An Overview of E-Mail and Internet Monitoring in the Workplace

By
Morgan J. Bassett
Ford Marrin Esposito Witmeyer & Gleser, L.L.P., New York, N.Y.

Approximately 40 million Americans have Internet and/or e-mail access at work.(1) This figure represents nearly 1/3 of the entire United States workforce and is continuing to grow as more businesses, both big and small, add online capability to their offices. The number of workers online is a clear indication of the utility of electronic communications such as e-mail and Internet access for business purposes. Cheap and instantaneous, electronic communication can improve employee efficiency and productivity and provide convenient ways to not only communicate with clients and co-workers, but also to gather and disseminate information over much broader populations. Given the obvious advantages of electronic communication it is no wonder that so many employers make those resources available to their employees.

However, as might be expected, providing these resources to employees is not without its risks. Employees, who now find themselves with the ability to carry on an extended back-and-forth personal conversation throughout the course of the day, or pass along jokes via e-mail, or check the scores from the previous night's games, or buy and sell stocks, or find out when and where movies are playing, or any number of other distractions, may face temptation to misuse their employer-provided online access. While wasted time is clearly an important and legitimate concern, employers may face even greater risks than distracted employees. For example, employers may face potential liability for harassing or offensive communications made by their employees using the e-mail or Internet access provided by the employer. A recent survey found that almost 10% of U.S. companies have received subpoenas for employee e-mail.(2) The ease with which sensitive documents can be attached to e-mail communications (both intentionally and accidentally) and sent with the press of a button creates potential for loss of trade secrets or other proprietary information. Incoming messages and downloads from the Internet raise the possibility of importing computer viruses or violating copyright laws when employees open e-mail attachments or download software from the Internet.

The problem facing employers is how to balance the obvious benefits of online access for their employees with the risks inherent in providing those tools to employees. Many employers have sought to achieve this balance by monitoring the use that their employees make of e-mail and Internet access. Monitoring, however, brings into conflict the employer's legitimate interest in protecting against the risks associated with online access for employees and the privacy interests of the employees. The conflict between employers' need to monitor and employees' right to privacy is, of course, not limited to electronic communication; but certain characteristics of e-mail and the Internet, such as the use of passwords to access communications and the apparent ability to delete files, may create an illusion of a higher level of privacy than is actually the case with electronic communication. The most effective and simplest way for an employer to protect its ability to monitor employees' online activities and avoid legal challenges to that monitoring is to put in place a policy which clearly informs employees that their use of e-mail and the Internet will be monitored and ensure that all employees are aware of the policy.

EXTENT OF EMPLOYEE MONITORING

Two recent studies into the extent of monitoring have been widely cited on the subject.(3) The annual American Management Association (AMA) survey of "Workplace Monitoring & Surveillance" found that in 2001 "[m]ore than three-quarters of major U.S. firms (77.7%) record and review employee communications and activities on the job, including their phone calls, e-mail, Internet connections, and computer files." The figure in the second study, "The Extent of Systematic Monitoring of Employee E-mail and Internet Use" conducted by the Privacy Foundation is significantly lower. That study found that about 35% of employees have their online activities monitored by their employer. Although there is a vast gap between the figures, that does not necessarily mean that the studies conflict or that certain fundamental conclusions are not supported by both studies. In large part the discrepancy can be explained by differences in methodology between the studies. The AMA study included spot checks by employers in its tally of total monitoring while the Privacy Foundation study included only continuous and systematic monitoring; the AMA study also included surveillance of telephone conversations and voice mail messages while the Privacy Foundation study included only e-mail and Internet usage; and the subjects of the studies were not the same since the AMA study mirrors the corporate membership of its client base but does not include many smaller firms while the Privacy Foundation study included firms of all sizes.

In any event, both studies clearly support the conclusion that monitoring of employees' use of e-mail and Internet access is pervasive in the workplace. The figures for 2001 show an increase in monitoring from previous years, and according to the Privacy Foundation study, "[o]ver the past few years, employee monitoring has been increasing about twice as fast as the number of employees with Internet access." As monitoring software continues to become cheaper, more flexible and effective, and employers' incentive to monitor does not change, or actually increases, it seems likely that this trend will continue unabated.

CAUSE FOR CONCERN?

