Workplace Privacy: Balancing Employees

Rights with their Employers Right to

Know
Kevin Perez
NEMIROW PEREZ P.C.
Employee privacy is always a hot topic for employers, as they must walk the fine line between
protecting their legitimate business interests while avoiding invasion of their employees
reasonable privacy expectations. Employers have a needand in some cases, an obligationto
obtain their employees personal information and monitor their employees behavior in order to
make appropriate decisions, to maintain order, and to protect themselves and their employees from
other employees. Acting on these needs and obligations is not without risk: many laws impact
whether and how employers can obtain their employees personal information. As a result,
employers often need to engage in a balancing test when they deal with privacy issues.
What follows is a summary discussion of several hot topics that involve employee privacy as it
pertains to Colorado employers. Due to the brief duration of the program, these materials are meant
only as an overview to help attorneys in spotting and addressing key issues.
I.

EMPLOYEE PRIVACY VS. THE EMPLOYERS RIGHT TO KNOW

At the forefront of any discussion regarding privacy are the privacy protections afforded to
individuals by the Fourth Amendment to the U.S. Constitution and Colorado common law.
Together, these laws (and others, which will be discussed below) create potential liability for
Colorado employers who go too far in trying to monitor their employees.
A.

Employees Fourth Amendment Rights

In the context of public employee privacy, the protections of the Fourth Amendment are
paramount, as it governs searches and seizures by public employers of their employees private
property.

Page | 1

The Fourth Amendment provides,

The right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no warrants
shall issue, but upon probable cause, supported by oath or affirmation, and
particularly describing the place to be searched, and the persons or things to be
seized. 1
The seminal case interpreting the Fourth Amendment in the employee privacy context is OConnor
v Ortega. 2
In Ortega, the Supreme Court analyzed the balance between an employees reasonable expectation
of privacy and the employers need for a search. 3 An initial issue for the Court was to delineate
the boundaries of the workplace. The Court noted that not everything present on the employers
premises should be considered part of the workplace, and gave the example that the expectation of
privacy in the contents of an employees closed luggage, purse, or briefcase is very different than
the expectation of privacy in the open contents of the employees office. 4 It went on to state that
public employees' expectations of privacy in their offices, desks, and file cabinets, like similar
expectations of employees in the private sector, may be reduced by virtue of actual office practices
and procedures, or by legitimate regulation. 5 In essence, the focus is on what an employee would
reasonably consider to not be subject to search, given all the factual circumstances, which makes
the question one addressed on a case-by-case basis. 6 In prior case law, this reasonable expectation
of privacy was explained to consist of both a subjective expectation of privacy and an objectively
reasonable expectation of privacy. 7
Once it was determined that the employee had a subjectively, and objectively, reasonable
expectation of privacy, the discussion turned to a balance between invading the employees
legitimate expectations of privacy against the employers need for supervision, control, and the
efficient operation of the workplace. 8 In the context of both non-investigatory, work-related
searches (such as entering the offices and opening the desks of employees looking for
correspondence, files, or reports available only in the employee's office while the employee is
away from the office) and for searches investigating work-related misconduct, the Court set a two1

U.S. CONST. amend. IV.

480 U.S. 709 (1987).
3
Id. at 715.
4
Id. at 716.
5
Id. at 717.
6
In Ortega, the Court found that the employee had a reasonable expectation of privacy with regard to personal
information stored in his desk and filing cabinet, but not with regard to property stored in other locations in his
private office. Id. at 719.
7
Smith v. Maryland, 442 U.S. 735, 740 (1979).
8
Ortega, 480 U.S. at 719-20.
2

Page | 2

pronged standard: (1) whether the decision to search was reasonable at the inception of the search,
and (2) whether the scope of the search that was actually conducted was reasonably related to the
circumstances initially justifying the search. 9
For example, in the situation where an employer has a reasonable basis to believe that a search
will turn up evidence that the employee is guilty of work-related misconduct, the search of the
employee's office by the employer will be justified at its inception. 10 If however, the search had
no reasonable basis at the inception, such as searching to see if the employee might be committing
some unknown misconduct, the search would violate the employees Fourth Amendment
protections even if misconduct is found. Similarly, the scope of the search would satisfy the
reasonableness test if the employer confined the search to places reasonably likely to contain the
evidence. If the employer goes too far, such as opening and searching an employees locked car
when ostensibly looking for evidence of email misconduct, the search would not meet the test and
would violate the employees Fourth Amendment rights. Thus, prior to engaging in any search, a
public employer must have a reasonable basis to believe that the search is appropriate for meeting
work-related or investigatory goals, and the searchs scope is limited in such a way so as to
reasonably meet the goals.
Employees may sue federal employers for Fourth Amendment violations, as the Supreme Court
has held that there exists an implied private right of action for monetary damages for such violation
where there is no other federal remedy. 11 Employees may sue state and local employers for Fourth
Amendment violations through Section 1983 of the Civil Rights Act of 1871. 12 Individual liability
for the public employees involved, however, is often limited under the doctrine of qualified
immunity, which provides that government officials performing discretionary functions are
"shielded from liability for civil damages insofar as their conduct does not violate clearly
established statutory or constitutional rights of which a reasonable person would have known." 13
Damages for Fourth Amendment violations include compensatory damages, which cover actual
past and future economic losses; general damages, which cover non-economic injuries such as
embarrassment, emotional distress, and injury to reputation; and potential punitive damages where
the employee demonstrates the employer had a highly culpable state of mind.
B.

