Section Review

Closing the Door on Expectation of Privacy in Workplace E-mail

A recent decision by Judge Rya Zobel of the U.S. District Court for the District of Massachusetts has provided new assurances for employers as they struggle to protect their interests in enforcing workplace anti-harassment policies and maintaining workplace security by reviewing e-mail stored on company computer systems. In Garrity v. John Hancock Mutual Life Ins. Co., 2002 WL 974676 (D. Mass. 2002), Judge Zobel declared that Massachusetts employees have no reasonable expectation of privacy in e-mail sent from or received at work, particularly where their employer provides notice that it may access e-mail stored on, or transmitted from, its computer systems.

The plaintiffs in the case, Nancy Garrity and Joanne Clark, received sexually explicit e-mails on their office computers and forwarded these e-mails to fellow employees. One fellow employee complained after receiving such an e-mail and John Hancock launched an investigation. John Hancock reviewed correspondence contained in the plaintiffs’ e-mail folders, as well as the folders of those employees with whom they regularly corresponded via e-mail.

John Hancock terminated Garrity and Clark for violating its e-mail policy, which prohibited the transmission of obscene or sexually oriented e-mail and which also stated that “all information stored, transmitted, received, or contained in the company’s e-mail systems is the property of John Hancock.” The plaintiffs sued John Hancock for, among other things, invasion of privacy and a violation of the Massachusetts Wiretap Statute, M.G.L. c. 272, § 99.

Invasion of privacy

The court framed the relevant inquiry in the case as whether the plaintiff’s asserted expectation of privacy in the e-mail was reasonable. Garrity and Clark conceded that they knew that Hancock was able to look at e-mail on the company’s intranet system, and that they “had to be careful about sending e-mails.” They nevertheless asserted that they had an expectation of privacy because they used private passwords to access the e-mail system and personal e-mail folders to store their saved e-mail messages. They also acknowledged that they were generally aware of John Hancock’s e-mail policy but argued that the company policy was hard to locate on the company’s intranet system and virtually impossible to understand. The court rejected the plaintiff’s arguments. Judge Zobel noted that John Hancock periodically reminded its employees that each employee was responsible both for knowing and understanding the company’s e-mail policy. Judge Zobel also held that the plaintiffs’ assertions that they had a reasonable expectation of privacy was undercut by their own admission that they realized that their e-mail messages would likely be forwarded to third parties.

Noting the “dearth of case law on privacy issues with regard to office e-mail,” the court looked to other jurisdictions for guidance. The court specifically relied on Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D.Pa. 1996) in rejecting the plaintiff’s contentions. The Smyth court held that even in the absence of a company e-mail policy, any expectation of privacy is lost when an employee uses the company e-mail system to transmit an unprofessional comment, since the entire company uses the system. The Smyth court specifically held that “once plaintiff communicated the alleged unprofessional comments to a second person (his supervisor) over an e-mail system which was apparently utilized by the plaintiff’s entire company, any reasonable expectation of privacy was lost.” Smyth at 101.

The Court also relied upon the reasoning of a Texas state court case — McLaren v. Microsoft Corp., 1999 WL 339015 (Tex. App. Dallas 1999) — in rejecting the plaintiffs’ argument that the nature of private e-mail folders utilized by the plaintiffs gave rise to a reasonable expectation of privacy. The McLaren court ruled that, even though e-mail messages were filed in plaintiff’s personal e-mail folders, there was no reasonable expectation of privacy since the messages were “first transmitted over the network and were at some point accessible by a third party.” McLaren at *4.

Relying on Smyth and McLaren, the court held that the “plaintiffs’ rationales for their expectation of privacy are not, as a matter of law, sufficient to defeat summary judgment.”