In addition to the general unease felt by many employees in knowing that every keystroke may be monitored, Big Brother-like, by their employer, there are important privacy issues that employees have raised in response to employer monitoring. For example, what use may be made of information that an employer gathers through its monitoring program? This may have real consequences for employees. Fifty employees of The Dow Chemical Co. were fired and another 200 disciplined in 2000 for using company computers to e-mail pornography and violent images, and earlier Xerox Corp. fired forty employees for spending work time browsing porn and shopping web sites.(4) These are just two examples which attracted media attention because of the visibility of the employer and the number of employees disciplined, but they are not isolated or exceptional occurrences.

Few would argue that employees caught with purloined secrets or caught sending offensive e-mail which raises the specter of employer liability to hostile work environment suits should avoid severe discipline, but should employees lose their jobs for browsing sports and shopping web sites or engaging in other online activities that are neither illegal nor arguably lead to a hostile work environment such as searching for a new job or trading stock? When an employer unintentionally discovers confidential and potentially embarrassing or harmful information about its employees through its monitoring what is the employer to do with this information? If, for example, an employer stumbles across an employee's credit report or medical information does the employer assume any responsibilities to guard that information, or at least to not act on it to the detriment of the employee? The possibility of that type of information coming to light is not just an improbable hypothetical concern. As employees spend many hours at work the ease of conducting some of their business via e-mail or the Internet, such as, for example, banking online, may become a convenience that they are not able to forgo. The result is that information that employees might prefer to keep confidential may be exchanged over the employer's network. Answers to these questions are, obviously, well beyond the scope of this article, but the questions do serve to highlight some of the issues that may concern employees about having their online activities monitored at work, and give some insight into the kind of interests for which employees might believe that they are entitled to legal protection of their privacy.

In May of 2001 one group of employees, after discovering that their e-mail and Internet use was being monitored, ordered staff to disable the monitoring software. The employees were able to accomplish such a bold coup because they were judges of the U.S. Court of Appeals for the 9th Circuit, in San Francisco. Very few employees have the power of federal appellate judges, and as it turned out, even federal appellate judges are subject to monitoring. In August the Committee on Automation and Technology of the U.S. Judicial Conference refused to support the shutdown of the monitoring software by the Ninth Circuit.(5) Many employees, lacking the power to simply order that the monitoring software be turned off, take a different tack in the attempt to preserve a high level of privacy at work -- they sue.

EMPLOYEES' RIGHT TO PRIVACY IN THE WORKPLACE

The Supreme Court addressed the subject of privacy in the workplace in the landmark case of O'Connor v. Ortega.(6) In that case the Supreme Court recognized that employees may possess legally protected privacy interests, but qualified those rights, holding that employees' individual privacy interests must be balanced against the realities of the workplace.(7) The Supreme Court noted that even at work there are some legitimate areas in which an employee has a reasonable expectation of privacy. These areas may include, for example, desks and file cabinets. However, the Court also noted that the privacy expectations of an employee "may be reduced by virtue of actual office practices and procedures."(8) The decision recognized that with the question of privacy in the workplace there are no absolutes. Often whether an employee has a reasonable expectation of privacy is a question of specific practices within the employee's workplace, and the issue of whether an employee has a reasonable expectation of privacy "must be addressed on a case-by-case basis."(9)

The plaintiff in O'Connor, Dr. Magno Ortega, held the position of Chief of Professional Education at Napa State Hospital. When hospital officials became concerned about possible improprieties involving Dr. Ortega he was asked to take an administrative leave while the charges against him were investigated. While he was on leave, hospital personnel searched his office and seized items from his desk and file cabinets. In holding that Dr. Ortega had a reasonable expectation of privacy in his desk and cabinets the Court noted several contributing factors such as the fact that Dr. Ortega did not share his desk or file cabinets with any other employees, public files were kept outside of his office and investigators apparently only found personal items inside his office. Most importantly though, the Court noted that there was no evidence that the hospital had established any reasonable regulation or policy discouraging employees from storing personal items in their offices. The Court hedged the policy issue a little bit stating that "the absence of such a policy does not create an expectation of privacy where it would not otherwise exist." Even with the Court's hedge however, it is apparent that the lack of any explicit policy was an important finding leading the Court to hold that Dr. Ortega's expectation of privacy in his office had been violated by the search.

While O'Connor v. Ortega recognized that employees may, in fact, have a reasonable expectation of privacy in the workplace in certain situations, most legal challenges to employer monitoring of e-mail and Internet access have upheld the right of employers to monitor.