Common Law Rights to Privacy

Under Colorado common law, there are two forms of the invasion of privacy claim that are
applicable in the employee surveillance context. 14 The first is the intrusion upon seclusion claim,
9

Ortega, 480 U.S. at 726.

Id.
11
Bivens v. Six Unknown Named Agents, 403 U.S. 388 (1971).
12
42 U.S.C. 1983.
13
Harlow v. Fitzgerald, 457 U.S. 800, 818 (1982).
14
Denver Publishing Co. v. Bueno, 54 P.3d 893 (Colo. 2002).
10

Page | 3

which is properly made when the employee can demonstrate that the employer intentionally
invaded the employee's privacy, that the invasion would be very offensive to a reasonable person,
and that the invasion caused the employee to suffer injuries or damages. 15 The determination of
whether the intrusion was very offensive to a reasonable person depends on a consideration of
all the evidence, including the degree of and circumstances surrounding the invasion, the reason
for and manner of the employers invasion, the context in which the invasion occurs, and the
employees expectations of privacy. 16 The intrusion on seclusion claim does not require anything
more than an employer unreasonably learning of the employees private affairs; it does not require
the employer to have intended to learn of the affairs.
The second potential invasion of privacy claim in the employee surveillance context is where the
employer publicly discloses private information it learns through the intrusion. To prove such a
claim, the employee must demonstrate private facts were disclosed by the employer to the
public, that such disclosure would be highly offensive to a reasonable person, that the facts
disclosed were not of legitimate public concern, and that the employer acted with reckless
disregard of the private nature of the fact or facts disclosed. 17 For the disclosure to be made to the
public, it must be made to the general public, or at least to a large number of persons; disclosure
to one individual or just a few is not enough. 18 Further, for the employer to have acted in
reckless disregard, the employee must show that the employer knew or should have known that
the fact or facts disclosed were private in nature. 19 There is no bright line as to what constitutes
the public or a large number of persons, other than case law indicating that 20 persons are
enough. 20 As a result, these are jury questions.
The key affirmative defense for employers in invasion of privacy claims is waiver/consent. To
prove the defense, the employer needs to show that the employee, by words or conduct or both,
led the employer to reasonably believe that the employee authorized or agreed to the employers
conduct in obtaining the otherwise private information, and that the employer acted in a manner
and for a purpose either to which the employee agreed/authorized, or to which the employer
reasonably believed the employee agreed/authorized. 21
As with any tort, employees can seek actual past and future economic losses as well as noneconomic losses, such as embarrassment, emotional distress, and injury to reputation. 22 If the
employee can demonstrate that the invasion of privacy was attended by circumstances of fraud,
15

CJI-Civ 28:1 (2013).

CJI-Civ 28:2 (2013).
17
Robert C. Ozer, P.C. v. Borquez, 940 P.2d 371 (Colo. 1997).
18
Id. at 379.
19
Id.
20
Id. at 378, citing Kinsey v. Macur, 107 Cal.App.3d 265, 165 Cal.Rptr. 608, 611 (1980).
21
CJI-Civ 28:13 (2013); RESTATEMENT (SECOND) OF TORTS 652F cmt. b (1977).
22
CJI-Civ 28:14 (2013); Doe v. High-Tech Institute, Inc., 972 P.2d 1060 (Colo.App. 1998), cert. denied (1999);
RESTATEMENT (SECOND) OF TORTS 652H (1977).
16

Page | 4

malice, or willful and wanton conduct, he or she can also seek punitive damages in an amount up
to the actual damages awarded by the jury. 23 These punitive damages can triple the actual damage
award if the employer continues the behavior or repeats the action which is the subject of the
employees claim in a willful and wanton manner, either against the employee or another person
or persons, during the pendency of the case; or if the employer acts in a willful and wanton manner
during the pendency of the action so as to further aggravate the employees damages, when the
employer knew or should have known such action would produce aggravation. 24
II.

SITUATIONS THAT RAISE PRIVACY CONCERNS FOR EMPLOYERS

A.