Legitimate business interest trumps privacy interest

Judge Zobel did not end the inquiry at whether the plaintiffs’ had a reasonable expectation of privacy in workplace e-mails. Providing employers with greater confidence in their ability to conduct legitimate workplace investigations without fear of liability for violations of privacy rights, Judge Zobel held that, even if the plaintiffs had a legitimate privacy interest, John Hancock’s legitimate business interest in protecting and preventing workplace harassment “would likely trump that privacy interest.” The court pointed out that both Title VII of the 1964 Civil Rights Act and its Massachusetts counterpart, M.G.L. c. 151B, require an employer to affirmatively investigate and take remedial action following any complaints of workplace harassment. The court was obviously mindful of an employer’s potential liability for failing promptly to conduct an investigation into allegations of workplace sexual harassment, citing the Supreme Court cases Faragher v. City of Boca Raton, 524 U.S. 775 (1998) and Burlington Indus., Inc. v. Ellerth, 524 U.S. 742 (1998). The court also cited as support for its ruling the case Autoli ASP, Inc. v. Department of Workplace Serv., 29 P.2d 7 (Utah 2001), in which the Utah Supreme Court held that employers may be subject to sexual harassment and sex discrimination lawsuits based upon the transmission of sexually explicit or offensive e-mails. Judge Zobel specifically held that “[O]nce defendant received a complaint about the plaintiffs’ sexually explicit e-mails, it was required by law to commence an investigation.” Garrity at *2.

Massachusetts wiretap statute

The Garrity decision squares with other federal decisions holding that John Hancock’s retrieval of the plaintiffs’ e-mail did not constitute an “interception” and thus did not violate the Massachusetts Wiretap Statute, M.G.L. c. 272 § 99. Although no Massachusetts case is directly on point, the Garrity court relied upon Eagle v. Investment Serv. Corp. v. Tamm, 146 F.Supp.2d 105 (D. Mass. 2001), which held that in order to violate the federal Electronic Communications Privacy Act of 1986, the e-mail must have been acquired during transmission. Id. at 111-113; See also Thompson & Thompson, 2002 WL 1072342 (D.N.H. May 30, 2002)(same). Keeping in line with the Eagle decision, Judge Zobel interpreted the Massachusetts Wiretap Statute as requiring “interception” to occur during transmission of the e-mail ruling that “the act of ‘interception’ cannot proceed after the e-mail is received.” Garrity at *3. The court found that the plaintiffs’ wiretap claim also failed as a matter of law.

Security for employers

Neither federal nor state appellate courts have explicitly held that an employee can never have a reasonable expectation of privacy in e-mail stored on or sent from company Internet or intranet systems. In fact, in one of the few Massachusetts cases concerning this issue — a Massachusetts Superior Court case, Restuccia v. Burk Technology, Inc., 1996 WL 1329386 (Mass. Super. Aug. 13, 1996) — the court (Lopez, J.) denied summary judgment to an employer who had been sued by a former employee for invasion of privacy. In that case, the employer accessed employee e-mail from a back-up system and terminated the plaintiff for excessive use of the e-mail system for personal purposes. In Restuccia, however, the employer had no policy against using e-mail for personal purposes. The employer in Restuccia, moreover, did not inform its employees that it could retrieve employee e-mail stored on its computer system.

What emerges from Garrity and the scant other authority on the issue is that the circumstances in which an employee may still successfully argue that he or she had a reasonable expectation of privacy in workplace e-mail are limited, if not non-existent. Clearly, an employer that promulgates an e-mail policy restricting the sending of offensive or excessive personal e-mail and that routinely reminds employees that the employer may access e-mails sent and received by employees will not be held liable for invasion of privacy or wiretapping when that employer gains access to employee e-mail on its computer system — and will likely be able to defeat such claims at, or even prior to, summary judgment. Where a compelling interest in retrieving employee e-mail exists, such as maintaining workplace security or investigating allegations of sexual harassment, moreover, that employer interest would most certainly trump any employee right to privacy in such e-mail.

©2017 Massachusetts Bar Association