Editor’s note: This is an edited excerpt from an article written by Catherine Pastrikos Kelly that appeared in the July 2022 edition of New Jersey Labor and Employment Law Quarterly. Go here to read the full article and the full edition (login required).In 1986, Congress passed the Stored Communications Act (SCA), which aims to prevent people from accessing private electronic communications. At that time, there was no internet—let alone email or social media, as we know them. As a result, courts have had to adapt the language of the SCA to technology’s rapid evolution.
In addition to the SCA, most states have some form of privacy laws, which protects against the intrusion upon the solitude or seclusion of a person or their private affairs, which has been interpreted to include email and social media.
Courts have ruled that an employer can be held liable under the SCA and state invasion of privacy laws if an employer accesses an employee’s personal email account—even if the employee accessed their account on a company-issued device and the employee saved the username and password on the device.
For example, in Markert v. Becker Technical Staffing, Inc., the United States District Court for the Eastern District of Pennsylvania suggested that a violation of privacy under Pennsylvania law occurred when an employer accessed an employee’s private email messages without the employee’s permission after the employee accessed his personal email on the company computer and failed to logout.
In that case, the employee logged into his personal Gmail account on his work computer and did not log out, causing his personal email inbox to appear on the screen of his work computer. Included in this inbox was an email that discussed what the employer believed was an attempt to divert business away from the employer.
When the employer saw the email, he searched through the rest of the employee’s personal emails. The next day, the employer fired the employee. The court determined that a plaintiff has a claim for invasion of privacy against a person who invaded their privacy by reviewing their personal emails and disseminating the information.
Similarly, the United States District Court for the Northern District of Ohio in Lazzette v. Kulmatvcki determined that an employer was liable for reading a former employee’s emails on a company-issued device. In that case, the employer issued a mobile phone to the employee and gave the employee permission to use it to access her personal email account.
When the employee left the company, she returned the phone believing that she had erased her personal account from the device. Despite her efforts, however her personal email account was still on the phone. Thereafter, the employee’s former supervisor spent the next year and a half parsing through nearly 50,000 personal emails regarding the employee’s family, financial, career and other personal matters.
When the employee discovered what happened, she filed an action against her former supervisor and employer under the Ohio privacy laws and SCA for reading her emails without permission. The court reasoned that the former supervisor and employer did not have permission to read the employee’s messages despite being left on a company-issued device.
Additionally, the Court ruled that the employee’s failure to delete the emails from the device did not provide the supervisor or employer with authorization. On the Ohio privacy claims, the Court noted that a reasonable jury may deem it highly offensive for an employer and supervisor to read a former employee’s private and sensitive emails.
The key inquiry for the court in employer invasion of privacy cases hinges on balancing the employee’s privacy with the employer’s legitimate interest in preventing misuse of its network. In Mintz v. Mark Bartelstein and Associates Inc., the United States District Court for the Central District of California found an employer invaded an employee’s privacy when the employer accessed the employee’s personal email account by retrieving a temporary password to obtain a copy of the employee’s contract with a new employer.
The court held that the employee had a reasonable expectation of privacy in his personal, financial, and employment information and in his web-based, password protected personal email account that he used for personal matters. Moreover, the court found that the employer had no competing interest to justify the invasion of privacy.
Conversely, employees have a lesser expectation of privacy when they communicate using a company email system. In Smyth v. Pillsbury Co., the United States District Court for the Eastern District of Pennsylvania concluded that an employee did not have a reasonable expectation of privacy in emails he voluntarily sent to his supervisor over the company email system, notwithstanding assurances from the employer that such communications would not be intercepted by management.