The Stored Communications Act (SCA) is a federal law that protects the privacy of wire and electronic communications and transactional records stored by third-party internet service providers (ISPs). It was enacted in 1986 as part of the Electronic Communications Privacy Act. The SCA regulates how the government can access stored account information and content from entities such as ISPs, email providers, and social media platforms. It also limits the ability of criminal defendants to subpoena such information for their defense

Posts

As a general principle, employers are legally permitted to monitor their employees online during business hours. Keeping a close eye on workers can help maintain company confidentiality, limit workers from surfing the web on company time, and ensure the prevention of harassment.

But such monitoring does come with caveats, as well as risks.

For example, screening employee email on the employer’s network may be permissible but may require advance notice. In states such as Connecticut and Delaware, laws are in place that require employers to provide prior notice before electronically monitoring employees. A union contract may also place certain limits on monitoring and public-sector employees may have some rights under the Fourth Amendment with regard to unreasonable search and seizure.

Federal law can also come into play. Although the Electronic Communications Privacy Act (ECPA) generally prohibits the monitoring of electronic communications, it contains a “business purpose exception” that permits employers to monitor the electronic communications of workers if the company has a “legitimate business purpose.” The statute also allows monitoring with consent and many companies do this by including such permission as part of the onboarding process for new employees before granting access to the company’s networks or systems.

Another wrinkle: third-party communications. States such as California and Illinois mandate that all parties to a communication provide consent to its interception in transit. For employers, that means providing notice to recipients of employee emails and obtaining their consent before scanning a message from a friend or third party. Many companies post a notice on the company’s website and/or include a statement in employee emails that all messages are subject to monitoring and any response implies consent with the employer’s practices.

Even with all these issues, monitoring emails may be more straightforward than focusing on employee social media accounts. The Stored Communications Act (SCA) addresses the situation of accessing electronic communications stored by a provider (such as Gmail or Microsoft), as distinct from an employer accessing emails on its own system. Under the SCA, employers can be liable for the unauthorized access and disclosure of electronic communications in storage on corporate servers of a provider.

Further, roughly half the states ban employers from either requiring or requesting a worker to verify a personal online account like a Facebook profile, blog or Instagram or to log on to their social media account. While technology is available for employers to get around these laws (using keystroke logging software, for example, or taking screenshots), some of the information being monitored by an employer could itself be protected – such as union organizing activities under the National Labor Relations Act, attorney-client communications or in some states, geolocation data.

Mobile devices add another layer to the analysis. For workers using employer-provided mobile phones or devices, the employer has the right to legally monitor use from contact lists to photos and videos to Internet visits and emails. As for bring-your-own-device (BYOD) situations, the terms are generally dictated by the employer’s BYOD policy, but this is an emerging area of law and therefore murky.

All of these legal considerations are centered in the United States. Companies that operate outside the U.S. borders will have international law to contend with as well, notably the European Union General Data Protection Regulation (GDPR) and regulations found in its member states. As a general matter, EU law and the GDPR offer employees a greater level of privacy than that found in the United States. Last year, the EU’s highest court did rule that companies can monitor employee email – if workers are notified in advance.

Perhaps most importantly, employers should recognize that like all things related to technology, the legalities of monitoring employees online are constantly evolving. Being able to adapt to changing laws, regulation and technology will keep employers on their toes.