There are several legal bases upon which employees have tried to found suits involving the issue of employer monitoring of online activities. These bases include: (1) common law tort theories, (2) federal statutes in connection with the Electronic Communications Privacy Act ("ECPA"), and (3) for public employees, Fourth Amendment protections against unreasonable search and seizure.

A. Common Law Invasion of Privacy Torts

One of the bases upon which employees have attempted to found claims against employer monitoring of employee online activity is the common law tort of invasion of privacy. Most employees utilizing the invasion of privacy theory have argued that employer monitoring constitutes an "intrusion upon seclusion." In order to prevail under this theory a plaintiff employee must demonstrate that the employer's monitoring intentionally intrudes, either physically or otherwise, upon the solitude or seclusion of the employee or his private affairs or concerns and also that the intrusion would be highly offensive to a reasonable person.(10)

The first problem faced by a plaintiff hoping to advance this theory is that the tort of invasion of privacy based upon "intrusion upon seclusion" is not recognized in all jurisdictions. New York, for example does not recognize a cause of action based upon "intrusion upon seclusion." Plaintiffs who overcome that threshold obstacle by suing in jurisdictions where the cause of action for intrusion upon seclusion is recognized have found that courts have not, generally, been sympathetic to this approach. Most courts have followed the reasoning of the leading case in the area, Smyth v. Pillsbury Co.,(11) holding that employees may not support a claim based on intrusion upon seclusion because given the context of the work environment and the nature of electronic communication, employees do not have a reasonable expectation of privacy in their e-mail and Internet use in the workplace. Furthermore, even if they did have a reasonable expectation of privacy, that expectation would be outweighed by the employer's interest in making sure that its employees do not abuse the use of its e-mail and Internet systems.

The plaintiff in Smyth claimed that he had been wrongfully discharged by his employer, arguing that his discharge had been contrary to public policy because it had been in violation of his right to privacy. The plaintiff employee sent several e-mail messages from his home computer, but over the defendant's e-mail system. Some time later the defendant employer accessed those messages and fired the plaintiff based upon their content, which was critical of management. The court determined that despite assurances from the defendant that e-mail communication would remain confidential and not be intercepted by management, the plaintiff had no reasonable expectation of privacy once he decided to transmit communications over the employer-provided e-mail system. Additionally, the court determined that even if there had been a reasonable expectation of privacy the plaintiff could not prevail under his tort theory because a reasonable person would not consider the defendant's interception of the communications to be a substantial and highly offensive invasion of privacy, in part because the employer's "interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments."(12)

Most other courts weighing suits brought under the intrusion upon seclusion theory have reached similar results. For example, in McLaren v. Microsoft Corp.(13) the court held that though Texas does recognize the tort of invasion of privacy through intrusion upon seclusion, an employee who had been fired based upon information recovered from his e-mail could not establish the necessary elements of the tort. In parallel fashion to Smyth, the court held that first, there was no reasonable expectation of privacy because the e-mail messages which were sent over a company-owned computer were not even the employee's property, but rather were "merely an inherent part of the office environment."(14) Additionally, despite the fact that the messages were stored in the employee's "personal folders" and were only accessible through the use of a discreet password, there was never a reasonable expectation of privacy because the messages were transmitted over the network where at some point they were stored on the company server and accessible to the employer. Secondly, the McLaren court noted that even if there had been a reasonable expectation of privacy the employer's "interest in preventing inappropriate and unprofessional comments, or even illegal activity, over its e-mail system would outweigh McLaren's claimed privacy interest in those communications."(15)

While the clear majority of courts have held that employees do not have a reasonable expectation of privacy in the content of their e-mail, at least one court has been willing to consider at least the possibility that an employee might have a reasonable expectation of privacy in those messages. In Restuccia v. Burk,(16) the court declined to grant summary judgment against an employee suing under the theory that employer monitoring had constituted an intrusion upon seclusion. The court said, "there remain genuine issues of material fact on the issue of whether plaintiffs had a reasonable expectation of privacy in their e-mail messages and whether reading of the e-mail messages constituted an unreasonable, substantial or serious interference with plaintiff's privacy." Restuccia is the only reported case of a common law cause of action, based on employer intrusion upon employee seclusion because of the employer's monitoring of e-mail or Internet usage, to be allowed to proceed to trial; all others have been dismissed by the courts prior to trial.

