Latest Thinking

New York Mandates Express Employee Consent to Electronic Monitoring

In late 2021, New York Governor Kathy Hochul signed an amendment to New York’s Civil Rights Law that requires employers to provide prior notice to employees regarding the monitoring of electronic devices and systems. The amendment takes effect on May 7, 2022.

Many employers electronically monitor employees to track the transmittal of confidential information, detect inappropriate behavior, or ensure productivity. Historically, federal and state law have allowed monitoring with the express or implied consent of the employee. The New York legislation now requires employers in the state to obtain employees’ express written acknowledgment of electronic monitoring, and employers should take action now to revise their policies and practices accordingly.

In this article, we discuss various laws that employers should keep in mind when assessing their electronic monitoring policies and practices. We also consider the impact of the New York legislation. Finally, we offer practical suggestions to help employers implement clear policies that navigate the relevant legal requirements.

Background

The federal statute directly applicable to electronic monitoring of employees is the Electronic Communications Privacy Act of 1986 (the ECPA). The ECPA amended Title III of the 1968 Omnibus Crime Control and Safe Streets Act, which addressed eavesdropping and wiretapping, and the amendment was intended to cover new electronic communications.

Title I of the ECPA prohibits the interception of oral, wire, and electronic communications while such communications are in transit. Criminal punishment includes fines up to $10,000 or five years in prison, or both. The statute also creates a private right of action, which remedies include damages, punitive damages in appropriate circumstances, litigation costs and attorney fees. Title II of the ECPA prohibits unauthorized access to stored communications. Criminal punishment include fines up to $1,000 or one year in prison, or both. The section also provides for a private right of action with similar remedies to those available under Title I.

The ECPA contains two key exceptions—the consent of a party and the “provider exception.” The ECPA permits interception of a communication or access to a stored communication when one of the parties to the communication has given express or implied consent. Implied consent historically has required little more than establishing that the employee had knowledge of, and therefore consented to, monitoring. The ECPA also permits interception of or access to communications by the person or entity who provides the electronic communications service or system. For example, an employer can monitor and search emails sent on the company’s email system.

Various states have enacted laws addressing electronic monitoring, some of which include a consent exception. For example, the New York Penal Code prohibits eavesdropping, defining the crime as “unlawfully engag[ing] in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.” The terms “wiretapping,” “mechanical overhearing,” and “intercepting or accessing” are defined as acts done without the consent of at least one of the parties to the communication. Delaware and Connecticut both require prior notice to employees of electronic monitoring. Connecticut does not require express consent or acknowledgment by the employee, while Delaware provides employers the option of daily notification of monitoring or a one-time notification that is acknowledged by the employee in writing.

Common law rules also affect whether and how employers may monitor employees. For example, some states recognize a common law right to privacy. Consent of the employee comes into play here as well, because a key element of such a claim is whether the employee had a reasonable expectation of privacy. This is a fact-specific analysis that will depend on the language of the employer’s written policies, the devices or systems in question (for example, whether the device or system is employer-provided), and the nature of the monitoring.

In New York, courts generally consider four factors in evaluating the reasonable expectation of privacy: (1) whether the corporation maintains a policy banning personal use, (2) whether the corporation in fact monitors employees’ computer and email, (3) whether third parties have a right of access to the computer or emails, and (4) whether the corporation notified the employer, or the employee was made aware, of the use and monitoring policies. In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005). Courts place significant emphasis on the first and fourth factors. See Rissetto v. Clinton Essex Warren Washington Bd. of Coop. Educ. Servs., 2018 WL 3579862, at *6-7 (N.D.N.Y. July 25, 2018). In Rissetto, the court found that the employee had no reasonable expectation of privacy where the employer had a written policy that reserved the right to access and monitor computer and internet usage on employer-provided devices, and the employee had signed a copy of the policy. Id. at *4. Similarly, employees in United States v. Nordlicht did not have a reasonable expectation of privacy where the employee handbook expressly reserved the employer’s right to “monitor all activities involving its computers and the computer system.” 2018 WL 705548, at *4 (E.D.N.Y. Feb. 2, 2018).

