility of employers to monitor the activities of their employees, and failing to do so can result in substantial settlements in the defendant's favor. In the matter of Blakey v. Continental Airlines, Inc., June 1, 2000, the New Jersey Supreme Court unanimously decided that certain postings made to a work-related electronic bulletin board constituted a hostile work environment for which the employer could be held liable. The court decided that if the employer had noticed that its employees were posting messages to the bulletin board that were defamatory and harassing, the employer had a duty and responsibility to remedy that harassment.

Productivity and liability are issues that drive employers to monitor employee use of e-mail systems in the workplace. Failing to take appropriate levels of discipline often result in defendant's prevailing in civil suits. Presently, the courts have been inclined to side with the employer's position in the debate over employee's electronic privacy.

In Smyth v. The Pillsbury Co., 914 F. Supp. 97 (Eastern District of Pa., 1996), the District Court decided that the employee did not have a reasonable expectation of privacy by his use of the internal e-mail system to communicate with his supervisor. The company had previously stated that e-mail communications would remain confidential. The court found that it was lawful for the company to intercept the employee's e-mail and terminate him for transmitting inappropriate communications using the company's e-mail. In this case, the court ruled that no employee had a reasonable expectation of privacy using e-mail sent over the company's e-mail network.

In the matter of McLaren v. Microsoft Corp., No.05-97-00824-CV, 1999 Texas App. Texas Ct. App., May 28, 1999, the employee filed e-mail messages in "personal folders" on his office computer with password protection. The court ruled the employee did not have a reasonable expectation of privacy preventing the company from viewing these files. In their decision, the court determined the employee's e-mail messages were not his personal property, rather they were part of the employer's office environment. Accordingly, the employer's need to prevent inappropriate use of its e-mail system outweighed the employee's privacy, and the company had a legitimate right to access data stored in the employee's "personal folders."

Decisions made in the California State court system ruled that employees do not have cause of action for wrongful termination when they were fired because of their objections to their employers' e-mail monitoring activities. The relevant cases are Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. July 26, 1993); and Shoars v. Epson America, Inc., No. B 073243 (Cal. Ct. App., rev. dec., No. S040065, 1994 Cal. LEXIS 3670, June 29, 1994, no published decision).

In 1986, the Electronic Communications Privacy Act (ECPA), 18 U.S. Code 2700 et seq. became federal law prohibiting the interception and unlawful use of intercepted electronic communications. Although the specific term of e-mail is not mentioned in the statute, the legislative history and current case law indicate that e-mail falls within its coverage. For the purposes of employers monitoring e-mail activities of their employees, there are three major exceptions:

  1. Provider exception to monitoring electronic communications. The employer is the provider of the e-mail system and has the right to monitor its use preventing prohibited or unlawful behavior.

  2. Prior consent exception. This exception is drawn on the conclusion that the employee has given her prior consent to having her electronic communications monitored.

  3. Business use exception. This exception is based on the organization's policy that only proper official business may be conducted using the e-mail system.

Employee Legal Defense

With recent and past legal decisions regarding employees' privacy rights in the electronic workplace, there are some things that should be considered:

  • Do not look to the Fourth Amendment to the Constitution for privacy protection as it only applies to the citizen's relationship with government and law enforcement agencies. Depending on an organization's policies and procedures, if an employer searches an employee's workstation where there is a reasonable expectation of privacy, then the employer may be held liable. If an employer searches an employee's workstation at the direction of law enforcement agents and it is determined there is a reasonable expectation of privacy, it is likely any evidence will be excluded from criminal proceedings under the doctrine of "fruits of a poisonous tree."

  • For an invasion of an employee's privacy, an employee must have an expectation of privacy that society considers reasonable (Medical Laboratory Management Consultants v. ABC, Inc., 30 F. Supp. 2d 1182, 1998). For an intrusion to be actionable in civil proceedings, it must violate the solitude or seclusion of another or her private affairs or concerns is subject to liability to the other for invasion of her privacy if the intrusion is highly offensive to a reasonable person. In determining whether the employees' privacy expectation is reasonable, the workplace should include areas and artifacts related to work that are under control of the employer even if employees bring personal items to work. Not everything brought into the workplace can be considered part of the workplace, e.g., pocketbooks, handbags, briefcases, etc. In the case, O'Connor v. Ortega, 480 U.S. 709 (1987), the court upheld the expectation of privacy as reasonable given that the employer had not discouraged employees from bringing personal items to their workplace neither had they established any privacy policies.