Employee surveillance

Employee surveillance comes in many forms, with the two primary forms being video surveillance
of the workplace and location tracking of employees, vehicles, and equipment. Due to the different
legal considerations involved, these two types of surveillance will be discussed separately.
1.

Video surveillance

According to the most recent American Management Association survey, about half of employers
surveyed stated that they monitored their employees using video surveillance of some sort. 25 The
reasons for video surveillance typically are to deter or discover theft, sabotage, or violence in the
workplace. In other cases, video monitoring has been used by employers to determine what their
employees actually do while on the clock, or to deter or combat allegations of harassment. Any of
these reasons should constitute a legitimate business need for the surveillance, and the video
surveillance should, thus, not run afoul of the Fourth Amendment or common law invasion of
privacy laws so long as the employer limits the surveillance to public areas where there is no
reasonable expectation of privacy.
However, prior to usingor even installingvideo cameras, employers need to understand the
application of the federal Wiretap Act, the Colorado anti-eavesdropping statute, and the National
Labor Relations Act (NLRA), as the failure to do so could lead to civil and criminal
consequences for employers and the individual actors performing the surveillance.
As amended by the Electronic Communications Privacy Act, the federal Wiretap Act protects the
privacy of wire, oral, and electronic communications and bars their interception or acquisition
through the use of any device. 26 Protected oral communications are those communications uttered
23

C.R.S. 13-21-102(1)(a).
C.R.S. 13-21-102(3)(a).
25
American Management Association, 2007 Electronic Monitoring and Surveillance Survey, available at
http://press.amanet.org/press-releases/177/2007-electronic-monitoring- surveillance-survey/.
26
18 U.S.C. 2510-2522.
24

Page | 5

by a person with the justifiable expectation that the communication is not subject to being
intercepted, 27 i.e., oral communications where there is a reasonable expectation of privacy.
Given the scope of the Wiretap Act, an employers use of cameras that record audio along with
video will expose it to civil and criminal liability if its employees do not know that their oral
communications are being recorded. This liability includes corporate and individual liability for
potential criminal penalties of up to five years in prison, substantial fines, or both. 28 Further,
employers and individual actors can be exposed to civil liability of $10,000 or more, even without
the employee proving that any actual damages were suffered. 29
Aside from federal law, Colorado has an anti-eavesdropping statute which prevents a person not
visibly present during a conversation from overhearing or recording (or attempting to overhear or
record) a conversation without the consent of at least one of the principal parties thereto. 30 Clearly,
an employers use of surreptitious audio recording devices would violate this statute. However,
the state statute provides much lesser criminal penalties than the federal Wiretap Actsix to 18
months in the county jail and/or a $500 to $5,000 fineand no civil private right of action. 31
Even if employees did know that their oral communications were being recorded, an employer
recording both audio and video could face liability for an NLRA violation. Under that Act,
employers are prohibited from visually monitoring known union activity, from giving the
impression of surveillance that would tend to chill union activities, and from photographing or
video recording employees engaged in protected concerted activity absent proper justification.
Importantly, the NLRA applies regardless of whether any of the employers employees are
unionized. However, the NLRA has little bite, as remedies for violations generally include only
cease and desist orders by the National Labor Relations Board, except in the situation where an
employee is terminated as a result of a violation; in that instance, the employee is entitled to back
pay and reinstatement. 32
In order to minimize the likelihood of liability, employers should take steps prior to the installation
and use of video cameras, including: (a) verifying that the surveillance cameras record only video;
(b) installing cameras only in areas where employees would not reasonably expect to be private
(e.g., common areas, rather than bathrooms); (c) ensuring that the cameras are visible to employees
in order to minimize the potential for a claim of some residual expectation of privacy in public
27

18 U.S.C. 2510(1).
18 U.S.C. 2511(4).
29
18 U.S.C. 2520(c)(2)(B) (which provides civil damages of the greater of: (1) the sum of the employees actual
damages and any profits made by the employer as a result of the violation; or (2) statutory damages of $100 a day
for each day of violation or $10,000, whichever is greater. In addition, the employee is entitled to reasonable
attorneys fees and costs, which can dwarf actual damages in many cases, and potential punitive damages).
30
C.R.S. 18-9-304.
31
Id.
32
29 U.S.C. 160(c).
28

Page | 6

areas; (d) creating a policy, and placing it in the employee handbook, providing that the facility is
monitored by video surveillance and that the employee acknowledges the presence of the cameras
and the use of those cameras by employer; and (e) considering posting signs that surveillance
cameras are used on premises to further weaken any privacy claims. Unionized employers also
need to obtain union agreement on the use and placement of cameras, as the failure to do so is a
violation of the NLRA. 33
2.

