Many SMB (small to mid-range businesses) are not aware of the Federal Electronic Communications Privacy Act (“ECPA”). ECPA addresses the interception and monitoring of electronic communications: telephone conversations, voice mail, email, instant messaging chats, and other online interactions fall into ECPA's perview. Violations of ECPA are punishable by fines or imprisonment for up to five years; any persons harmed by an ECPA violation are permitted to file for equitable relief covering damages and attorney fees of up to $10,000. Since many SMB's monitor and intercept the electronic communications of their employees, understanding ECPA business use exceptions can reduce the risk of legal exposure to ECPA claims filed by employees.
ECPA extends federal protection over employee communication in the workplace but this protection is limited. Presumably, employers would want to monitor electronic communications to guarantee quality control and to protect intellectual property, investigate incidents of wrong-doing, and so on, and ECPA provides “business use exceptions” to allow the employer to do these things.
A couple of rules as it relates to intercepting transmissions and monitoring employees in the workplace:
One-Party Consent. Interception and monitoring are allowed if either the sender or recipient consents before it occurs.
Ordinary Course. Business use exceptions under ECPA dictate that interception or monitoring be conducted within the regular course of employer's business and the subject matter be one in which the employer has a vested interest. Employers should be aware that, if a voice conversation turns personal, the employer may lose its exemption because it is no longer authorized to monitor such conversations.
Equipment Restriction. Employers can monitor and tap only the equipment that they own and which is used in the employer's regular course of business.
Email. Employers have the right to monitor and access email communications of employees stored on their assets (client workstations and servers). This is tricky because employers do not have the right to monitor or access email hosted by a 3rd party (like AOL or MSN), even though such communication might transverse the company's network.
Suggestions for the SMB to remain in ECPA compliance revolve around the creation of good Administrative Controls (policies) to govern employee expectations. Example:
1. Employees should be offered some form of notification is required either through a statement, a written policy signed at the time of employment, or a recording over the phone system.
2. Employers should present a policy to prohibit personal use of communications assets (phones, cell phones, computers, private email systems, and instant messaging) which would set acceptable use practices to restrict employee's use to strictly business communications.
3. An acceptable use policy that prohibits the use of personal communications and storage equipment – MP3 players, digital cameras or recorders, cell phones, thumb-drives – to conduct company business.
ECPA compliance in the SMB is more relevant today than it has ever been: personal employee devices, software, and protected communications are constantly interacting on company assets, wirelessly and effortlessly. The commingling of protected communications and devices can both expose a company's assets to harm and restrict what legal forms of corrective action to can take to protect them.
ECPA compliance is generally policy-driven: so long as the employer sets good Administrative Policies into motion that define expectations ahead of time, and, they understand what is and is not permissible under the business use exceptions of ECPA, then compliance is fairly straight forward. It begins with management's intent to create good acceptable use policy.