B. Electronic Communications Privacy Act

In addition to common law bases, an employee may attempt to found a suit against employer monitoring on statutory protections provided by the Electronic Communications Privacy Act ("ECPA").(17) The ECPA was enacted in 1986 as an amendment to the Federal Wiretap statute. The purpose behind the Act was to update the statute to handle new methods of electronic communication such as e-mail. The results have been mixed. The Ninth Circuit Court of Appeals noted that "[w]hen the Fifth Circuit observed that the Wiretap Act 'is famous (if not infamous) for its lack of clarity,' it might have put the matter too mildly. Indeed, the intersection of the Wiretap Act and the Stored Communications Act, [part of the ECPA], is a complex, often convoluted area of the law."(18)

The ECPA provides statutory protection against both unauthorized interception of electronic communications and also against unauthorized access of stored messages. It also prohibits attempted interception and disclosure of the content of electronic messages, and extends to private communication systems operated or subscribed to by most private employers. While on the surface the ECPA appears to provide employees with ample protections against workplace monitoring there are exceptions that may apply in the context of office monitoring. Several factors may go into determining the application of the statute to a given communication, including the medium, the system upon which the message is located, and whether the message is in transit or is in storage.

Because the status of the communication affects the application of the ECPA's protections, it is essential to understand the basics of how e-mail works in order to grasp the application that courts have made of the Act. Basically, an e-mail system consists of an e-mail client and at least one e-mail server that combine to deliver the message to the recipient. The e-mail client is the program, such as Microsoft Outlook, Eudora, Pegasus, or AOL's e-mail reader, which is used to view and compose messages. The e-mail server is an application that accepts the e-mail message from the client (or another server) and then directs it to its destination. The simplest system would consist of a server with a list of e-mail accounts that can receive e-mail on the server. When someone wanted to send a message to an account on the server they would compose the message on their e-mail client. The e-mail client would then connect to the server and pass the message to the server where it would be stored. Using his own e-mail client program, the recipient would then connect to the server and receive the message. In more complex systems the server may have to connect with other servers to get the message to its destination.(19)

Typically, after a message is sent and routed to the server where the recipient has an account, the system stores the message in temporary intermediate storage on the server to await its access by the recipient. The message is also generally stored in a separate location on the server for back-up protection in the event that the system crashes. In the course of transmission from the sender to the recipient, a message passes through both intermediate and back-up protection storage and copies of the message may remain on multiple servers along its path. Most servers are also backed up periodically by copying onto a magnetic tape and any e-mail (or Internet) messages stored on the server would then be stored on the back up tape as well. Transmission is completed when the recipient logs on to the system and retrieves the message from intermediate storage from the server on which the recipient has an account. After the message is retrieved by the intended recipient the recipient may also save a copy in their own personal files on the computer at their workstation. Internet communications follow a similar path from computer to computer with the likelihood of storage on a number of servers along the path and thus Internet communications have been treated similarly to e-mail communications under the ECPA by courts.(20)

1. Interception of Messages

Courts have generally held that interception as used in the ECPA requires that the communication be accessed while it is in transit. For example, in Steve Jackson Games, Inc. v. U.S. Secret Service(21) the plaintiff, a publisher of role-playing games operated an electronic bulletin board system which it used to post information about its business and games. The bulletin board allowed customers to send and receive private e-mail. The computer on which these messages were kept was seized by the Secret Service pursuant to a warrant because it was believed that the bulletin board contained an unauthorized copy of a computer file containing information about an emergency call system. At the time that it was seized the computer contained 162 items of unread, private e-mail some of which were read and deleted by the Secret Service. The trial court held that there had been an unauthorized access of the computer files, but no interception because the acquisition of the contents of the electronic communications was not contemporaneous with the transfer of those communications.(22) The appellate court agreed. Most other courts that have faced the issue have held similarly that interception requires an element of contemporaneity with the transit of the message. These courts have held that accessing files stored on a server or other location does not constitute interception even if those messages have not yet been viewed by the intended recipient because the messages are in storage and not in transit.(23)

However, one recent case rejected the traditional approach, holding that the determining factor of whether there has been an interception is if the message is acquired before it reaches its intended recipient. In Fraser v. Nationwide Mutual Insurance Co. the court explained that "interception of a communication occurs when transmission is interrupted, or in other words when the message is acquired after it has been sent by the sender, but before it is received by the recipient. The point in time when the message is acquired is the determining factor for whether or not interception has occurred."(24) Thus accessing an employee's mailbox or stored files does not constitute an interception if it takes place chronologically after the message has been viewed by the recipient, but it does constitute an interception if the message has not been viewed by the recipient even if the acquisition of the message occurs long after the message was originally sent.

