Church computers can be a great blessing. Just ask any church employee who was hired before the church purchased its first computer. But, as with many blessings, computers also can be a curse when used for inappropriate purposes. Consider the following examples.
• Example. A church board adopts a motion requiring the covert inspection of every church-owned computer to check for inappropriate use. Two board members come to the church one evening, when no staff members are present, and begin inspecting each computer. On the computer of one of the pastors they discover several bookmarks to pornographic websites.
• Example. A mother accuses a church’s youth pastor of an inappropriate relationship with her teenage daughter. When the youth pastor is out of the office, the senior pastor accesses his church-provided computer and inspects his email account. He discovers several amatory email exchanges between the youth pastor and the girl.
• Example. A pastor is accused of engaging in conduct in violation of the church’s teachings. The church board confiscates his office computer and sends it to a computer forensics firm for evaluation. The computer contains evidence that the pastor has visited several inappropriate websites.
Is the church exposed to liability in any of these cases? If so, on what grounds? What steps can the church take to reduce this risk? This article will address these, and other, questions in light of the recent case, State v. Young, 974 So.2d 601 (Fla. App. 2008).
Pastor Ted served as senior pastor of a church. The church provided him with a desktop computer and a private office. Although the computer was provided to him for use in connection with his pastoral duties, there was no official policy regarding the use of the computer or others’ access to it. Pastor Ted’s computer was not networked to any other computer, and it was kept in his private office. This office had a special lock that could not be opened with the church’s master key. Three keys to the office existed. Pastor Ted kept two of the keys, and the church administrator kept the third key, which she stored in a locked desk drawer in her office.
A previous pastor had requested the special lock for the office door due to concerns about after-hours intruders. The church administrator testified that she regularly opened the door to Pastor Ted’s office for the custodian and visiting pastors, who occasionally used the office to prepare sermons. However, the church administrator acknowledged that no one was permitted to enter the office without Pastor Ted’s permission. Pastor Ted testified to this fact himself and added that when he was absent from the office, even the church administrator’s access was limited to reasonable business purposes, such as delivering paperwork for him to sign. Pastor Ted further testified that the church administrator was not permitted to log on to his computer when he was not physically present.
One day the church administrator received a call from the church’s Internet service provider. A representative from that company informed the church administrator that spam had been linked to the church’s Internet protocol address. In response to this call, the church administrator ran a “spy-bot” program on the church’s computers. She testified that when she ran the program on Pastor Ted’s computer, she saw “some very questionable web site addresses.” The church administrator then contacted a member of the staff-parish committee and an information technology (IT) specialist to set up a time to have the computer examined.
“Over the past decade, there has been a technological revolution in the workplace as employers have increasingly turned to computer technology as the primary tool to communicate, conduct research, and store information. As the use of computer technology has increased, so has concern grown among employers that their computer resources may be abused by employees—either by accessing offensive material or jeopardizing the security of confidential information—and may provide an easy entry point into a company’s electronic systems by computer trespassers. As a result, companies have developed computer policies and implemented strategies to monitor their employees’ use of email, the Internet, and computer files. National surveys have reported that many companies are engaged in such practices. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions, including the Internet and e-mail. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so.” [From a Report by the General Accounting Office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
Later, the chairman of the staff-parish committee contacted an officer of a denominational agency (the “regional church”) with which the church was affiliated to inform him of the situation. The officer instructed the chairperson to contact law enforcement officials and allow them to see the computer. When police officers arrived at the church, the chairman of the staff-parish committee unlocked Pastor Ted’s office and signed “consent to search” forms for the office and computer. Pastor Ted arrived at the church during the morning when the police officers were there. The chairman of the staff-parish committee and the officers instructed Pastor Ted to leave the property immediately, and he complied.
The two police officers later testified that at the time of the search they understood the chairman of the staff-parish committee to be a “representative of the church” whose authority to consent was based on instructions from a supervisor at the church. Neither of these officers spoke with the chairman’s supervisor or asked him further questions about his authority before the search began. However, once in Pastor Ted’s office, one of the officers did speak with an officer of the regional church who approved of the inspection of the church’s computer.
Neither the chairman of the staff-parish committee, nor any officer or employee of the regional church, had ever used Pastor Ted’s computer, worked in Pastor Ted’s office, or kept property there. However, the regional church insisted that it had authority to consent to the search and to instruct Pastor Ted to stay away from the church under the denomination’s Book of Discipline, by which Pastor Ted had agreed to be bound when he was ordained. After searching the office and computer, the police officers went to another location to meet with Pastor Ted. One of the officers advised Pastor Ted of his Miranda rights. Pastor Ted indicated he was willing to talk. During the interview, the officers showed Pastor Ted a printout from his computer, which contained a list of Web sites he had bookmarked. Some of these were associated with child pornography.
During the interview, one of the officers asked, “You have no right to privacy on that computer?” Pastor Ted responded, “I suppose not. I hadn’t really thought about it.” The officer then stated, “It’s like me, my laptop in my truck, if my boss says hand it over, he can look at anything that’s on there because it’s not mine.” Pastor Ted replied, “I suppose technically you’re right.” He also made incriminating statements related to child pornography and signed a form giving the officers consent to search a “memory stick” found in his office. Pastor Ted testified that during the interview, he understood that the officers had been in his office.
Pastor Ted was charged with possession of child pornography. His attorney asked the court to suppress all of the contents of his office computer at his trial on the ground that the police officers did not have authorization to search his office without his consent.
The court concluded that the search and seizure was unlawful and that Pastor Ted’s statements were a product of the unlawful search and seizure. As a result, the trial court ruled that the items seized in the search and the statements taken in the interview could not be used as evidence at trial. The state appealed.
