The hit song "Somebody's Watching Me"1 made the charts in the 1980s, but today its lyrics reflect reality rather than paranoia--at least at the office. Workplace surveillance has become commonplace in today's business environment, with surveys suggesting that over 78 percent of all companies use some type of surveillance system.2 As for workplace computer use, surveys show that 76 percent of employers monitor workers' Web site connections; 55 percent retain and review e-mail messages; 36 percent track content, keystrokes, and time spent at the keyboard; and 32 percent of companies with 1,000 or more employees hire staff whose primary duty is to read and analyze the contents of outbound e-mail.3 The prevalence of workplace monitoring may be a documented trend, but the critical issue for employers is whether their use of surveillance techniques exposes them to potential liability.
Employees clearly have good reason to believe that they are being watched, but employers likewise have good reason for engaging in surveillance of their employees. One study suggests that 24 percent of employers have had e-mail subpoenaed in litigation, and 15 percent of employers have been defendants in workplace lawsuits triggered by employee e-mail.4 Aside from ensuring that employees do not create a hostile work environment by sending inappropriate e-mails, there are numerous other reasons why employers engage in surveillance, most of which boil down to prohibiting their employees from engaging in improper activity, such as stealing a company's trade secrets or spending all day surfing the Internet.
Employers use a variety of methods to track their employees' computer activities. One type of computer monitoring program often used by employers is a "packet sniffer." This is a program that connects to a particular computer network and then views all the information that passes over that network. Packet sniffer programs can monitor the Internet activity on an employer's network, including the Web sites that employees visit, the contents of their e-mails, and what information is being downloaded from the Internet.5
Another form of computer surveillance used by many employers is desktop monitoring. When an employee logs in to his or her computer, a signal is transmitted that is intercepted by the program. The program then replicates what the employee sees on his or her computer screen at the moment the signals are transmitted.6 Numerous other emerging monitoring technologies are available or will be soon.
Many electronic monitoring methods may be implemented at a low cost, providing a growing number of employers with the opportunity to use them. While computer surveillance appears to be the primary method of monitoring employee activity, employers also use more traditional methods such as videorecording employees in the workplace.
More important, however, than the technological effectiveness of surveillance programs is understanding what kind of surveillance employers in California are permitted to use in the workplace, and to what extent, without violating the privacy rights of their employees. Like so many legal questions, the determination of these issues ultimately may be fact specific. There are, however, a few bright-line rules in California regarding what an employer cannot do.
One of these bright-line rules is set forth in Labor Code Section 435, which directly prohibits audio or video surveillance of employees in rest rooms, locker rooms, or rooms designated for changing clothes, unless authorized by court order. Another is found in Penal Code Section 632, which prohibits anyone (including employers) from tape recording confidential communications without the consent of all parties to the communication. A Section 632 "confidential communication" is "carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto...."7 Penal Code Sections 630 through 638 are referred to as the California Invasion of Privacy Act (CIPA).
In Coulter v. Bank of America National Trust and Savings Association, the court of appeal held that an employee who "began secretly tape-recording face-to-face and telephone conversations with various bank employees, supervisors and officers" was properly held liable for violation of the statute.8 Because the statute prohibits recordings in which either party expects the communications to be confidential, "[i]t is sufficient that the bank employees who were secretly recorded expected the conversations to be private."9 Accordingly, a California employer seeking to record conversations of its employees must do so only with the consent of all participants to the conversation.
Beyond the limited bright lines, the question of what an employer can or cannot do in the area of workplace surveillance becomes less clear. The sources of law regarding workplace surveillance in California include federal, state, and constitutional protections.
Federal and State Privacy Law
The Electronic Communications Privacy Act of 1986 (ECPA) updated the federal wiretapping laws to create protections for digital communications. While employees have attempted to use the provisions of the ECPA to bring claims against their employers for privacy violations, courts have been reluctant to hold employers liable under the statute for monitoring their employees' e-mail communications on company computer networks. The ECPA only protects electronic communications while they are in the process of being transmitted.10 For this reason, the ECPA has not proven to be an effective vehicle for privacy claims by employees.11
No federal statutes expressly regulate a private sector employer's right to use video surveillance. However, a public employer whose video surveillance targets areas in which employees have a reasonable expectation of privacy may violate the Fourth Amendment. Courts will not find a reasonable expectation of privacy when workers do their jobs in an open and undifferentiated workspace.12
Privacy claims arising from workplace surveillance most often implicate state privacy laws. This is especially true in California, where courts have extended state constitutional privacy protections to the private sector.