It remains to be seen whether more courts will adopt the Fraser approach. With its expanded view of what constitutes an interception more employer monitoring programs may fall within the "interception" coverage of the statute under that analysis. Access of any electronic communication stored on the server would potentially constitute an interception depending on whether or not the recipient had accessed it first.

2. Access of Stored Files

In any event, communications are also protected from unauthorized access of messages in storage under the ECPA.(25) Thus any monitoring which does not fall under the interception prohibitions of the statute would likely still be covered by the statute under the unauthorized access provisions regardless of whether the access occurred before or after the message reached the intended recipient.

One recent case may signal a sea change in the way courts read the interception and access to stored messages provisions of the statute. In Konop v. Hawaiian Airlines, Inc.(26) the Court of Appeals for the Ninth Circuit rejected any temporal distinction between "interception" and "access" and held rather that "interception" as used in the statute entails actually acquiring the contents of a communication while "access" merely means being in a position to acquire the contents of the communication. Under this reading "access" is a lesser included offense of "interception." In Konop the employee plaintiff maintained a secure website. Access to the website required user names and passwords. The plaintiff posted messages on the site which were critical of his employer, its officers, and the pilots' union. A vice president of the employer gained access to the site using the names and passwords of two employees. The court held that such access constituted an interception under the statute. According to the analysis of the 9th Circuit, intentionally discovering the contents of stored files would constitute an interception even if the message had already been received by the recipient and did not require contemporaneity with the sending of the message. If courts begin to follow the reasoning in Konop then it seems likely that more employer monitoring programs would potentially run afoul of the interception provisions of the statute as essentially any access of the contents of an electronic communication from any source would constitute an interception and even if the employer never examined the contents of the message the mere ability to do so could be construed as unauthorized access of stored files.

While both interception and unauthorized access to stored files violate the statute, the classification of access as either an interception or an unauthorized access of stored files does have a practical difference. Statutory penalties are more severe for an interception than for merely accessing stored files.

3. Consent Exception

Assuming that employer monitoring does fall within the reach of the ECPA either as an interception as it has traditionally been treated by the courts, or as an unauthorized access there are still at least two exceptions built into the statute which will likely impact upon an employer monitoring program. Monitoring, both through interception or through access to stored files, is not unlawful if it is done with consent (either express or implied) of at least one party to the communication,(27) or if it is "a necessary incident to the rendition of the service or to the protection of the rights or property of the provider of the service."(28)

Since express consent is not a requirement, the consent exception is likely to be the most used exception to justify monitoring in the office context. Under this exception an employer could monitor communications if either of the parties to an electronic communication had consented to the interception of or the access of the communication. Consent, which as noted, includes implied consent, could be obtained by providing prior notice to employees that their online activities will be monitored. No published cases deal with the consent exception as applied to e-mail or Internet monitoring. In Ali v. Douglas Cable Communications,(29) a case brought under the same statutory provisions, but whose facts dealt with monitoring of employee telephone calls rather than e-mail or Internet access, the court noted that the circumstances giving rise to consent must be evaluated on a case-by-case basis. Ordinarily the circumstances will include language and/or acts which tend to prove that a party knows of and assents to the monitoring of their communication. Thus use of the system after being informed that use will be monitored would constitute implied consent. An employer could further protect itself by requiring a written acknowledgment from employees that they are aware that their online activities will be monitored. The consent exception seems to provide the surest and simplest way for an employer to protect itself from suit by employees over monitoring.

4. Ordinary Course of Business Exception

The ordinary course of business exception provides protection for network providers whose interception or monitoring of files is deemed to be in protection of its rights or property and the interception or access of electronic communications is carried out in the regular course of business and for a legitimate business purpose. As with the consent exception, judicial opinions dealing with the applicability of the ordinary course of business exception are nonexistent. Arguably at least, an employer might be able to make a case for monitoring under this exception in order to ensure quality of performance, discover theft or protect proprietary information, or to prevent the development of a hostile work environment through misuse of the employer's system by employees. However, an employer should be careful not to exceed the scope of monitoring needed to accomplish its purpose.

5. State Statutory Protections

Many states have enacted legislation which mirrors the ECPA. While these state statutes are generally consistent with the ECPA, it is important to be aware that they may exist because they may contain some deviations from the ECPA.