Location tracking

More and more employers are turning to Global Positioning System (GPS) technology to track
the locations of their employees. Aside from dedicated GPS units, many electronic devices have
mated integrated GPS transceivers with mapping software and/or cellular phone service, such as
the Find My iPhone app and Google Maps Coordinate. These hardware/software integrations allow
employers to track device locations in realtime, in some cases even when the devices are inside
buildings. Clearly, there are significant benefits to employee tracking in certain industries, like
improving efficiency (e.g., with dispatching workers in the field, reducing overtime, and possibly
reducing insurance rates by tracking mileage and speeds), improving safety, and investigating
employee misconduct.
The big question, as always, centers on when location tracking is legal. A key case interpreting
GPS tracking is United States v. Jones, which involved FBI placement of GPS device on a
suspects car and the subsequent tracking of the vehicles movement 24 hours a day, seven days a
week, for four weeks. 34 At the outset, the Court found that the installation of the GPS constituted
a search of property that impacted the suspects Fourth Amendment rights, given that the
installation was an intrusion into the suspects property. 35 The bigger question was whether the
suspect had a reasonable expectation of privacy in his travels in the vehicle, given that driving a
vehicle nearly always takes place in public. This question was addressed at the appellate level in
United States v. Maynard, where the D.C. Circuit drew a distinction between pervasive and nonpervasive tracking in comparing the omnipresent GPS device to potentially less present visual
tracking. 36 In essence, it was the comprehensive log of the patterns of daily life provided by GPS
tracking that make it an intrusion on seclusion, even though the various trips in the vehicle were
visible to the public. 37 Notably, a reading of the Jones case demonstrates the dearth of case law
regarding the privacy impact of GPS tracking as late as 2012, and the author is aware of no cases
involving location monitoring of employees in the United States.

33

Anheuser-Busch, Inc., 342 NLRB 560, 560 (2004).

132 S.Ct. 945 (2012).
35
Id. at 949. Additionally, the Court found that the FBIs placement of the GPS device without the suspects consent
constituted criminal trespass. Id. at 949-950.
36
615 F.3d 544, 563 (D.C. Cir. 2010).
37
Jones, 132 S.Ct. at 955.
34

Page | 7

The takeaway from the Jones case, and similar criminal cases, when combined with an
understanding of the Fourth Amendment and common law privacy rights, is that an employer
should take precautions prior to using location tracking of its employees. These precautions
include: (a) not using location tracking absent a legitimate and articulable business need; (b)
providing advance written notice to employees prior to the use of any tracking devices that the
devices locations will be tracked; (c) obtaining written employee acknowledgement (in advance)
that he or she understands the locations of the vehicles or devices in question will be tracked, and
that he or she consents to the tracking; (d) that the employer track device movements only during
times when the employee is on the clock for work; and (e) limiting dissemination of the tracking
data to a need-to-know basis. Lastly, at no time should an employer place a tracking device on an
employees personal vehicle without the employees consent, as such an action would likely
constitute second degree criminal trespass under a Jones type of rationale, which would subject
the individual actor to up to six months in the county jail and/or a $50 to $750 fine. 38
B.
Physical property searches: desks, smartphones, lockers, vehicles,
equipment, briefcases, etc.
As discussed in Section I above, employees may have a reasonable expectation of privacy at work,
depending on the circumstances. Employee personal information stored in physical form (papers,
photographs, cards, etc.) at the employers place of business will be afforded protection under the
Fourth Amendment and/or common law privacy laws if it is stored in a location and in such a way
as to support both a subjectively and an objectively reasonable expectation of privacy. For
example, storage of personal information in physical form in a locked desk drawer where only the
employee has access should result in privacy protection. Similarly, if the circumstances and history
show that an unlocked drawer in an employees desk is considered off-limits by the employer,
the contents of that drawer could also enjoy privacy protection.
Absent obtaining express authorization for access and keeping within the scope of the
authorization, an employers search of either drawer in the above examples would likely satisfy
privacy concerns if it was undertaken for legitimate business purposessuch as the recovery of
an important business document when the employee was unavailable to retrieve itand if it was
done in a reasonable manner given the reason for the searchsuch as searching only the drawer
where the document was likely to reside, and ending the search when it was found.
Employee storage of personal items in employee-owned physical property left at the workplace is
treated no differently, though in most cases, employers should assume the employee has a
reasonable expectation of privacy as to items stored within purses, briefcases, envelopes, or other
closed containers. The bigger privacy question, though, relates to whether there would be a

38

C.R.S. 18-4-503.

