This article was written by Philip Gordon, and originally appeared in Corporate Counsel Online. Reprinted with permissed from ALM Media Properties, LLC.
Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act's risk profile from a nonevent to a statute worthy of significant attention.
Although principally a criminal statute, the Federal Wiretap Act is unique among privacy laws in that it provides for substantial monetary damages without proof of actual harm.
Under the act, an aggrieved party can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys' fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.
To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant's favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.
By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.
The act's robust damages scheme triggers a significant risk profile because businesses can now violate the Federal Wiretap Act much more easily and much more frequently than in the past. The act makes it unlawful intentionally to intercept an oral, wire or electronic communication using an electronic, mechanical or other device.
Courts have consistently rejected claims by employees seeking to apply this statutory language to an employer's review of stored e-mail, holding that an "interception" under the act requires the acquisition of the content of an e-mail contemporaneously with transmission, not in storage. Because e-mail, by its very nature, cannot easily be acquired in transmission, this line of authority seemed to insulate employers from the act's rich remedial scheme.
A recent decision by the U.S. Court of Appeals for the Seventh Circuit, however, has raised the specter of substantial civil liability for unlawful interceptions despite extant precedent in the area. In U.S. v. Szymuszkiewicz, the court affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor's Microsoft Outlook "autoforwarding" feature.
As a result, duplicates of the supervisor's e-mail were automatically forwarded to the IRS agent without the supervisor's knowledge or consent. The IRS agent received a sentence of 18 months' probation.The Seventh Circuit's decision turned principally on whether autoforwarding e-mail constitutes an "interception" as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the autoforwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor's e-mail inbox.
The Seventh Circuit's decision is significant for employers because corporate IT departments commonly use Outlook's autoforwarding feature. IT departments, for example, routinely activate this feature after an employee has left an organization, or when an employee is on an extended leave of absence, so that a supervisor or co-worker can promptly respond to e-mail intended for the employee.
It also is not uncommon for corporate IT departments to rely on "e-mail journaling" to create a duplicate set of outgoing and incoming e-mail for archival purposes. Journaling essentially functions the same as autoforwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party's e-mail inbox.
E-mail journaling is a basic tool of electronic discovery as it permits the automated preservation of e-mail. E-mail journaling is particularly useful for preserving the e-mail of an employee who is unaware that he is the target of an investigation because e-mail journaling eliminates the need for the target of the investigation to be involved in preservation efforts.
Additionally, businesses that rely on a third party to archive e-mail often will rely on autoforwarding to transfer e-mail from the corporate e-mail server to the third party's archive server.
Activating Microsoft's autoforwarding feature is just one way that employers can effectuate an interception of e-mail under the Federal Wiretap Act. Increasingly sophisticated e-mail monitoring programs are capable of capturing e-mail content in real-time.
At least two domestic relations cases, for example, have held that one spouse unlawfully intercepted another spouse's e-mail or Internet chat by installing SpectorSoft software, a commercially available real-time monitoring program, on the other spouse's personal computer. Although statistics are not publicly available, a significant number of corporate IT departments likely have installed SpectorSoft or similar real-time, e-mail monitoring products.
Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent.
A recent decision by a Texas federal district court, however, demonstrates that relying on an electronic resource's policy that was drafted without the specific purpose of creating a defense to a Federal Wiretap Act claim could be shortsighted.
In that case, Garza v. Bexar Metropolitan Water District, the employee handbook warned employees that the employer "reserved the right to monitor and access any phone or email messages stored on its voicemail and email systems."
The court rejected the contention that this policy language established the plaintiff-employee's consent to the alleged real-time interception of his telephone calls, reasoning that "[d]efendants did not simply listen to [the employee's] stored voice mail messages; instead, they intercepted and listened to entire telephone conversations."
Following this reasoning, an electronic resources policy that informs employees that they have no reasonable expectation of privacy in their e-mail or that the employer reserves the right to monitor or review their e-mail messages (as most such policies typically do) would not provide a basis for establishing consent to the employer's use of Outlook's autoforwarding feature or the interception of e-mail by a real-time monitoring program, such as SpectorSoft.
Consequently, to provide a more robust defense, an employer should consider revising any such policy to specifically explain how and when the employer will intercept e-mail.
Notably, federal courts will not lightly imply consent to an interception that otherwise would violate the Federal Wiretap Act.
As a result, there remains an open question whether a court would find, for example, that an employee who acknowledged receipt of an electronic resources policy on his first day of employment thereby consented to the interception of his e-mail five or ten years later in the course of the employer's investigation of allegations of sexual harassment. To strengthen its position in this regard, the employer can include notification of e-mail interception in a splash screen each time employees log into the employer's computer system.
Revising the employee handbook and using a splash screen or similar warning may not, however, be enough.
Corporate counsel should encourage IT leaders routinely to communicate how and when the corporate IT department is intercepting employees' e-mail. Corporate counsel can then analyze whether the existing policy provides sufficient notice to establish consent to the interception and, if not, can revise the existing notice or provide individualized notice to targeted employees.
One final caveat: The wiretap laws of 13 states — California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington — provide that consent is a defense to an interception only if all parties to the communication consent.
Employers can satisfy this all-party consent requirement in the context of telephone monitoring by distributing a telephone monitoring policy to their own workforce and notifying incoming callers by automated means that their call will be monitored. In the context of e-mail, however, notifying the sender that his e-mail will be intercepted may not be technically feasible.
To be sure, our research has not uncovered any published decision in any of the all-party consent states upholding a criminal conviction or imposing civil liability for e-mail interception. Nonetheless, the risk remains and should be considered before an organization activates autoforwarding, e-mail journaling or real-time e-mail monitoring software.