Keyloggers Beware--Companies Risk Being Sued By Employees

A U.S. District Court in Indiana has ruled that a company's use of keylogger software to access an employee's personal e-mail account may have violated the Stored Communications Act (“SCA”).  

Keylogging or keystroke logging is the tracking of the keys struck on a keyboard, typically in a covert manner.  

In Rene v. G.F. Fishers, Inc., the company utilized keylogger software and was sued by one of its employees for violations of the SCA, the Indiana Wiretap Act (“IWA”), and the Federal Wiretap Act.  The company generally prohibited personal use of its computers; however, it permitted the employee to access her personal checking account and personal e-mail account from the company computer.  The employee was later notified that the company had installed keylogger software on the computer.  Utilizing the keylogger software, the company accessed the employee’s personal e-mail account and personal checking account (acquiring the passwords utilizing the keylogger software), and reviewed and discussed the messages and contents.

The employee was fired for “poor performance” after complaining about the access. She sued her former employer, alleging the company violated the SCA, IWA, and the Federal Wiretap Act.  While the court did not address certain factual issues under the SCA (e.g., whether the company accessed the employee’s e-mail messages before the employee opened them), it held that, by alleging that the employer accessed her e-mail messages, the employee had satisfied the burden of asserting a violation of the SCA.  The court also denied the company’s motion to dismiss the former employee’s IWA claim, but it did dismiss the Federal Wiretap Act claim.

As we have previously discussed, jurisdictions are at odds over the use of keylogger software in the employment context.  Employers should carefully consider their use of keylogger or monitoring technology and consult counsel as to best practices for the jurisdiction in which they are located.

Business Owner Enjoined from Accessing Co-Owner's Email

A Minnesota Court of Appeals panel has affirmed the issuance of a temporary injunction against a co-owner of an LLC blocking him from accessing emails of his partner from the company's server in the midst of their business dispute.  The unpublished decision, Gates v. Wheeler A09-2355 (Minn. App. November 23, 2010), raises some interesting issues regarding email privacy under unsettled Minnesota law.

The parties were co-owners of a limited liability company called Residential Science Resources. After a falling out, Gates sued Wheeler under a Minnesota law which allows the court to grant equitable relief in the case of a management deadlock. Wheeler was the designated administrator for the company's server. Without informing Gates, Wheeler hired an outside information technology contractor to obtain access to Gates' personal and business emails. The information included correspondence between Gates and his wife, financial and password information, discussions with his accountant, and communications with his lawyer regarding the pending lawsuit. After learning of the interception at a deposition, Gates sought an injunction halting Wheeler's access. The district court granted the injunction, concluding that Gates had established a "probability of success on the merits for claims of invasion of privacy, violation of the Minnesota Privacy of Communications Act, violation of the Federal Wire and Electronic Communications and Transactional Records Access Act, conversion, and unjust enrichment." Gates had not asserted these claims prior to his request for an injunction, but did so later by amending his complaint. In response to Gates's challenge, the Appellate Court held that the court's authority to issue an injunction is not limited to matters raised in the underlying complaint, relying in part on the court's broad equitable powers in business disputes.

The Court also affirmed the district court's analysis that the privacy claims had a probability of success on the merits, noting however that there were no published Minnesota cases applying common law invasion of privacy claims to interception of email. Although noting that Gates and Wheeler were partners and not employer and employee, it also cited the analysis in In re Asia Global Crossing Ltd, a Bankruptcy Court decision from the Southern District of New York regarding employee expectations of privacy in workplace email. The court also stated that

the division of Gates' account into personal and private business files indicates that Gates expected the personal file would be private.

This suggests that individuals with company email accounts should take similar steps to differentiate personal information. Surprisingly, the court did not delve into the issues of privilege regarding Gates' communications with his attorney.

The decision reflects increasing tensions over the privacy of information contained on employer email servers and may encourage more litigation in Minnesota under state and federal privacy laws involving emails.  

Keylogging--Jurisdictions at Odds Over Privacy Concerns

Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so the keyboard user is unaware his activities are being monitored.

Several cases throughout the country have examined an employer’s use of keylogging.  Recently, the Criminal Court of the City of New York held in New York v. Klapper that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law.

In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:

[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. 

The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.

In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account and, using the logged password, accessing his personal e-mail.  However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as required by the ECPA.  Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”

Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.