Page | 8

legitimate business need to access the employees personal property. Depending on the
circumstances (or if there is authorization), access may be appropriate and legal.
Employee personal items stored out of sight in personal vehicles parked on employee property
would be even more likely to enjoy privacy protection, given that access without permission would
constitute second degree criminal trespass in addition to a potential invasion of privacy. 39
All of the discussion and examples in this section have been limited to accessing physical
information or items at the workplace. A hybrid issue arises when the employer is attempting to
access a physical device that holds electronic information, such as a smartphone, a tablet, a
computer, or similar device. The rules for seeking and obtaining the physical device itself are set
out above; the rules governing accessing the electronic information on the device are discussed in
Section II(C), below.
Best practices for employers intending to physically access any property in which the contents are
likely to enjoy privacy protections are to: (a) verify there is an articulable and legitimate business
need for the search; (b) if possible or practicable, obtain written authorization from the employee
prior to the search that notes the anticipated scope (e.g., send an email asking for permission to go
into a locked office to obtain a file); and (c) limit the search to the scope of the consent or the
legitimate business need that gave rise to the search.
Another, though perhaps more draconian, approach would be to prepare and disseminate a written
policy that clearly states that employees have no expectation of privacy to any items stored at the
workplace, that the employer has access to all items stored at the workplace, that the employee is
prohibited from denying the employer access to items stored at the workplace, and that any
changed or additional locks on offices, desks, lockers, cabinets, drawers, etc., may be removed by
the employer to obtain access. In the acknowledgment of the policy, the employees should
authorize and consent to the employers search of offices, desks, lockers, cabinets, drawers, etc.,
whether or not they are locked in any manner.
Regardless of the policies in place, or authorizations obtained from employees, employers must
remember to limit searches to the scope of the employees authorization. The failure to do so can
be costly, as at least one court awarded an employee $1.65 million when Wal-Mart searched the
employees home in excess of the consent given. 40

39
40

Id.
Wal-Mart Stores, Inc. v. Lee, 74 S.W.3d 634, 646-48 (Ark. 2002).

Page | 9

C.

Monitoring employee communications: calls, email, and internet use

Electronic monitoring of employee communications is very common, and well-accepted by

management. According to the most recent American Management Association survey, 66% of
employers monitored websites visited by employees, and 43% or more of employers monitored
employee telephone calls, email, and/or keystrokes entered. 41 Often, this monitoring reveals
inappropriate, unethical, or illegal employee conduct. According to the survey, 28% of employers
have fired employees for email misuse, and 30% have fired employees for internet misuse.
Given the growing use of electronically-stored information as key evidence in lawsuitswhich
some consider the electronic equivalent of DNA evidenceit is easy to understand why businesses
have a desire to monitor employee communications. Further, cases like Faragher and Ellerth
provide an employer defenses to suits where it has reasonable procedures in place to prevent
harassment and discrimination. 42 Cases have also shown that businesses can be held liable for their
employees illegal activities, depending on the circumstances. 43 Thus, while the general rule is that
there is no duty for an employer to monitor its employees absent being on notice of some problem
or issue, a more prudent course may be to monitor employees as a risk management tool.
Like any tool, monitoring has its costs. First, there is the direct cost of monitoring, including the
expenses for software and the diversion of IT personnel from other areas. Second, there is the cost
of learning information the employer would rather not know, possibly losing the Faragher/Ellerth
defense if certain information is not timely acted upon, and the potential for stockpiling bad
evidence. Third is the cost of liability for invasion of privacy or violation of wiretap type laws if
the employer is not careful.
As already discussed, privacy laws prohibit employers from obtaining that which an employee has
a reasonable expectation of privacy, absent a legitimate business need and in an appropriate search.
Examples of potentially private information include the content of personal telephone calls where
such calls are not prohibited, the content of personal emails where such emails are not prohibited,
and the content of personal mail or possessions kept in office. The key question in these cases is
whether the employees claimed expectation of privacy was reasonable.
One case that sheds light on the interpretation of the application of privacy laws to electronic
information is R.S. v. Minnewaska Area School District, as it dealt with accessing text messages

41
American Management Association, 2007 Electronic Monitoring and Surveillance Survey, available at
http://press.amanet.org/press-releases/177/2007-electronic-monitoring- surveillance-survey/.
42
Faragher v. City of Boca Raton, 524 U.S. 775 (1998); Burlington Ind. V. Ellerth, 524 U.S. 742 (1998).
43
Doe v. XYC Corp., 887 A.2d 1156 (N.J. Super. A.D. 2005) (where employer was on notice that employee was
viewing child pornography on his workplace computer, employer breached its duty to exercise reasonable care to
report and/or take effective action to stop employee's illegal activities).

Page | 10

stored on smartphones and Facebook chat messages. 44 In Minnewaska, a student sued her school
for an unreasonable search of her smartphone in violation of the Fourth Amendment. Given the
similarity of chat messages to texts, in that they are visible only to the recipient and not to the
public, the court treated them similarly. The court balanced the need for and scope of the search
with the students right to privacy, and determined that there was a triable issue for a Fourth
Amendment violation given the fact that the school had already obtained the information it sought
prior to engaging in the search.
In addition to Fourth Amendment and common law privacy protections, employers need to be
aware that several statutes impact the ability of employers to seek and obtain electronic information
from employees.
1.

