Electronic Communication Monitoring in the Workplace

Marshall Remmele Jennifer Turner Brian Boyer Jon Maurus

Executive Summary

The dawn of the internet brought with it a boon to workplace efficiency. Shortly following this boon came a myriad of ways to use the same tools to waste time. Although most wasted time in the workplace is a result of surfing the internet, company managers are most concerned about misuse of electronic communication, primarily email. The rationale behind this is that employees will find a way to waste time, whether it is hanging around the water cooler or shopping e-Bay on the clock; email on the other hand, presents a new liability to intellectual property security. Many companies have emerged to offer a solution to this intellectual property risk by offering software that can monitor electronic workplace communication.

Why Monitor?

We have stepped into a revolution when it comes to businesses and employment.
Today’s economy is a mere shadow of what it used to be years ago. In the twenty first century we are concerned with productivity, it is all about quantity over quality. Businesses desire increased production and want to spread their service or product as far across the world as they can in a never ending effort to profit. This is the name of the game, whoever profits the most wins. Efficiency is a key concept that these businesses have been focusing around in order to achieve this end. If a business cannot be effective in using their resources then they are going to have trouble competing in the market and they will eventually cease to exist as a corporation. One of the most important resources that most companies have is labor, or in other words their workers. This is where we start with why monitoring in the workplace is useful and supports the underlying goal of efficiency. Employers hire workers to do a specific job that they request so that they
might reach the ultimate goal of turning profits by using their resources effectively. It is important though that these workers are giving direction in the workplace so that it is certain that they maintain focus on the task laid out by the company. When employers give too much leeway and supervision is not carried out then there leaves room for employees to lose focus and cause serious damage to the company.

Chevron is a company that has learned the supervision lesson all too well; Chevron was hit with a 2.2 million dollar sexual harassment lawsuit when an employee sent inappropriate emails over the company’s network. This is a dent in the financial resources and of the reputation of Chevron which has the possibility of hurting the productivity of Chevron. According to Thomas Shumaker II, an expert in labor and employment law, a company is legally liable for all transmissions over its networks. Mr. Shumaker recommends, in fact insists, that companies take the necessary steps to monitor its employees’ actions in order to prevent such disasters like this from ever happening. If Chevron had taken appropriate measures, such as monitoring employee actions, specifically emails, they would have avoided the legal entailment of a lawsuit and having to spend significant financial capital. Beyond the internal threats that a company faces if they do not monitor their workers it is important for a company to protect against the privacy of files, records and any other information about clients/cases from external sources.

Over the last decade we have seen a tremendous surge in technological advances. America has seen rapid advancements in communication over these past ten years. We have gone from being a nation divided by distance and time to new, stylish cell phones, email accounts, AOL, and other devices that allow us to keep in constant communication with anyone and everyone that we want to. With these advances comes an increasing need for security and responsibility on the behalf of those offering these services. This
technology has left private information of people and companies vulnerable to sabotage, hackers and other security threats. Monitoring its networks can allow a company to know if there is a breach in security, or an attempt to steal pertinent information that the company has an obligation to protect.

The leaking of certain information, such as a law firm leaking files on clients, can lead to major lawsuits against that firm. This too, can lead to unexpected set backs that would hinder productivity of the company. This leads to the last aspect of why a company needs to implement monitoring. Monitoring activity of a company’s resources allows it to protect its own resources. The company owns the resources that its employees use, it owns the files, computers, fax machines and everything else that resides within its walls. Monitoring employee use of these resources help ensure their safety and durability. With the proper safeguards in use (monitoring of employees) a company can prevent the misuse or destruction of valuable equipment and resources that would have the potential to offset the productivity of the
workplace.

As we progress through time it is important that we adapt to the surrounding
changes that occur around us. The biggest change that we are experiencing today is a the enormous amount of technology that is presented before us. No longer is information only accessible through physical paper copies. Today information is accessible through all different kinds of mediums. A report done in China can be accessed over the internet from a small town in Indiana. Information is highly transferable all over the world. We live in a world where anything about anyone can be learned given time. It is for this reason that companies have an obligation to protect not only their interests but
those of their employees as well. Monitoring the workplace can provide the proficient security to protect against internal damage, external infiltration and the misuse or destruction of company property. Monitoring is an effective tool that should be integrated into workplace life.