C. Fourth Amendment

Because the Fourth Amendment protects against unreasonable searches and seizures by the government, when the employees being monitored are public employees or if the monitoring is in furtherance of a criminal investigation, Fourth Amendment protections may apply. Courts have addressed the issue of workplace monitoring in the context of the Fourth Amendment in much the same way as invasion of privacy tort claims. The essential threshold determination is whether the employee had a reasonable expectation of privacy in the computer files which are the subject of the monitoring. Courts have generally answered this question in the negative.

In instances where the employee does have a reasonable expectation of privacy the next step of the analysis is a consideration of whether the employee's expectation of privacy outweighs the employer's (government's) need for supervision, control and the efficient operation of the workplace; the final question is whether the search itself, as conducted, was limited in scope so as not to exceed the employer's need.

As described above, most courts that have been faced with a Fourth Amendment challenge to workplace monitoring have found that the employee did not have a reasonable expectation of privacy in the electronic communication. The analysis of the Court of Appeals for the Fourth Circuit in United States v. Simons(30) is typical. Simons was an electronic engineer at a division of the Central Intelligence Agency. It was the policy of Simons' employer to monitor the use made of the Internet and e-mail systems by employees. In a situation that is not unusual in the modern workplace, the actual monitoring was done by a separate business entity specializing in providing computer system services and under contract with Simons' employer. Monitoring detected that Simons had visited many pornographic Internet sites from his workstation computer, and upon review it was determined that some of these sites contained child pornography. Computer files were then copied from Simons' computer remotely from the computer of the system manager. Simons argued that the Fourth Amendment protected him from a search of this type and that the evidence obtained against him was therefore not admissible. The Court held that Simons had no reasonable expectation of privacy in his e-mail and Internet usage because the employer had an explicit policy in place informing employees that their online activities would be monitored.

The determination that there was no reasonable expectation of privacy was easy in Simons because of the explicit policy. In contrast, Bohach v. City of Reno involved city police officers who were faced with an internal affairs investigation based upon information gained from employer access of their pagers where there was no explicit policy in place. The court found that the pager messages were "essentially electronic mail" and thus should be analyzed in the same manner. In assessing whether there was a reasonable expectation of privacy, the court noted its belief that the officers had a subjective expectation of privacy because otherwise they certainly would not have sent the messages. However, although there was no explicit monitoring policy in place, the court held that there was no objective, reasonable expectation of privacy because the officers should have understood that the messages would be stored on the computer system and that those stored messages could be accessed. In support of this conclusion the court noted that when the paging system was originally provided to the officers they were told that their messages would be "logged on the network."

Even where there is a reasonable expectation of privacy, the Fourth Amendment will not bar a search of an employee's computer files if it is conducted with the purpose of investigating work-related misfeasance. To come within the reach of this branch of the Fourth Amendment inquiry, employer monitoring would need to be justified at its inception and limited in scope to the investigatory purposes.(31)

WORKPLACE MONITORING POLICIES

As previously discussed employers have legitimate reasons for monitoring the use that their employees make of e-mail and the Internet in the workplace. Review of the relevant legal bases upon which an employee might seek to protect his privacy demonstrates that the employer can best protect itself and protect the privacy interests of its employees by having in place an explicit monitoring policy which is known to the employees. With such a policy in place employers may monitor their e-mail and Internet systems, and employees will conform their actions to the reality that their messages may be viewed by their employer.

Policies should be tailored to the workplace environment in which they will exist. For example, in many contexts such as telecommuting the line between business and personal use may be very gray while in other contexts e-mail or Internet access may be provided to an employee only for a clearly defined, limited purpose and thus the lines between acceptable and unacceptable use may be clear. Employers need to take these various factors into consideration when drawing up their policies. Generally however, an effective policy should inform employees that the employer is the owner of the e-mail or Internet system and that this includes all communications and stored information. It should also include a statement of the purposes for which the system is to be used as well as the discipline that an employee can expect to face for abuse of the system. There should be a statement advising employees that they should not expect privacy in communications made over the system and that those communications will be monitored by authorized personnel to ensure that the employer's property is being used only for authorized purposes. An employer may also want to include a non-exclusive list of examples of the kind of use that the employer considers unauthorized personal use, or inappropriate use.