Electronic Communications Protection Act

The Electronic Communications Privacy Act (ECPA) makes it illegal for an employer to
intercept or access an employees stored messages or data. 45 Intercept has been given a narrow
definition, with Courts stating that it means the acquisition of a communication contemporaneous
with its transmission. 46 Thus, the ECPAs coverage is limited to communications that are in the
process of being transmitted from sender to receiverlike telephone calls, instant messages, and
emails. Though stored communications are not covered by the ECPA, they are covered by the
Stored Communications Act, discussed below.
As with most laws, there are exceptions to the ECPA. The first exception allows access where one
party to the communication consents to monitoring, either impliedly or expressly. Consent can be
obtained by providing prior notice to employees of how, when, and why communications will be
monitored; notifying employees that the use of communications technology after being provided
this notice constitutes implied consent to monitoring; and having the employees sign an
acknowledgment that specifically states that the employee consents to such monitoring. The
second exception allows monitoring where it is necessarily incident to the rendition of the
electronic service or to the protection of the service providers property. This second exception
allows employers to monitor communications to ensure quality of employee performance, to
discover theft, to protect proprietary information from disclosure, or to prevent the development
of a hostile work environment through employee misuse of employers systems.
Employers need to make sure they fall within an exception to the ECPA prior to monitoring, as
the penalty for a violation includes up to a $50,000 fine, five years imprisonment, and forfeiture
of the equipment used for monitoring. Individual actors also face liability.
44

894 F.Supp.2d 1128 (D.Minn. 2012).

18 U.S.C. 2510.
46
See, e.g., Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113-14 (3rd Cir. 2005) (following the Fifth, Ninth,
and Eleventh Circuits).
45

Page | 11

2.

Stored Communications Act

Another source of employer liability is the Stored Communications Act (SCA). The SCA prohibits
the unauthorized (or in excess of authorization) obtaining, altering, or preventing authorized access
to an electronic communication while it is in storage at a facility through which an electronic
communication service is provided. 47 The SCA does not protect messages in storage on the
employers server or computers, as the employer is not considered a facility through which the
communication service is being provided. Rather, the SCA applies to electronic messages stored
on third party servers, as with web-based email or internet service providers (ISPs) like Yahoo!,
Gmail, and Microsoft. Further, under the USA Patriot Act, voicemails are considered stored
electronic communications rather than communications that are in the process of being
transmitted; thus, the SCA applies to them rather than the ECPA. Importantly, the SCA doesnt
protect electronic messages that are available to the general public, regardless of where they are
stored.
The seminal case interpreting the SCA is Quon v. Arch Wireless Operating Co., which illustrates
the need for employers to have appropriate monitoring policies in place. 48 The employer in Quon
had a written policy that disclaimed any expectation of privacy the employees could have in email
communications and internet use on the employers computers/network. This policy did not
address the privacy of text messages sent or received on employer-provided pagers. Instead, the
employer informally notified its employees that texts would be treated like emails and would be
covered under the email/internet policy, but that the text messages themselves would not be
reviewed if employees paid for any excess usage fees. When the employer later accessed text
message transcripts from the third party provider of the messaging service and reviewed them, the
employer was deemed to have invaded the employees privacy and violated the SCA. On this
privacy issue, the court found it important that the employee had a reasonable expectation of
privacy as to his messages content based on the employers informal policy. Because Quon
involved a public employer, the court also made a Fourth Amendment analysis finding both a
reasonable expectation of privacy and a possible unreasonable search.
The status of texts under the SCA is not clear, however, as the court in Garcia v. City of Laredo
found that because texts were stored in phones rather than in a separate facility such as an ISP,
they were not covered by the SCA. 49 In essence, the court found the texts to be analogous to emails
stored on a computer. Other data stored on the phone, like photos, videos, and the like, were treated
the same way.

47

18 U.S.C. 2701(a).
529 F.3d 892 (9th Cir. 2008).
49
2012 U.S. App. LEXIS 25370 (5th Cir. Dec. 12, 2012).
48

Page | 12

Another recent SCA case is Snyder v. Fantasy Interactive. 50 In that case, an employer accessed
Skype logs on employees personalnot workcomputers that included communications outside
of work hours. In a Memorandum and Order denying a motion to dismiss the employees SCA
claims, the court held that an employer could violate the SCA despite having a written electronic
communications monitoring policy, as the circumstances may demonstrate a search in excess of
the policy. In contrast to Garcia, the Skype logs that were accessed through the computer in Snyder
were stored with Skype, which would be a third-party storage facility under the SCA.
As with many statutes, an employers violation of the SCA can be costly. The SCA provides for
penalties of up to two years imprisonment and fines, even for first offenses. Civil liability for a
violation of the SCA can result in the employee recovering his or her actual damages and any
profits made by the employer as a result of the violation (but no less than $1,000), plus reasonable
attorneys fees and costs. Intentional or willful violations of the SCA also expose the employer to
punitive damages. Importantly, the SCA provides for individual as well as corporate liability.
3.

