The right to monitor the performance of an employee by monitoring computer use is recognized by most courts when the employer is a private, as opposed to a governmental, employer. Indeed, in some instances the right to monitor becomes a duty to monitor. Thus, an employer who receives a complaint of sexual harassment and fails to investigate may be liable for the harassing employee’s actions.
Monitoring has become more difficult, however, as banks, medical providers and other entities encrypt their sites, shielding even the fact that an employee has accessed a certain site from his or her employer. As more web browsers turn to encrypting data as a means of securing the information, the benefit to monitoring employees’ computer use is reduced.
Some employers, therefore, are turning to software that enables employers to record all employee activity on company computers or use of the company’s Internet, prior to encryption. Such technology should allow employers to continue to enforce their policies and remove any reasonable expectation of privacy by employees. Taking this approach, however, may subject the employer to unexpected liability.
To date, the software that can record an employee’s activity in an unencrypted fashion cannot screen out information that employers are not allowed to record. Thus, if an employee checks their bank balance or a medical report or fills out a confidential employee survey on the company’s Internet, the software will record their user ID and password, as well as the banking, medical and employee information.
Several statutes, both federal and state, prohibit an employer from collecting certain data on its employees. Thus, the mere acquisition of the data – even if unintentional—subjects the employer to liability. For example, under the Genetic Information Nondiscrimination Act (GINA), it is unlawful for employers to request, require or purchase genetic information. The Equal Employment Opportunity Commission’s (EEOC) regulations define “requesting” genetic information to include not only deliberate attempts to acquire such information, but also actions that are “likely to result” in the acquisition of genetic information. A “request” includes conducting an Internet search of an individual or requesting information in such a way that an individual’s current health status may be divulged to the employer. Software that collects this information from an employee’s use of the company computer violates this act, even if the employer never sees or uses the information.
Further, if the employer receives information contained in the Facebook accounts of employees, it may be deemed to have violated NRS 613.135, which prohibits employers from directly or indirectly requiring, requesting, suggesting or causing employees to disclose user names, passwords or other information that provides access to social media accounts.
Finally, to the extent such software causes the employer to learn new information about the protected classifications to which an employee belongs (e.g., sexual orientation, gender identity or expression, union activity, military service, etc.), and that employee is later terminated or subjected to another adverse employment action, the employer could be in the position of defending against claims that the employer intentionally discriminated against the employee based on this newly discovered information.
To a certain extent, this potential liability can be mitigated by having a third party collect and store the unencrypted data and providing the employer with only that information it is allowed to collect. The use of an independent third party should be coupled with frequent and direct notice to employees of the employer’s monitoring rights. In addition, employers should consider obtaining the employee’s written acknowledgment of the employer’s right to monitor. This acknowledgment should also include the employee’s understanding that use of the company’s Internet will be deemed consent to having the employee’s electronic communications intercepted by the employer for purposes of such monitoring. This acknowledgment and consent should be obtained not only when the employee begins their employment, but periodically throughout the year and every year that the employee works for the employer.
Ann Morgan is the managing partner of the Reno office of the law firm Fennemore Craig Jones Vargas.