Employee privacy and wiretapping in the workplace

Many SMBs (small to medium-sized businesses) are unaware of the Federal Electronic Communications Privacy Act (“ECPA”). ECPA deals with the interception and interception of electronic communications: telephone calls, voicemail, email, instant messaging chats and other online interactions fall within ECPA’s sights. Violations of ECPA are punishable by fines or imprisonment of up to five years; Any person harmed by an ECPA violation is entitled to seek appropriate legal protection, covering up to $10,000 in damages and attorneys’ fees. With many SMBs monitoring and intercepting their employees’ electronic communications, understanding the ECPA business use exceptions can reduce the risk of legal exposure from ECPA claims filed by employees.

ECPA extends federal protections to employee communications in the workplace, but those protections are limited. Presumably employers want to monitor electronic communications to ensure quality control and protect intellectual property, investigate cases of wrongdoing and so on, and ECPA provides “business use exceptions” to allow the employer to do these things.

A few rules regarding interception of transmissions and surveillance of employees in the workplace:

consent of a party. Interception and monitoring are allowed if either the sender or the recipient agrees before it happens.

Decent course. ECPA business use exceptions require that the interception or interception be conducted in the ordinary course of business of the employer and that the item is in the legitimate interest of the employer. Employers should be aware that if a conversation becomes personal, the employer may lose their exemption as they no longer have the right to monitor such conversations.

BACA JUGA:  Increase your business prospects with iOS app development

Device Restriction. Employers can only monitor and tap into equipment that they own and that is being used in the regular course of the employer’s business.

E-mail. Employers have the right to monitor and access employee email communications stored on their assets (client workstations and servers). This is difficult because employers are not authorized to monitor or access emails hosted by third parties (such as AOL or MSN), even if such communications could traverse the company’s network.

Proposals for SMEs to remain ECPA compliant revolve around creating good administrative controls (policies) to manage employee expectations. Example:

1. Employees should be offered some form of notification required either through a statement, a written policy signed at the time of hiring, or a record on the phone system.

2. Employers should provide a policy to prohibit the personal use of communications devices (telephones, cell phones, computers, personal email systems and instant messaging) that would establish acceptable usage practices to limit employee use to business communications only restrict.

3. An acceptable use policy that prohibits the use of personal communications and storage devices — MP3 players, digital cameras or recorders, cell phones, USB flash drives — to conduct Company business.

4. A privacy policy should be established to identify personally identifiable information (PPI) collected from employees, defining how that PPI is used and maintained.

ECPA compliance in SMBs is now more important than ever: employee personal devices, software and protected communications constantly interact with company resources, wirelessly and effortlessly. The intermingling of protected communications and devices can both put an organization’s assets at risk and limit what legal forms of corrective action can be taken to protect them.

BACA JUGA:  The next generation of BI tools - cloud BI solutions

ECPA compliance is generally policy-driven: as long as the employer puts good administrative policies in place that define expectations upfront, and understands what is and is not allowed under the ECPA business use exceptions, compliance is fairly easy . It starts with management’s intention to create a good acceptable use policy.