The Web of social media and compliance: The ECPA and online privacy

Compliance officers should be mindful of the ECPA when drafting social media usage policies that set expectations for online privacy.

Part 1 of this series addressed the expectations employees should have for online privacy using social media over a corporate network. Part 3 addresses what an online privacy policy could include and how it should be shared.

A recent court decision on an employee's right to online privacy using a company computer, Stengart v. Loving Care, cast some doubt on the legality of monitoring when it comes to privileged or personal communications. Specifically, "an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications."

Some state constitutions, most notably California's, provide some online privacy rights in the private sector, but generally in the U.S., statutes and principles of the "common law" serve to protect privacy in the commercial context.

Prohibitions against monitoring employee email or other communications have historically focused on interception of messages, not retrieval from electronic storage. As Yaron Dori, an attorney who specializes in telecommunications and privacy law at Covington & Burling LLP, said, when it comes to an employee's expectation of privacy, there's "very little, especially if the employer has notified the employee they will be monitoring him or her. Even less if the employee has acknowledged or consented to such monitoring."

Another statute has relevance to online privacy. The Electronic Communications Privacy Act (ECPA), passed in 1986 as an amendment to the Wiretap Act of 1968, applies to both government employees and private citizens. The ECPA protects communications in storage as well as in transit. It specifically prohibits a third party from intercepting or disclosing communications without authorization.

The ECPA and its subsequent amendments do not specifically limit any monitoring of social media messaging. As Aaron Massey wrote at The Privacy Place last December in a post on the ECPA and personal health records systems, there are "two main exceptions of the original Wiretap Act, both of which were retained by the ECPA.

"The first exception allows interception when one of the parties has given prior consent. … The second exception allows interceptions if they are done in the ordinary course of business. This could mean that your data would be accessible by third parties such as an information technology vendor that maintains the software."

Any compliance officer working through interpreting the ECPA as it applies to online privacy and social media compliance will encounter a reality best expressed by Paul Ohm, a former attorney for the Department of Justice. Ohm, now an associate professor of law at the University of Colorado Law School, wrote that the ECPA is more complicated than the U.S. tax code.

As attorney Evan Brown pointed out on his blog, Internet Cases, recent court rulings suggest that the scope of the Electronic Communications Privacy Act may not be so narrow. The ECPA only prohibits monitoring of electronic communications if it is done "without authorization" or in a manner that exceeds the authorization given.

"The case instructs us that this court is not willing to read the definition of electronic communication as narrowly as the court did in Ropp," Brown writes. "No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system -- and not crossing state lines -- may still affect interstate commerce."

Part 3 of this series addresses what an online privacy policy could include and how it should be shared.

Let us know what you think about the story; email: Alexander B. Howard, Associate Editor, @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