Existing Hazards

After discussing the legality and reason for monitoring employees, it is important to discuss exactly what employees are getting into. One example was the Chevron fiasco mentioned earlier, but there are far more threats than sexual harassment emails alone. Unproductive time can be spent in the form of web-pages, internet ‘boredom’ games, video archives and just about anything you can click through on the web (Bored at Work, 2006). The entire website is set up just like an entertainment plaza with different rooms to click on; videos, articles, games, and soundboards. They are also displayed right on your computer screen so they’re easy to close out in a rush and the website could very easily make it look like an employee was doing something by looking at the screen and typing or clicking the mouse. While I don’t think that employees try to dodge work all the time, these websites exist for a reason. And that reason this website exists cannot be solely for the creator’s entertainment. An employee can even register for his own account on www.boredatwork.net. Enticing persuasions such as no advertisements and your very own profile page make the time spent on this website that much easier and that much more involved. After registering, which took no more than 5 seconds as a reply to an email was not required, we found that you could easily invite friends and bookmark your favorite boredom websites.

On 27 December, 2005 there was a Superior Court case in New Jersey’s Appellate Division discussing the material readily available on the internet. In Doe v. XYC Corporation it was ruled that, "an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee's activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third-parties." In the issue of child pornography and how accessible it is, this case mandates employer responsibility in checking up on employees if there is any belief that employees are accessing this type of material. It’s all morals and ethics, but there may be several more types of material available that should be illegal in the same manner as child pornography; illegal drug or arms-sales websites or terrorist action group websites are just a few examples. While this case is an extremely specific example of what employees are having a problem with and there has to be court-worthy proof of wrongdoing, it shows exactly what is starting to happen with internet access in the workplace. As mentioned earlier, websites all over the world are accessible from anywhere there is a computer with internet access.

It is clear that there are several ways to access material a company may deem illegitimate through the web, but even if web browsers are blocked there is still a significant threat as established earlier; e-mail and instant messaging. These are user-based methods of communication and can be very time consuming practices. In a recent email, one of our researchers’ relatives sent a forwarded message with anecdotal content to several members of her address book (J. Altap*, personal communication, October 10, 2006). After we asked her whether or not she sent this email during work, she admitted having done so and that she would allow us to use this information in a white paper. Her email was just over 1400 words long and took us about five minutes to read it. It took us another minute to forward it to the recipients we thought would like it and it took us another five minutes to get back on topic writing our white paper. If we consider the fact that we received this email while working instead of just using it for research, it becomes clear that we just spent about eleven minutes of our company paycheck on our own personal interests. Perhaps by coincidence, but perhaps not, J. Altap also has a habit of using AOL Instant Messenger while working, according to our researcher. This program makes it very easy to be online and communicate in real time with anyone else who is online. These discussions can become quite extensive and since it is very similar to speaking, these discussions can become quite explicit and revealing as well. The same type of gossip or slander that we come across every day can be communicated just as comfortably through instant messaging. While it may be a good idea to institute the use of instant messaging for company efficiency, it may not be appropriate to contact friends or family for personal interest.

It is completely up to company interpretation as to the actions to be taken after analysis of the above issues. However, as discussed in this section and others, there are several legal parameters that govern a company’s surveillance of employee communication. For this reason, it is extremely important for a company to be aware of what is available to employees, what employees are capable of and if limits need or do not need to be imposed.

Technical Information

With the wide array of software offerings from competing companies comes an equally wide array of product features. As unique as these offerings may be, they all share a feature that allows managers to see all email communication going into and out of the company. When an ECMP has been installed on a network no matter what computer on that network sends an email, the email will be sent first to a secret email account that has been established for the sole purpose of receiving a copy of every email on the network. From this point the administrator can either have the emails proceed to their respective destinations, or stay in the secret email account until the administrator verifies their contents and then releases them. This primary structure is shared by all of the ECMP’s offered on the market, from program to program subtle differences make them adaptable to companies of all sizes.

When a company only wants to monitor specific employees, managers can create lists of the employees they wish to monitor. Then instead of being flooded with thousands of emails a day they can select only employees they are suspicious of and not monitor employees they trust. The obvious advantage of this is that managers will not have to hassle with the high percentage of innocuous emails sent across the network every day. Employees who know a system like this is in place will be less likely to even attempt to leak information using company time or resources. This may be useful if the manager has a hunch that an employee is up to something, but is not sure if they have done anything wrong at this point.

Managers can also create a list of key words so that the ECMP will flag every email containing key words. An example of this might be a manager who is concerned that their third quarter results will be released prematurely to the investing community. The manger could simply tag “third quarter” as a suspicious phrase and all emails going out will be scanned for these words. As opposed to tagging an employee, this is useful when there is information being leaked but no suspect in the violation being committed.

Another common feature that is shared by all of these ECMP’s is the remote monitoring capability. This means no matter where a manager is worldwide, they will still have the capability to monitor the email that is occurring on his companies network. Thereby helping to thwart the “when the cat is away the mice will play” tendency for workplaces where the manager is out of town. The manager can still check the secret email account that all the network emails get sent to. The ECMP’s have web based interfaces that allow the manger to even change and modify settings from half way around the world. IN this increasingly globalized world, the scenario of the manager being out of town is increasingly likely. That doesn’t mean that the manager has to loose control of the workplace.