State Wiretap Laws

When telephone calls or other instant communications are being monitored, employers need to be
aware of the coverage of state wiretap laws, as they can be broader than the federal Wiretap Act
and expose employers and their agents to potential criminal and civil liability.
For example, while Colorados anti-wiretapping law allows monitoring or recording of realtime
communications where at least one party to the call has consented, 51 other states have wiretap laws
that permit monitoring only where both parties to the communication consent. 52 Thus, monitoring
a call legally in Colorado could lead to a violation of another states laws.
Setting aside the penalties for other states wiretapping laws, a violation of Colorados antiwiretapping law is a felony, which carries a penalty of one year to 18 months in prison and/or a
$1,000 to $100,000 fine for both employers and the individual actors. Given this penalty, it is
critical for the employer to analyze each monitoring situation to determine the legality of the
monitoring prior to considering any such monitoring program.
For Colorado employers, the easiest way to minimize potential liability under the applicable
statutes and common law tort principles is to put in place an appropriate monitoring policy where
employee notice and acknowledgment of the policy is properly documented. Employers should
use policies that are narrowly tailored to specifics of their businesses and their particular needs. A
50

11 Civ. 3593 (S.D.N.Y. Feb. 19, 2012).

C.R.S. 18-9-303.
52
California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New
Hampshire, Pennsylvania, and Washington have wiretap statutes that require both/all parties to the communication
consent to monitoring.
51

Page | 13

comprehensive monitoring policy should generally: (1) notify who will be monitored; (2) identify
what technologies will be monitored (computers, PDAs, smart phones, etc.); (3) identify what
means of communication on those technologies will be monitored (IM, blogs, computer files,
voicemail, telephone calls, password protected web-based email accounts, etc.); (4) identify when
monitoring will occur; (5) indicate how monitoring will be accomplished, and the fact that local
law enforcement may be contacted without prior notice to the employee if illegal activity is
discovered; (6) identify the legitimate purposes for which the telephone and electronic systems can
be used; (7) identify the disciplinary action for employee violations and misuse; (8) notify the
employee that he or she has no expectation of privacy when using the employers telephones or
electronic devices; (9) notify the employee that the purpose of monitoring is to ensure the
employers electronic communications policy is being followed and that the employers property
is being used only for legitimate business purposes, or permitted non-business uses; (10) list
examples of what is considered unauthorized personal use; (11) remind the employee that
computers, files, software, and internet access are company property; (12) expressly prohibit
content that is disruptive or offensive, including but not limited to information that is sexually
explicit, racially charged, discriminatory, or otherwise in violation of company policies; (13)
clearly instruct employees not to visit pornographic or offensive websites; and (14) provide notice
that the employees use of passwords, encryption, or other means to shield content from employer
monitoring are impermissible, ineffective, and will not create an expectation of privacy.
To reinforce the fact of employee consent, it can be useful to have a system prompt at login that
all use of the device is subject to monitoring and that the employees use of the device further
implies consent.
D.

Psychological and personality testing

The Americans with Disabilities Act (ADA) prohibits employers from requiring applicants or
current employees to submit to medical examinations and disability-related inquiries, except under
certain limited circumstances. 53 Employment testing for psychological and personality traits may
trigger ADA coverage, depending on the type of test used and what it is meant to determine. For
example, in Karraker v. Rent-A-Center, the Seventh Circuit determined that the Minnesota
Multiphasic Personality Inventory was a medical examination under the ADA because it could be
used to diagnose psychiatric disorders in addition to determining personality traits. 54 Thus, even
though the employer used the exam only to look for personality traits, the use of the test prior to
making a hiring decision violated the ADA because it was considered a pre-employment medical
examination. Even in the post-offer stage, the ADA provides the limitation that an employer may

53
54

See, e.g., 42 U.S.C. 12112(d); 29 C.F.R. 1631.13 and 1631.14.

411 F.3d 831 (7th Cir. 2005).

Page | 14

not require its employees to submit to medical examinations unless they are job-related and
consistent with business necessity. 55
Aside from the ADAs application to tests with medical diagnostic implications, there is no other
federal or Colorado law specific to psychological tests. Given that some tests seek information
regarding religious, sexual, political, and social beliefs, some consideration should be given to the
potential privacy interests at stake, along with Fourth Amendment and common law protections.
In situations where the employer has a compelling need for the information, such as in high risk
occupations, the balance may be struck in favor of testing. 56
E.

