Reading Employee Email: Do Workers Have an Expectation of Privacy?
Today's issue of the Wall Street Journal (page A17) has an interesting article on a topic I track quite frequently here—reading employee email. In "Some Courts Raise Bar on Reading Employee Email," reporter Dionne Searcey (with contributions by Sarah Needleman) writes about recent court cases that may show a trend toward rulings in favor of employees who "feel their employer has violated their privacy electronically."
Some of Proofpoint's own 2009 statistics on outbound email monitoring are included in the article. These are from our annual Outbound Email and Data Loss Prevention in Today's Enterprise report, the latest version of which you can always download from http://www.proofpoint.com/outbound.
As the article notes, courts in the US generally treat corporate computers and anything on them as company property. It's also fairly well accepted that it's OK for a company to monitor data transmissions through the company's own network. In fact, many organizations (for example, those that are subject to data privacy regulations such as HIPAA or GLBA, or those that handle customer credit data) are fairly well obliged to perform such monitoring to ensure the protection of private data.
However, as in all things legal, complications can arise. The WSJ article describes several cases where employers were apparently monitoring more than just an employee's corporate email, but their "personal" electronic communications as well.
As a result, "courts are increasingly taking into account whether employers have explicitly described how email is monitored to their employees."
I'm not going to rehash the entire story here, but based on this information, I would make a couple of policy suggestions to companies that use either manual or electronic monitoring of email and other electronic communications. (And I'm probably sounding like a broken record at this point, but I should note once again that Proofpoint advocates electronic, policy-based monitoring of outbound email for sensitive/private data rather than manual processes [e.g., having staff that regularly reads the contents of other employees' outbound email].):
1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
2. As part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
The full article at WSJ.com is well worth a read. And, of course, if you're interested in this topic and have not read Proofpoint's 2009 survey report, well, you're missing out. Download your copy here.