The California Constitution recognizes a right to privacy in Article I, Section 1. The California Supreme Court, in Hill v. NCAA, found that the state constitution's right to privacy creates a private right of action against private parties.13 The constitutional right to privacy encompasses the common law tort of invasion of privacy. To succeed on a privacy claim, a plaintiff must establish: "(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy."14
The application of the test in the workplace setting is highly fact specific: "[I]n the workplace, as elsewhere, the reasonableness of a person's expectation of visual and aural privacy depends not only on who might have been able to observe the subject interaction, but on the identity of the claimed intruder and the means of intrusion."15 This can make it difficult for attorneys to give definitive guidance on the legality of a surveillance technique in a particular workplace setting, but some guiding principles may be gleaned from California case law.
While video surveillance of employees is expressly prohibited under specific circumstances by Labor Code Section 435, it is probably permissible in a public area and likely impermissible in a private office. In Sacramento County Deputy Sheriffs' Association v. County of Sacramento, the court of appeal found that a nonprivate office in the middle of a jail's booking area was a place in which the plaintiffs would have a diminished expectation of privacy.16 Thus, the videotaping that took place in that area did not violate the plaintiffs' privacy rights. Importantly, the court noted that the video surveillance system lacked audio capabilities and the "defendants' objectives were lawful."17 Relying on this range of factors, the court granted summary judgment to the defendants on the plaintiffs' invasion of privacy claim.18
However, in Hernandez v. Hillsides, Inc., an employer's placement of surveillance equipment in two employees' private offices was found to be an invasion of privacy. The court reasoned that the employer's action allowed anyone who had access to the room in which the surveillance system was housed to activate the system "at any time during the day without plaintiffs' knowledge, thus at least presenting the possibility of unwanted access to private data about plaintiffs."19 This case has been accepted for review by the California Supreme Court, so further guidance may be forthcoming.
Computer monitoring, the most widely utilized technique for workplace surveillance, generally has been upheld by California courts. The main rationale is that "the use of computers in the employment context carries with it social norms that effectively diminish the employee's reasonable expectation of privacy with regard to his use of his employer's computers."20
Employers can significantly increase their protection against invasion of privacy claims by adopting a policy for the use of their computer systems, e-mail, and the Internet, and requiring all employees to read and sign a statement acknowledging receipt of the policy. According to the court of appeal in TBG Insurance Services Corporation v. Superior Court, "employers can diminish an individual employee's expectation of privacy by clearly stating in the policy that electronic communications are to be used solely for company business, and that the company reserves the right to monitor or access all employee Internet or e-mail usage."21 Although it is not clear from case law, an employer's failure to have such a policy may support a finding that an employee had an objectively reasonable belief in the confidentiality of information stored on the employer's computer.22
These rules extend to computers kept in an employee's home that are owned by the employer and are therefore subject to the employer's computer use policy. For example, the TBG court held that the employer was entitled to discovery from an employee's home computer that was owned by the company and subject to the company's policy on computer use. Of course, certain practical difficulties may thwart attempts to obtain information from a home computer, such as the possibility that an employee will simply refuse to produce the computer.23
No California case law directly addresses whether an employer can monitor an employee's use of his or her personal e-mail accounts--such as Gmail and Hotmail accounts--when they are accessed on an employer's computer system. Based on the case law that exists, however, it is likely that this is permissible--especially if the employer has a policy in place. One federal court found that an employer did not violate an employee's right to privacy when it accessed an employee's e-mails from a personal account that had been saved on the employer's network.24 The court found that an employee had no reasonable expectation of privacy in e-mails saved on the employer's network, especially considering the specific warnings contained in the employer's policy.25
An employer's policy can also affect whether an employee's e-mail sent on a work computer to his or her attorney is privileged. In a now depublished decision, one California court held that an employee had an objectively reasonable belief in the confidentiality of his e-mail communications because "[t]he agreement signed by [the employee] did not preclude personal use of the computer or mention anything about [his employer] copying or disclosing the contents of the computer" and the employee "made substantial efforts to protect the documents from disclosure by password-protecting them and segregating them in a clearly marked and designated folder."26 By contrast, a New York decision found that an employee who communicated via e-mail with his counsel over the employer's server waived the attorney-client privilege.27
The New York court distinguished the California decision by noting that the e-mail policy in the California case did not prohibit personal use; the employer's policy in the New York case did. This fact, combined with the employer's retained right to monitor an employee's e-mail communications, persuaded the court that there was no attorney-client privilege in the e-mail communications. The court also dismissed the employee's argument that he was unaware of the policy because it was available on the employer's intranet and also in an acknowledgement form the employee was required to make new employees sign as part of his duties as an administrator.28
The lesson is clear. If an employer wants to conduct electronic or other surveillance of its employees, it pays to have a well-crafted policy and to have employees acknowledge their receipt and understanding of the policy.