Drug and alcohol testing

Drug testing of public employees constitutes a search under the Fourth and Fourteenth
Amendments. 57 When public employers require their employees to submit to drug testing, the
testing must be reasonable. 58 Because of constitutional protections, testing is allowed only if there
is individualized suspicion of wrongdoing, 59 or if the public employer demonstrates a special
need. 60 The inquiry into whether there is a special need turns on whether the governmental need
is real and adopted in response to documented drug use problems, or whether drug abuse among
the employees to be tested would pose a serious danger to the public. 61
Once the initial special need hurdle is cleared, the intrusion on the individuals privacy interests
must be balanced against the promotion of legitimate governmental interests. 62 One side of the
balancing test requires an examination of the nature of the privacy interest and the character of the
intrusion. 63 On the other side, the courts look to the nature and immediacy of the governmental
concern at issue, and the efficacy of the test meeting the goals of detection and deterrence. 64 To
successfully pass the balancing test, the public employers drug testing scheme must be welldesigned to detect drug use among current or potential employees and be likely to deter illicit drug
use by those individuals. 65 Thus, public employee drug testing should typically be performed
where the timing of the test cannot be predicted in advance, such as on promotion or immediately

55

42 U.S.C. 12112(d)(4).
See, e.g., McKenna v. Fargo, 451 F.Supp. 1355 (D. N.J. 1978), affd 601 F.3d 575 (3rd Cir. 1979) (where the
Court determined that psychological testing of firefighters concerning religious, social, and other private beliefs was
appropriate given the compelling interest of the municipality in determining their emotional makeup).
57
\Chandler v. Miller, 520 U.S. 305, 313 (1997).
58
See Benavidez v. City of Albuquerque, 101 F.3d 620, 623-24 (10th Cir. 1996).
59
Id. at 624.
60
Chandler, 520 U.S. at 313; see also Skinner v. Railway Labor Executives' Assoc., 489 U.S. 602 (1989); National
Treasury Employees Union v. Von Raab, 489 U.S. 656 (1989).
61
Chandler, 520 U.S. at 315-16.
62
See, e.g., Vernonia Sch. Dist. 47J v. Acton, 515 U.S. 646, 652-53 (1995).
63
See Acton, 515 U.S. at 654, 58.
64
Acton, 515 U.S. at 660.
65
Chandler, 520 U.S. at 315.
56

Page | 15

after some other triggering event like an accident. 66 Additionally, public employers should
consider the timing interval between drug tests, as infrequent testing may not support a claim that
the testing detects and deters drug use. 67
Private sector employers do not generally need to deal with the Fourth and Fourteenth Amendment
issues discussed above. 68 For private sector employers, the primary concerns are to verify
compliance with any applicable state drug testing laws, and to tailor the testing to be reasonable
and not seek information outside the legitimate purposes of the test so as to not run afoul of
common law privacy interests.
In Colorado, there is no specific statute on drug testing, and, thus, the focus for Colorado employers
is to ensure that testing is not offensive to the employee and that the tests do not reveal too much.
For example, drug testing through urinalysis where employees are allowed some measure of
privacy, but are monitored by a same-sex individual, is reasonable. However, the test must not
obtain private medical facts in addition to illicit drug use; e.g., where a urinalysis also picks up
EPF or hCG, which are markers for pregnancy, the test would be prohibited as it goes too far.
In both the public and private-sector employment contexts, employers should restrict disclosure of
the results of the drug testing to only those individuals who have a need to know. Under EEOC
regulations and interpretive guidance, drug test results are likely to be considered inquiries into
the ability of an employee to perform job related functions which are entitled to confidentiality. 69
As far as best practices, every employer that plans to use drug testing should first have in place a
substance abuse policy that is disseminated to all employees. The policy should delineate the
employers expectations and make it clear that illegal drug use, both on and off the job, will not
be tolerated and may subject the offending employee to termination or other discipline.
Additionally, it is prudent to have every employee who will be drug tested sign a release of
information so that the drug test results may be disclosed to the appropriate person or persons
within the business. Finally, employers should be counseled to never force employees or applicants
to take drug tests. Instead, the drug testing or other policies can make it clear that failure to submit
to the test is grounds for termination.

66

Von Raab, 489 U.S. at 660; Skinner, 489 U.S. at 628.

19 Solid Waste Dept. Mechanics v. City of Albuquerque, 156 F.3d 1068, 1076 (10th Cir. 1998) (holding that
testing once every four years was not frequent enough).
68
The one exception is where private employers operate in federally regulated industries. In those cases, both state
and federal law may apply.
69
42 U.S.C. 1211(d), 12112(d)(4)(B), 12112(d)(4)(C).
67

Page | 16