Many SMEs (small and medium-sized businesses) are unaware of the Federal Electronic Communications Privacy Act (“ECPA”). ECPA addresses the interception and monitoring of electronic communications: telephone conversations, voicemail, email, instant messaging chats, and other online interactions fall within the scope of ECPA. Violations of the ECPA are punishable by fines or imprisonment of up to five years; anyone harmed by an ECPA violation can seek equitable relief covering damages and attorneys’ fees of up to $10,000. Since many SMBs monitor and intercept their employees’ electronic communications, understanding the ECPA business use exceptions can reduce the risk of legal exposure to ECPA claims brought by employees.
ECPA extends federal protection over employee communication in the workplace, but this protection is limited. Presumably, employers would want to monitor electronic communications to ensure quality control and protect intellectual property, investigate incidents of wrongdoing, etc., and the ECPA provides “business use exceptions” to allow the employer to do these things.
Several rules apply to the interception of transmissions and employee monitoring in the workplace:
Consent of a party. Interception and monitoring are allowed if the sender or recipient gives their consent before it occurs.
Ordinary course. The business use exceptions under the ECPA require that the interception or monitoring take place within the regular course of the employer’s business and that the subject be one in which the employer has a vested interest. Employers should be aware that if a voice conversation becomes personal, the employer may lose its exemption because it is no longer authorized to monitor such conversations.
Equipment restriction. Employers can monitor and use only equipment that they own and that is used in the normal course of the employer’s business.
Email. Employers have the right to monitor and access employee email communications stored on their assets (client workstations and servers). This is complicated because employers do not have the right to monitor or access email hosted by a third party (such as AOL or MSN), even though such communication can traverse the company network.
Suggestions for SMEs to remain compliant with ECPA revolve around creating good administrative controls (policies) to govern employee expectations. For example:
1. Employees must be offered some form of notification, whether through a statement, a written policy signed at the time of employment, or a recording over the phone system.
2. Employers must present a policy to prohibit personal use of communication assets (telephones, cell phones, computers, private email and instant messaging systems) that would establish acceptable use practices to restrict employee use of communications to strictly commercial use.
3. An acceptable use policy that prohibits the use of personal communications and storage equipment (MP3 players, digital cameras or recorders, cell phones, USB sticks) to conduct company business.
ECPA compliance in SMBs is more relevant today than ever: employee personal devices, software and protected communications constantly interact with company assets, wirelessly and effortlessly. The combination of communications and protected devices can expose a company’s assets to damage and restrict the legal forms of corrective action that can be taken to protect them.
ECPA compliance is generally policy driven: as long as the employer puts in place good administrative policies that define expectations in advance, and understands what is and is not allowed under the ECPA business use exceptions, compliance is pretty straightforward. It begins with management’s intent to create a good acceptable use policy.