For those with the greatest risks managers can even monitor the keystrokes that are performed on all the computers within the network. Obviously this is only necessary in very extreme cases but it offers the ultimate amount of control available in lieu of standing over the employees shoulder. Managers who use this feature of ECMPs may never even intend to go back and review the data collected on a regular basis. In the case that it is necessary to review these tedious records, the data is at least available. In the meantime though, this features main purpose is to act as a deterrent for anyone considering misusing the system. After all, no manager actually wants to catch their employees in the act of subverting the company. Quite to the contrary they would rather find out that no employee has ever tried to sabotage the company at all. The only way to do this though is to check and make sure that this is the case.

Legal considerations

According to the American Bar Association, the Electronic Communications Privacy Act (ECPA) is the only federal statute that governs workplace invasions of privacy by electronic means. The ECPA prohibits (1) unauthorized and intentional interception of wire, oral and electronic communications during the transmission phase, and (2) unauthorized accessing of electronically stored wire and electronic communications. Electronic communications is email. Section 2701 of the statue prohibits the unauthorized access of an email that is stored in a computer and doing so could get the violator a fine up to $10,000 and/or a sentence up to one year. Section 2511 prohibits the interception of an email while the email is being transmitted and subjects the violator to a fine up to $10,000 and/or a prison sentence up to five years. The ECPA contains two exceptions that pertain to email and those are (1) the system provider exception and (2) the consent exception. The system provider exception grants employer access to electronic communication services if the interception occurs while using a company provided communication service or in protection of the rights or property of the company. These two exemptions can be interpreted as the law does not apply to conduct by an officer, employee, or agent of a provider of electronic communication services if the interception occurs during an activity necessary to the rendition of the service or to the protection of the rights or property of the provider and an employer may intercept electronic communications if the prior consent of one of the parties to the communication has been obtained. This means if an employee is uses equipment belonging to their employer, then presumably employer can intercept any email that they wish because they would be considered an agent of the service provider. The consent exception provides a method of voluntary surveillance in that an employer may intercept electronic communications if prior consent of one of the parties has been previously obtained.

There is not yet a clear judicial ruling on whether or not the employer would be protected on the first exception so the employer should not go by this exemption alone. If the employer has a written policy on employee use of the internet and email, and the employee knows about the policy then that would be implied consent on the employees’ part. The policy can not just suggest that email will be monitored; it must specifically say that it will be monitored to hold up in court.

The written policy should be in effect in advance of a potential problem. The employees should be notified in advance that the firm is actively monitoring going to begin monitoring stored electronic communications or files. According to Lawyers Weekly USA, the key points that the policy should address are: the permissible personal use of the system, a statement of the firm’s intention to monitor email, internet use and other employee use of technology, a statement of the firm’s intention to provide any evidence of possible wrongdoing to law enforcement authorities, disciplinary procedures and sanctions for violations, inclusion of laptops, palm pilots, or other personal technology, a statement prohibiting inappropriate or offensive messages in internal and external communications, a statement that all work performed on the firm’s equipment belongs to the firm and can be used and accessed by the firm, and clear prohibition of accessing, sending, receiving or viewing pornographic materials with the firm’s computer systems. There may be other provisions that the firm may personally want to address and these should also be included in the policy. It is imperative to have the employees sign the policy saying that they have read and understood the policy.

For most employees, just having a policy in effect and having an occasional reminder of the policy will be enough to curb any excessive personal internet surfing. The employers should also be respectful of their employees. If there has been significant overtime, then the employers should expect the employees doing some personal business on company time. This shouldn’t be a threat to the employers as long as it is not excessive. If the employer or manager notices that one employee seems to be using the internet excessively or there are complaints from other employees, it will be easier for the employer to sift through the offending employee’s log of internet and email use. They can use that evidence to reprimand or terminate the employee.

The employee may take the case to court; however in no case has an employer been found to have violated an employee’s right to privacy by reading the employee’s email according to the American Bar Association. Many states have also adopted laws similar to the federal legislation. It is confusing as to what each state considers as an invasion of privacy of an employer when the employee is using the employers equipment. Even in the absence of state legislation, it still appears legal for employers read employees’ emails on the firms’ computers. Employees should understand that emails are sent though many computers and can be intercepted at any time. They should not send any email that they would not mind seeing on the front page of the newspaper or visit any site that mind seeing their name posted next to. Emails are used as evidence in court. Deleted, or what a person thinks is deleted, is often backed up and stored on tape. Back up copies are also stored on the senders or recipients computers. So emails may be asked for in court as discovery although they may be inadmissible when the case comes to trial.