CONCLUSION

Electronic communication is becoming more and more vital to the modern workplace. The increase in the number of employees equipped with e-mail and/or Internet access raises risks for employers. Many employers attempt to manage those risks by monitoring the use their employees make of the electronic communication tools provided to them. Monitoring creates its own problems as it inevitably exists in tension with employee privacy interests. The most effective way to deal with the inherent tension between monitoring and employee privacy is to put in place an explicit e-mail and Internet use policy which informs employees that their communication will be monitored.

Even the best policy carefully tailored to the specific workplace context is not a panacea to all ills related to employee e-mail and Internet access. For example, neither the employer nor its employees have complete control over incoming messages. While software may be able to block most offensive or inappropriate material from coming into the system, filtering software is not foolproof. Additionally, instances will inevitably arise where e-mail or Internet usage comes within a gray area not clearly delineated by the policy. Such difficulties notwithstanding, a policy carefully tailored to the workplace in which it is applicable is an absolute must for any employer providing e-mail and/or Internet access to its employees.



Ford Marrin Esposito Witmeyer & Gleser, L.L.P.
Wall Street Plaza, New York, New York 10005-1875, U.S.A.
URL: http://www.fmew.com

1. Schulman, Andrew The Extent of Systematic Monitoring of Employee E-mail and Internet Use, Privacy Foundation July 9, 2001.

2. Crimmins, Jerry "Even Federal Judges Come Under Surveillance When Online" Chicago Daily Law Bulletin Volume 147, No. 159 (August 14, 2001).

3. Schulman, Andrew The Extent of Systematic Monitoring of Employee E-mail and Internet Use, Privacy Foundation July 9, 2001; Annual American Management Association survey of “Workplace Monitoring & Surveillance -

4. Crimmins, Jerry "Even Federal Judges Come Under Surveillance When Online" Chicago Daily Law Bulletin Volume 147, No. 159 (August 14, 2001).

5. Id.

6. O'Connor v. Ortega, 480 U.S. 709, 107 S.Ct. 1492, 94 L.Ed.2d 714 (1987).

7. Id at 716, 1497.

8. Id at 716, 1497.

9. Id at 718, 1498.

10. Restatement (Second) of Torts, §652B (1974); see also Smyth v. Pillsbury Co., 914 F.Supp. 97, 100 (E.D. Pa. 1996).

11. Smyth v. Pillsbury Co., 914 F.Supp. 97, 100 (E.D. Pa. 1996); see also McLaren v. Microsoft Corp., 1999 WL 339015 (Tex.Ct.App. May 28, 1999).

12. Id at 101.

13. McLaren v. Microsoft Corp., 1999 WL 339015 (Tex.App. 1999).

14. Id at 3.

15. Id at 4.

16. Restuccia v. Burk, 1996 WL 1329386 (Mass. Super.Ct. 1996).

17. Pub. L. No. 99-508, 100 Stat. 1848.

18. U.S. v. Smith, 155 F.3d 1051, 1055 (9th Cir. 1998).

19. Brain, Marshall, How E-mail Works, available at: http://www.howstuffworks.com/email.htm.

20. See e.g. Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035 (9th Cir. 2001).

21. Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994).

22. Id at 459-460.

23. See e.g. Eagle Inv. Sys. Corp. v. Tamm, 146 F.Supp.2d 105 (D. Mass. 2001); Wesley Coll. v. Pitts, 947 F.Supp. 375 (D. Del. 1997) aff'd without opinion, 172 F.3d 861 (3rd Cir. 1998); Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996).

24. Fraser v. Nationwide Mutual Insurance Co., 135 F.Supp.2d 623 (E.D.Pa. 2001).

25. 18 U.S.C. §2701.

26. Konop v. Hawaiian Airlines, Inc., 236 F.3d 1035 (9th Cir. 2001).

27. 18 U.S.C.A.§ 2511(2)(d); 18 U.S.C.A. §2511(2)(a).

28. 18 U.S.C.A. § 2702(b)(3); 18 U.S.C.A. §2702(b)(2).

29. Ali v. Douglas Cable Communications, 929 F.Supp. 1362 (D.Kan. 1996).

30. United States v. Simons, 206 F.3d 392 (4th Cir. 2000).

31. See e.g. Leventhal v. Knapek, 266 F.3d 64 (2nd Cir. 2001).

Copyright © Ford Marrin Esposito Witmeyer & Gleser, L.L.P., 2002.

Last Updated January, 2002

http://www.fmew.com/archive/monitoring/