  • Lack of formal official use policy. Even in today's world, some employers fail to institute policies governing official use only of business resources. Employees might be able to use the lack of enforced official use policy as grounds for wrongful termination in the event of objectionable behavior. (United States v. Slanina, No. 00-20926 5th Cir. Feb. 21, 2002)

  • Hard drive cleansing. There are super cleansing programs available for download offering differing levels of assurance that discarded data have been erased. Regrettably, as many have experienced, there are often records of e-mail and Internet browsing stored in other locations of the organization's network.

  • Employees often deny they were viewing objectionable material and that the material in question was received from unsolicited sources. The viability of this argument will depend on the amount, type, and characteristics of the material. If material is discovered in the form of sexually explicit banner advertisements with a few thumbnail images, there might be some merit to the employee's argument. However, if there is a sizeable cache of full-size material that has been stored on the employee's workstation covering a lengthy period of time, then this argument is not persuasive.

Employee Monitoring Best Practices

The best philosophy for employee monitoring is to "get it out in the open." Do not hide the fact that employees are going to be monitored. If employers attempt to conceal employee-monitoring activities, it could result in employees having a reasonable expectation of privacy in their behavior at work. Employers choosing to engage in some type of employee monitoring should consider the following:

  • Senior managers should formally identify the business purpose of employee monitoring and confine their monitoring to that purpose alone. It is a matter of legal business practices and continuing profitability. If employee monitoring is based in any other purpose, then prepare for endless litigation.

  • Employers should have plainly written policies and procedures describing the nature, extent, and uses of monitoring. Wise employers will clarify that monitoring employee conduct is a matter of protecting the bottom line. Do not be afraid to reward good employee behavior that is discovered as a result of monitoring.

  • Employers should selectively monitor electronic and oral communications unless there is a very strong reason to do otherwise.

  • Advise employees, on all levels, that the organization has formal policies and procedures for monitoring. Identify what types of monitoring is going to be conducted such as e-mail, Internet browsing, telephone calls, voice mail, workstation files, server logs, router logs, video surveillance, etc.

  • Advise employees and have them formally acknowledge that all equipment and resources belonging to the organization are for official use only and there is not any reasonable expectation of privacy for any employee, including senior managers. Employees should know that placing a password to protect a file does not ensure privacy. Organizations should determine if they are going to allow employees to use encryption and thereby evade monitoring. Rest assured if encryption is permitted, its use may be corrupted and the organization's intellectual property can be transmitted outside the company with little chance of detection.

  • Should telephone calls between employees and outsiders be recorded, organizations should consider using a intercessory recording announcing that telephone conversations are being recorded for quality assurance or other purposes.

  • Organizations must have designated procedures addressing the manner in which captured communications and recorded behavior will be reviewed for compliance. It is imperative that vigorous controls are in place relating to the dissemination of information obtained through employee monitoring.

Employee Polygraphs

This is a touchy topic and generally only employed by government agencies screening prospective and active employees who will have access to sensitive or classified information. The following are the conditions under which polygraphs are usually administered:

  • Generally, employers cannot use polygraph testing to screen employees, except in cases of national defense or security concerns.

  • Generally, employers can use polygraphs to screen employees who have direct access to controlled substances in the course of their employment.

  • Generally, employers may screen employees who are security guards with access to sensitive areas.

Under the provisions of the federal Employee Polygraph Protection Act, Title 29 United States Code Section 2001-2007, testing employees must fall within the following investigation scope:

  • There must be an ongoing investigation involving an actual economic loss.

  • The employee that is going to be tested must have had access to items that resulted in the loss.

  • There must be a reasonable suspicion that the employee was involved.

  • Employees must be provided with a statement concerning the reasons why the test is to be performed. Employers must provide a statement containing the above listed information at least 48 hours before testing, it must be written so the employee can understand it, and an agency representative must sign it.

During polygraph testing the employee has the following rights:

  • Polygraphs may not be used for random testing or for investigations of unspecified events.

  • Employees may terminate the examination at any time.

  • Employees cannot be asked intrusive or degrading questions.

  • Employees cannot be asked questions concerning religious beliefs, racial opinions, political beliefs, sexual preferences, or beliefs about labor organizations.

  • Employees cannot be tested if a qualified physician has advised, in writing, against testing on mental, physical, or medical grounds.

Popular Posts