Searching an Employee's Office and Property
Another issue that can arise in the workplace as a result of an employer's surveillance is whether an employer may search an employee's office or personal property. According to the Ninth Circuit in Schowengerdt v. General Dynamics Corporation:
Ordinarily, a search of an employee's office by a supervisor will be "justified at its inception" when there are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct, or that the search is necessary for a noninvestigatory work-related purpose such as to retrieve a file....The search will be permissible in its scope when the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of...the nature of the [misconduct].29
The same search may be unlawful, however, if conducted for an improper purpose:
Because [the employee] had a constitutional right to be free from unnecessary, overbroad, or unregulated employer investigations into his sexual practices, the search of his desk and credenza to find and seize materials relating to such matters would be reasonable only if relevant to his job as a naval engineer. Furthermore, the scope of the inquiry must be no broader than necessary.30
Unlike an employee's office, it is generally not permissible to search an employee's personal property in California. In Greenberg v. Alta Healthcare System, L.L.C., the plaintiff alleged a cause of action "for invasion of privacy, for searching her desk, computer, files and purse."31 The court held that the plaintiff's admission that the employer "had a right to search her desk, computer, and files defeats her cause of action with respect to the search of these items [but] [w]e conclude that rifling the contents of an employee's purse may support an award of punitive damages."32 Employees have a reasonable expectation of privacy regarding their personal property. This is true when they are in their automobiles, although an employer may make a visual inspection of any cars in its parking lot.33
Conducting a nonconsensual physical search of an employee in California raises a number of issues. An employer that conducts a nonconsensual physical search risks being held civilly and criminally liable for battery under Penal Code Section 242. A policy on these types of searches may also be insufficient to overcome an employee's reasonable expectation of privacy:
[A]n employer may not, simply by announcing in advance that all employees will be subject to periodic strip searches, thereby defeat the employees' otherwise reasonable expectation that such searches will not occur. Governing social norms, not the specific practices of an individual defendant or industry, define whether a plaintiff has a reasonable expectation of privacy.34
Surveillance in a Unionized Workplace
The National Labor Relations Board and the courts have created two categories of collective bargaining subjects--mandatory bargaining and permissive bargaining.35 For mandatory bargaining subjects, the employer and the union must bargain until they reach an impasse; that is, until it becomes clear to the parties, and the reviewing authority, that no further progress can be made on the issue.36
In one case, the NLRB analyzed a situation in which the employer had installed hidden video systems throughout its facilities. The board held that the employer's actions affected employment security, and the video systems could not be used unless the employer engaged in collective bargaining on the subject prior to installing the systems.37
Circuit courts also have found that surveillance by employers of their employees is a mandatory subject of collective bargaining in certain circumstances. For example, in National Steel Corporation v. NLRB, the Seventh Circuit upheld the NLRB's decision that a company must engage in collective bargaining with the union as to whether the company could engage in hidden surveillance.38 Moreover, the D.C. Circuit reinstated a union employee who was terminated based on information gathered through the use of a hidden camera. The court held that the employer's use of a hidden camera was a subject that required a prior bargained-for agreement between the employer and the union.39
Other issues may arise in addition to potential bargaining requirements. Surveillance of employees engaged in union organizing activities also may potentially constitute an unfair labor practice.40
Workplace surveillance is a fact of life for virtually all employers and employees. Employers face significant risks of employee data or trade secret theft, vicarious liability for discriminatory or harassing activity, or other harms caused by illegal or unproductive employee behavior. As a result, employers have turned to an increasingly wide array of technological tools that allow them to monitor their employees throughout their workday. The decreasing cost of these techniques will only serve to increase their use.
For employers attempting to minimize potential exposure to an invasion of privacy claim, the best defense is to implement a clear policy explaining what employees can expect in terms of monitoring and what constitutes appropriate use of the company's computer systems, e-mail, and Internet. Employee monitoring should not exceed the guiding principles established by case law, and defined parameters for computer use should limit an employee's reasonable expectation of privacy. Once the policy is established, the employer should require employees to acknowledge its receipt.
For employees worried about an employer intruding on his or her personal life in the workplace, the best approach is simply not to engage in personal activities on the company's computer network. While there are limits on what an employer can do in California regarding workplace surveillance, an employer can employ various monitoring techniques without crossing the line--especially if it has a policy in place. Thus, until legislation or case law imposes new prohibitions on workplace surveillance--and this is always a possibility in California--an employee entering the workplace and using an employer's computer system should expect that "somebody's watching me."