Generally speaking, the monitoring of employees’ emails on an employer’s own server is legal in Florida. Here’s why.
No Florida statute expressly prohibits a company from monitoring emails on its own email server. Florida’s Security of Communications Act, section 934.01 et seq., Fla. Stat., provides in part that it is illegal to (a) intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication. §934.03(1)(a). But based on my research, no court has ever held that a company’s monitoring of employee emails constitutes an “interception” of that email in violation of the statute.
If a employee were to challenge a practice of email monitoring, he might do so under a civil tort theory of invasion of privacy. Florida law recognizes the tort of invasion of privacy. See Allstate Ins. Co. v. Ginsberg, 863 So.2d 156, 158 (Fla. 2003). One category of this tort involves intrusion, physically or electronically, into one’s private quarters. Id. (citing Agency for Health Care Admin. v. Assoc. Indus. of Florida, Inc., 678 So.2d 1239, 1252 (Fla.1996), cert. denied, 520 U.S. 1115, 117 S.Ct. 1245, 137 L.Ed.2d 327 (1997)).
But most courts have found that employees do not have a legitimate expectation of privacy in emails stored on their employer’s email system. See Bingham v. Baycare Health System, 2016 WL 3917513, at *3 (M.D. Fla. 2016) (citing numerous cases throughout the country and concluding that “[t]he majority of these cases have concluded that an employee has no reasonable expectation of privacy in computer files, e-mails, or electronic data maintained at his or her workplace.”).
Having said that, the existence of a policy that informs all users of the company’s email system that their emails may be subject to monitoring increases the likelihood that a court would find no expectation of privacy. See, e.g. Leor Exploration & Production LLC v. Aguiar, 2009 WL 3097207, at *5 (S.D.Fla.,2009) (finding no reasonable expectation of privacy in emails transmitted through company server, where employee handbook states that company owns all electronic communications and that individuals using the company email system have no expectation of privacy) (citing In Re Asia Global Crossing, Ltd., 322 B.R. 247, 259 (S.D.N.Y.2005) (noting that “sending a message over [an] e-mail system was like placing a copy of that message in the company files. Short of encryption, … [e]mails could be reviewed and read by anyone with lawful access to the system.”). ‘
Therefore, it is a good practice to inform users of the system that their emails may be monitored.
What about federal law? Can an executive be charged with violating federal law by monitoring employee emails if that is part of his job? And what if he does so for an improper purpose — to target a particular employee he has a grudge against, for example?
The federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §2701 et seq. provides in pertinent part that “whoever … knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … shall be punished….” United States v. Nosal, 828 F.3d 865, 873 (9th Cir. 2016) (citing 18 U.S.C. § 1030(a)(4)). The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. (citing 18 U.S.C. § 1030(e)(6). The statute does not define “without authorization.” Id.
Where an employee has permission to access an employer’s computer systems, he cannot be prosecuted under the “without authorization” provision of the CFAA. As noted by the Ninth Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), a person uses a computer “without authorization” under the CFAA only “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Id. at 1135. The Department of Justice’s 2015 manual on “Prosecuting Computer Crimes” notes that “[p]rosecutors rarely argue that a defendant accessed a computer ‘without authorization’ when the defendant had some authority to access that computer.”
The DOJ manual goes on to note that “to prove that someone has ‘exceeded authorized access,’ prosecutors should be prepared to present evidence showing (a) how the person’s authority to obtain or alter information on the computer was limited, rather than absolute, and (b) how the person exceeded those limitations in obtaining or altering information.” Where there are no specific guidelines limiting the individual’s access to the computerized information, there is no basis for charging him with a CFAA violation for “exceeding authorized access.”
Indeed, the DOJ manual notes that in numerous civil cases under the CFAA, courts “have rejected the idea that users can exceed authorized access within the meaning of section 1030(e)(6) when they access information that they are authorized to access, even if their access is motivated by an implicitly improper purpose.” (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 n.7 (9th Cir. 2009) (stating in dicta that defendant does not “exceed authorized access” under the CFAA when he breaches a duty of loyalty to authorizing party); Bell Aerospace Services, Inc. v. 12 Prosecuting Computer Crimes U.S. Aero Services, Inc., 690 F. Supp. 2d 1267 (M.D. Ala. 2010); Orbit One Communications, Inc. v. Numerex Corp., 652 F. Supp. 2d 373 (S.D.N.Y. 2010); National City Bank v. Republic Mortgage Home Loans, 2010 WL 959925 (W.D. Wash. 2010); RedMedPar, Inc. v. Allparts Medical, LLC, 683 F. Supp. 2d 605 (M.D. Tenn. 2010); U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009) (collecting cases); Jet One Group, Inc. v. Halcyon Jet Holdings,Inc., 2009 WL 2524864, at *5-6 (E.D.N.Y. 2009); Brett Senior & Assocs, P.C.v. Fitzgerald, 2007 WL 2043377, at *4 (E.D. Pa. 2007).
A recent case, Tank Connection, LLC v. Haight, 161 F.Supp.3d 957 (D. Kan. 2016), illustrates this principle of law. Haight, an employee of Tank Connection, LLC, a few days before his resignation accessed the personal folder of the company’s president that had inadvertently been made available to other employees on the network; the president’s folder was located in a directory that was labeled as public or shared and was accessible by other employees for at least five months. The employer never conveyed to the employee or others that they were restricted from accessing any information in shared folders generally or from the president’s folder in particular. The court held that “[w]hen an employee has been granted general authority to access a particular area of a computer or server, as was Haight, the fact that his employer had an unexpressed desire or intent to limit his access to a portion of that area does not establish unauthorized access within the meaning of § 1030.” Id. at 969.
Another federal statute, the Stored Communications Act (“SCA), 18 U.S.C. §2701 et seq., is potentially applicable — but only if the employee accessed the emails at issue by accessing a third-party Internet service provider. See K.F. Jacobsen & Co., Inc. v. Gaylor, 947 F.Supp.2d 1120, 1125 (D. Or. 2013) (noting that “because the SCA governs only the privacy of stored Internet communications, it serves to protect only information held by the third-party providers that facilitate those communications, not information stored by the customers of those providers that either initiate or receive the communications.”). The reason for this is that the owner of equipment through which third parties can engage in electronic communication is not a provider of “electronic communication services”, but rather a user of such services. Id. (citing Noel v. Hall, Civ. No. 99–649–AC, 2012 WL 3241858, at *8 (D. Or. April 27, 2012)).
The bottom line is that a manager who is given access to employee emails is probably not in violation of any federal law by monitoring those emails, even if he does so for an improper purpose. Employees, beware.