Yes, they can.
And they do.
Two out of three U.S. employers monitor their employees with reasons ranging from wanting to decrease theft to increasing productivity. Most employers require employees to sign computer and network usage policies that state that an employee’s computer, email, and internet usage has to be used for business purposes only. Many policies also state that all Internet data that is composed, transmitted and/or received by the employer’s computer systems is considered to be property of that employer. Policies of this sort also usually grant the employer the right to monitor email and computer usage.
Courts routinely side with employers in work “digital privacy” cases, finding that employees do not have a reasonable expectation of privacy with email at work. Courts consider the use of company-owned equipment for sending emails as proprietary to the employer. This is also true of any personal emails composed and sent from a personal email account accessed via company provided equipment.
Workplace Email Mishaps
Here are some examples of personal emails at work ‘gone wild’:
- A public relations specialist for the Federal Communications Commission (FCC) received an off-color email at work. She wanted to pass it along to a few friends, but accidentally emailed the joke about ‘Nuns in Heaven’ to 6,000 of the FCC’s Daily Digest subscribers – including journalists and government officials. The FCC who ‘regulates interstate and international communications by radio, television, wire, satellite and cable in all 50 states, the District of Columbia and U.S. territories’ issued another email offering ‘profuse apologies’ saying the joke was highly offensive and ensuring disciplinary action would be taken. The sender of the joke, also sent an apology.
- Chevron Corporation paid $2.2 million to settle sexual harassment charges that were brought forth by four female employees who claimed they were targets of sexual advances, offensive jokes, E-mail messages and comments about their clothes and body parts, and, in one case, a sadistic pornographic image sent through the company e-mail from their colleagues at Chevron's Information Technology Co.
After the women complained, the company began monitoring their phone calls and e-mail, installed a surveillance camera outside the office of one woman, and allegedly labeled the women as troublemakers and threatened the jobs of others who associated with them.
Electronic Protections for Email
Email privacy came from the Fourth Amendment to the U.S. Constitution - the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be supported by probable cause.
The Electronic Communications Privacy Act (ECPA) – a federal statute that prohibits a third party from intercepting or revealing communications without authorization, oversees emails – as does the Patriot Act – which is an Act of Congress that was passed shortly after the September 11, 2001, terrorist attack that gives enforcement agencies extensive authority to use surveillance and other tools to prevent future attacks and bring believed terrorists to justice.
The ECPA was originally set up to safeguard email, yet those safeguards have been broken-down in some ways by the Patriot Act. Some safeguards still exist under the ECPA, but since emails lose their status as a protected communication after 180 days, it is no longer necessary to obtain a warrant to gain access to emails - a subpoena is all an employer will need.
Emails leave a virtual thumbprint behind. They are stored at multiple locations: on the sender’s computer, the senders Internet Service Provider’s (ISP) server, the recipient’s ISP server, and on the recipient’s computer.
Because emails are digital and usually don’t require a lot of room, they can be stored for long periods of time. Unless an employee uses an encryption service, there is not a good way of making sure that emails read or composed at work are private – and the use or installation of third-party applications on employer-owned equipment may violate company policy.
A good rule of thumb is to treat email as if the whole world will be reading it, because that just might be the case.