However, in 2010, the New Jersey Supreme Court ruled in favor of a former employee and found that her common law privacy rights had been violated by her employer’s review of personal emails that she had accessed on her employer-issued computer, due in part to a lack of specificity in the employer policy regarding the nature of the employer’s monitoring system. Stengart v. Loving Care Agency, 201 N.J. 300 (2010). In Stengart, the employer’s monitoring system saved images of the web pages visited by the employee, thus capturing images of personal emails between the employee and her attorney, which the employer later retrieved to use in a litigation against the employee. The employer’s electronic communications policy notified employees that “E-mail and voice mail messages, Internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” The New Jersey Supreme Court agreed with the employee that the policy did not sufficiently disclose the nature of the monitoring system. The employer was required to return the emails, and the court remanded to consider sanctions against the employer’s attorneys for failing to promptly notify the employee’s counsel of the privileged nature of the emails it had found.

Finally, employers outside of the United States should consider similar foreign laws. For example, in the European Union the General Data Protection Regulation (the GDPR) requires employers to establish that they have a lawful basis to collect and monitor electronic data, and to implement a policy notifying employees of electronic monitoring.

Obtaining Employee Consent

Thus, federal and state statutes and common law have historically allowed employers to monitor employees’ electronic communications with the express or implied consent of the employee.

Recent New York legislation now eliminates New York employers’ ability to rely on implied consent. The new legislation, which goes into effect on May 7, 2022, requires New York employers to notify employees of electronic monitoring. New York, therefore, joins Delaware and Connecticut in requiring prior notice to employees of electronic monitoring. The New York legislation goes a step further, requiring employers to ensure that employees acknowledge the notification and consent to monitoring in writing.

The New York law applies to all employers “with a place of business in the state,” but does not define “employee” or clarify whether remote workers who do not live in New York but work for a New York-based employer are covered. The law applies broadly to monitoring of “any electronic device or system,” including “the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems.” The law does not, however, apply “to processes that are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voicemail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.”

Specifically, New York employers must provide written notice to employees upon hiring that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee … may be subject to monitoring at any and all times and by any lawful means,” and obtain written or electronic acknowledgment of the notification from employees. As written, the legislation applies the written acknowledgment requirement only to new hires and not to current employees. Nevertheless, current employees will also be notified, because the legislation requires employers to post a notice in a “conspicuous place which is readily available for viewing.”

The new legislation does not provide for a private right of action, but the New York Attorney General is authorized to enforce the law, which provides for civil penalties from $500 to $3,000 for each offense. The law does not specify how each offense will be determined—i.e., whether the number of offenses would be calculated based on each employee hired who is not notified.

Recommendations

While employers have always been better served by adopting clear written policies that explicitly notify employees if their electronic activity will be monitored, New York employers are now required to do so and to obtain written acknowledgment from employees. New York employers should work now to update employee handbooks or other written policies on electronic monitoring and to put in place a system to receive and maintain records of employees’ written acknowledgement. While the recent legislation does not explicitly address whether it applies to individuals who work remotely outside of the state for New York-based employers, the safest approach is for New York-based employers to extend their new policies and acknowledgment process to all employees working for a New York location. And employers in other states should consider implementing similar practices, as explicit consent may protect the employer in the event of ECPA or similar state or common law claims.

Written policies should clearly indicate what devices and activity will be monitored and how. This specificity is particularly important in instances in which employees work from home and/or conduct work from their personal devices, as well as instances in which employees are allowed some personal use of employer-provided devices. Employers should inform employees as to when and how both employer-provided and personal devices will be monitored, including access to personal email from employer-provided devices, so that employees cannot later argue that they had an expectation of privacy. Finally, employers should be specific with respect to potential penalties for violations of the policies.

Thus, the recent New York legislation serves as an opportunity for employers to reassess their practices and policies, carefully consider the scope of electronic monitoring of employees, revise written policies accordingly, and establish a mechanism to record employees’ written or electronic acknowledgment.

Reprinted with permission from the February 1, 2022 edition of the NEW YORK LAW JOURNAL © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. ALMReprints.com – 877-257-3382 - reprints@alm.com

Legalese