I. INTRODUCTION – ACCESSIBILITY OF COMPUTER DATA
Employers should make employees aware of the fact that even when an employee attempts to delete information on a computer, such information may be retrieved, in whole or in part, months later. In addition, computers often store data that leaves a trail of e-mails sent and received, internet sites visited, the history of creating or editing a document and accessing another user’s document.
This retention of information provides for a host of potential legal issues concerning confidentiality and privacy, employer/employee liability, copyright or trademark infringement, claims of harassment or discrimination and improper use of bank property. Computer records and e-mail communications are discoverable under both federal and Nebraska law. Once subject to litigation, the bank must ensure that its employees do not destroy material, for willful destruction of evidence may result in heavy court sanctions.
Since the bank has the right (and perhaps a duty) to monitor and inspect its own computers and computer usage, the bank should clearly inform its personnel, in a formalized policy, that they should have no expectation of privacy when it comes to the use of the internet, e-mail or bank computers owned by the bank.
II. LAW ON EMPLOYEE PRIVACY IN ELECTRONIC COMMUNICATIONS
A. Federal
The “Electronic Communications Protection Act of 1986” (ECPA) is a federal statute that protects electronic communications (including electronic mail messages) from being intercepted by and disclosed by third parties. The ECPA covers communications that affect interstate commerce. There is a “business use” exception in the law that gives employers the right to access communications. A provider of electronic or wire communications whose facilities are used in the transmission of a wire or electronic communication, may intercept, disclose or use that communication in the normal course of employment while engaged in any activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the carrier. (See, 18 U.S.C.§ 2510.)
B. Nebraska
Nebraska has its own version of the ECPA, but unlike the federal version, the Nebraska statute may be applicable regardless of whether the electronic communication affects interstate commerce. There is a “Business Use” exception that states that it is not unlawful for an employer to:
Intercept, disclose, or use (wire) communications(s) in the normal course of his, her or its employment while engaged in any activity which is necessary incident to the rendition of his, her or its services or to the protection of the rights or property of the carrier or provider of such communications services.
See, Neb.Rev.Stat. § 86-290. Employers that conduct random monitoring of communications are required to first give reasonable notice of the policy to its employees.
When dealing with issues regarding privacy rights, there must be an expectation of privacy. An employee may claim a right to privacy under the “invasion of privacy” laws of the State. Neb.Rev.Stat. § 20-203 states:
Any person, firm or corporation that trespasses or intrudes upon any natural person in his or her place of solitude or seclusion, if the intrusion would be highly offensive to a reasonable person, shall be liable for invasion of privacy.
In reading the above-cited statutes in tandem, the issue is whether any expectation of privacy exists, particularly in the workplace, using bank computers. An employee expectation of privacy may be eliminated by a bank when the bank implements a clearly stated policy and informs its employees of the policy regarding bank-owned computers and the bank’s right to access.
III. EMPLOYEE USE OF BANK-OWNED COMPUTERS
It should be obvious that bank owned computers are property of the bank. Computers constitute equipment necessary to conduct the business of the bank, but when they misused by employees, the potential for decreased employee productivity and increased bank liability exist. If the bank wishes to protect its interests and limit its liability, it should implement and promulgate a clear policy that eliminates any employee expectation of privacy in the computer that the employee uses.
A bank may also want to further protect itself from internet use liability by its employees. The bank can limit or prohibit employee access to undesirable web-sites through tracking, blocking or filtering software. The bank may develop additional policies that prohibit on-line shopping (or, at least, limit such shopping to break times) and that prohibit (or restrict) employee participation in non-bank-related “chatrooms.”
The use of e-mail by employees carries with it both efficiencies as well as potential risks of abuse, misuse or bank liability. In fact, many companies have been subjected to litigation based on allegations of discrimination via e-mail. In some cases, e-mail has resulted in claims of e-harassment, discrimination and the creation of a hostile work environment. Once again, a clearly stated policy that prohibits the use of e-mail for non-business proposes and that subjects e-mail to electronic monitoring should serve to limit some of the potential risks and eliminate any employee expectation of privacy.
IV. ELEMENTS OF A COMPUTER USAGE POLICY
In considering what points the bank may want to cover in a computer usage policy, the following suggestions may prove useful: