The HR Specialist

E-Mail and Internet Usage: Legal Risks & Sample Policy


While e-mail and the Internet have revolutionized business, employees can use them for some very unproductive purposes. Employers have any number of legitimate reasons to monitor employees’ e-mail and Internet usage. Beyond personal productivity issues, you risk significant loss should an employee download a virus or other damaging software or engage in illegal activity conducted on company computers.

Many employees may think e-mails are confidential, but you should dispel that myth by clearly communicating your organization’s policy on e-mail/Internet use. Your policy should:

  • State the purpose of electronic mail. Explain clearly whether it is solely for business-related communication or if personal use is authorized.
  • Forbid the use of any derogatory language in e-mail transmissions, even if it’s meant as a joke.
  • Prohibit the use of e-mail for non-job-related solicitations or proselytizing.
  • Make it clear that employees can’t have a private password. Although passwords don’t have to be known by other workers, an exhaustive list of passwords must be available to management.
  • Inform employees that you reserve the right to inspect all e-mail records and correspondence without advance notice.

Federal courts have rejected employees’ claims of their right to privacy in e-mail messages. In one district court decision in Pennsylvania, an employee was discharged for transmitting inappropriate and unprofessional comments to his supervisor over his employer’s e-mail system. The plaintiff claimed that his discharge violated public policy because he had a right to privacy. In granting the defendant’s motion to dismiss, the court held that the plaintiff did not have a reasonable expectation of privacy in e-mail communications made over his employer’s system, despite the employer’s assurances that such communications would not be intercepted by management.

The court went on to state that even if the plaintiff had a reasonable expectation of privacy in the messages, an ordinary person would not find the employer’s interception of these messages to be a “substantial and highly offensive invasion of his privacy.” Moreover, the court ruled, the company’s interest in preventing inappropriate and unprofessional comments, as well as possible illegal activity, outweighs any privacy interest the employee may have in the messages. Smyth v. The Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996)

Caution: Employees must follow all state and federal laws directly or indirectly relating to e-mail and Internet use. For example, employees may not violate copyright laws or download pirated software. Furthermore, if you allowed pornography to exist in the workplace, you’d be a prime target for a sexual harassment lawsuit. Likewise, allowing employees to send abusive or harassing e-mail could land you in court.

Deleting e-mails: the legal impact

Courts are increasingly regarding e-mail as just another business document. Like many employers today, do you distribute important policy notices via e-mail? Can employees ask about leave or update their benefits information by e-mailing the human resources department?

If so, you must have a policy in place for retaining a copy of those e-mail communications. That’s because the EEOC requires you to keep such records for at least one year. It’s a good idea to print out your e-mails to and from employees and place a copy in their personnel files.

Before purging e-mail or other electronic information, read through it to determine if it has any legal significance. Although you may wish that some e-mails had never been sent, deleting them may not be much help and may be seen by a court later as intentional concealment or even destruction of evidence. It may be better to have a copy than to be presented with a copy during litigation.

From a practical point of view, you can never be sure that an e-mail you think was deleted from the system isn’t stored somewhere else. Did one of the senders or recipients forward it to others or to herself at another e-mail address?

Perhaps no case illustrates better the potential trouble e-mail can cause than the Enron debacle. Once the story of Enron’s collapse hit the media, it wasn’t long before e-mails between the company’s upper management and its accounting firm, Arthur Andersen, were made public. Conversations that before the era of e-mail company officials would have conducted via phone (and thus not recorded for posterity) were memorialized in a series of damning e-mails.

Recommendation: Although e-mail is convenient, some things are best left to the phone. What you haven't written down doesn't have to be deleted.

Beware liability in blogging, social networking 

New technology enhances workplace communication and collaboration, but employers whose company policies don’t keep pace could pay a heavy price.

Blogs (short for web logs), where employees may freely type messages to one another over the company’s server, have been touted as great team-building tools. Similarly, social networking sites, such as Twitter and Facebook, offer employees communication outlets that didn’t exist a few years ago. While these seemingly benign online chats may be seen as 21st century water-cooler talk, the fact that they appear on the Internet gives them many attributes of a published document.

Generally, courts have held that employers may regulate what occurs on their electronic devices. However, some recent decisions show courts are backing off this absolute protection for employers. In early 2009, a New Jersey appeals court ruled that an employee had the reasonable expectation that his employer would not read e-mails sent and received on his personal account even though they were sent from a company computer. Stengart v. Loving Care Agency, 973 A.2d 390 (2009)

A California court ruled that an employer could not access employee text messages without the employee’s permission if it paid an outside service to send the messages. City of Ontario v. Quon, 529 F. 3d 892 (2008). The employer appealed and the U.S. Supreme Court has agreed to hear the case.

So, how far can an employer go when monitoring employee communications? Social networking sites have privacy settings, allowing users to restrict access to parts of their sites. Employers that obtain passwords or access to private sections of social networking sites without the employee’s permission may be subject to invasion of privacy charges.

Employees as well should know how to protect private portions of their sites. For instance, an employee who reveals a disability on Facebook may not want a current or prospective employer to know that. Employers that stumble on such information probably should not act on it. Some plaintiffs’ attorneys argue that seeking personal disability information about a current or prospective employee on the Internet is the same as asking about a disability during an interview. The ADA bars such inquiries.

How should employers handle communication on their employees’ own time and equipment? While your options are limited, here are some guidelines:

  • Employees must never claim to represent the company in electronic communications unless they have express instructions to do so.
  • Employees should be reminded they are not authorized to release confidential information or trade secrets when using social media.
  • Employees should understand that even though they may discuss working conditions, criticisms of bosses and co-workers could be potentially libelous or harassing. Even in social networking, a “just the facts” approach works best as long as those facts aren’t company secrets.

Sample Policy: Employee Computer Usage

The following sample policy was excerpted from The Book of Company Policies, published by HR Specialist, © 2007. Edit for your organization's purposes.


“Employees have access to one or more forms of electronic media and services (computers, e-mail, telephones, voice-mail, fax machines, external electronic bulletin boards, wire services, on-line services, the Internet and the World Wide Web).

“The company encourages the use of these media and associated services because information technology is our business, because they make communication more efficient and effective, and because they are valuable sources of information, e.g., about vendors, customers, new products and services. However, electronic media and services provided by the company are company property, and their purpose is to facilitate company business.

“With the rapidly changing nature of electronic media, this policy cannot lay down rules to cover every possible situation. Instead, it expresses the company’s philosophy and sets forth general principles to be applied to use of electronic media and services.

“The following procedures apply to all electronic media and services that are accessed on or from company premises, accessed using company computer equipment, or via company-paid access methods, and/or used in a manner which identifies the individual with the company.


USAGE. “Electronic media may not be used for knowingly transmitting, retrieving or storage of any communications of a discriminatory or harassing nature, or which are derogatory to any individual or group, or which are obscene or X-rated communications, or are of a defamatory or threatening nature, or for ‘chain letters,’ or for any other purpose which is illegal or against company policy or contrary to the company’s interest.

“Electronic media and services are primarily for company business use. Limited, occasional or incidental use of electronic media (sending or receiving) for personal, non-business purposes is understandable and acceptable—as is the case with personal phone calls. However, employees need to demonstrate a sense of responsibility and may not abuse the privilege.

MONITORING. “The company routinely monitors usage patterns for both voice and data communications (e.g., number called or site accessed; call length; times of day calls). Reasons include cost analysis/allocation and the management of our gateway to the Internet.

“The company also reserves the right, in its discretion, to review any employee’s electronic files and messages and usage to the extent necessary to ensure that electronic media and services are being used in compliance with the law and with this and other company policies.

“Employees should therefore not assume electronic communications are totally private and confidential and should transmit highly sensitive information in other ways.

SECURITY. “Employees must respect the confidentiality of other people’s electronic communications and may not attempt to read, ‘hack’ into other systems or other people’s logins, or ‘crack’ passwords, or breach computer or network security measures, or monitor electronic files or communications of other employees or third parties except by explicit direction of company management. No e-mail or other electronic communications may be sent which attempt to hide the identity of the sender, or represent the sender as someone else or from another company.

CONGESTION. “Electronic media and services should not be used in a manner that is likely to cause network congestion or significantly hamper the ability of other people to access and use the system.

COPYRIGHT. “Anyone obtaining electronic access to other companies’ or individuals’ materials must respect all copyrights and may not copy, retrieve, modify or forward copyrighted materials except as permitted by the copyright owner or a single copy for reference use only.

NETWORKS. “Any messages or information sent by an employee to one or more individuals via an electronic network (e.g., bulletin board, on-line service, or Internet) are statements identifiable and attributable to our company. While some users include personal ‘disclaimers’ in electronic messages, it should be noted that there would still be a connection with the company, and the statement might still be legally imputed to the company. All communications sent by employees via a network must comply with this and other company policies, and may not disclose any confidential or proprietary company information.

“Network services and World Wide Web sites can and do monitor access and usage and can identify at least which company—and often which specific individual—is accessing their services. Thus accessing a particular bulletin board or Website leaves company-identifiable electronic ‘tracks’ even if the employee merely reviews or downloads the material and does not post any message.

DISCIPLINE. “Any employee found to be abusing the privilege of company-facilitated access to electronic media or services will be subject to corrective action and/or risk having the privilege removed for him/herself and possibly other employees.”