The Court’s Ruling
The court began its opinion by noting that to invoke the protection of the Fourth Amendment against unreasonable searches and seizures, a criminal defendant must demonstrate “a legitimate expectation of privacy in the area searched or the item seized.” The likelihood that a person has an objectively reasonable expectation of privacy in an office setting “is increased where the area or item searched is reserved for [the defendant’s] exclusive personal use. Other factors that have been considered in determining the legitimacy of an expectation of privacy in an item seized from an office include the employee’s relationship to the item, whether the item was in the employee’s immediate control when it was seized, and whether the employee took actions to maintain a sense of privacy in the item. Many times, an employee may have a legitimate expectation of privacy in his or her personal office and in personal items stored in a desk or file cabinet.”
The court then addressed workplace computers:
Evaluation of an expectation of privacy in a workplace computer involves unique considerations, but as with any other item in the workplace, the evaluation should focus on the operational realities of the workplace. When a computer is involved, relevant factors include whether the office has a policy regarding the employer’s ability to inspect the computer, whether the computer is networked to other computers, and whether the employer (or a department within the agency) regularly monitors computer use.
For example, in United States v. Angevine, 281 F.3d 1130 (10th Cir.2002), the court held that a university professor had no legitimate expectation of privacy in his office computer, partly because the university had an extensive policy regarding computer use and provided explicit warnings that the computer would be inspected by university officials. Similarly, in Muick v. Glenayre Electronics, 280 F.3d 741, 742 (7th Cir.2002), the court observed that an employee had “no right of privacy” in the laptop computer his employer had “lent him for use in the workplace” because the employer had announced that it could inspect the laptop.
We agree with these courts that where an employer has a clear policy allowing others to monitor a workplace computer, an employee who uses the computer has no reasonable expectation of privacy in it. In the absence of such a policy, the legitimacy of an expectation of privacy depends on the other circumstances of the workplace. If these circumstances indicate that the employee has a legitimate expectation of privacy in the place searched or items seized, and the employee has invoked the protection of the Fourth Amendment, the state must prove that the search and seizure was reasonable in order to use the evidence secured in the search and seizure at trial. A search and seizure is reasonable if it is conducted pursuant to a valid warrant or with valid consent. Law enforcement officers may obtain valid consent from the individual whose property is searched, someone who has common authority over the premises, or someone who reasonably appears to have common authority over the premises.
“Common authority” is derived from “mutual use of the property by persons generally having joint access or control for most purposes.” The legal justification behind the doctrine of common authority is that when two people have mutual use of property, each assumes the risk that the other will permit the area to be searched. Even when a third party has the right to enter the property and inspect it for his or her own purposes, that person does not have constitutional authority to invite law enforcement officers to search the property unless he or she has common authority over the property.
In some situations, a person who purports to consent to a search may not have actual authority to do so. Law enforcement officers may rely on that person’s apparent authority to give consent, but only if such reliance is reasonable …. If the basis for the asserted authority is unclear, the officer must conduct further inquiry before relying on the third party’s representations.
The court concluded that Pastor Ted had a legitimate expectation of privacy in his office and his workplace computer, and as a result law enforcement “could not properly access the contents of the office or the computer without obtaining a search warrant or valid consent. Because the officers did not have valid consent, the trial court properly suppressed the evidence obtained from the search.”
The court mentioned the following facts that gave rise to the reasonable expectation of privacy in this case:
- Pastor Ted kept his office locked when he was away, thus taking specific measures to ensure his privacy in the office.
- When others used the office, the use was for limited purposes. The testimony at the suppression hearing indicated that Pastor Ted expected no one to peruse his personal belongings in the office or on the computer.
- The church endowed Pastor Ted with an expectation of privacy “far beyond that which an average employee enjoys.” Not only did the church install a special lock on the door, but it supplied only three keys to the door, two of which were in Pastor Ted’s sole possession. Additionally, Pastor Ted had a recognized practice of allowing visitors into his office only with his permission or for limited purposes related to church business. Although Pastor Ted’s expectation of privacy “would be more compelling if he had never allowed another person to use the office, such a condition would be unrealistic in any office setting. Pastor Ted was required to have an objectively reasonable expectation of privacy, not a compelling expectation. It is difficult to imagine circumstances within a realistic business setting which would give rise to a more legitimate expectation of privacy.”
- Although the church owned the computer, Pastor Ted was the sole regular user. Although the church administrator performed maintenance on the computer, there was no evidence that she or anyone other than Pastor Ted stored personal files on the computer or used it for any purpose other than maintenance.
- “The church in [this] case had no written policy or disclaimer regarding the use of the computer …. Specifically, there was no policy informing Pastor Ted that others at the church could enter his office and view the contents of his computer. The fact that Pastor Ted’s computer was not networked to any other computers further heightens the reasonableness of his expectation of privacy in its files. The only way to access the computer to view its contents was to enter through the locked office door. It is clear under these circumstances that the church trusted Pastor Ted to use the computer appropriately and that it gave no indication that the computer would be searched by anyone at the church. The fact that Pastor Ted violated this trust does not detract from a proper analysis of whether he had a legitimate reason to expect that others would not enter his office and inspect the computer.”
The state claimed that the denomination’s Book of Discipline provided the officers of the regional church with general authority to oversee pastors and churches and that this authority included the right to enter pastors’ offices and inspect their computers. The court disagreed:
While we do not doubt that the [regional church officers] had such authority, we observe that this general authority to supervise a pastor is distinguishable from an explicit policy indicating that a computer will be inspected periodically. Thus, based on the other facts of this case, Pastor Ted’s expectation of privacy was legitimate, even in the face of a church policy allowing the [regional church officers] to supervise him. All employees have supervisors, but many employees may still have a legitimate expectation that others will not examine their personal files, even if these files are brought into the workplace.
Although the [regional church officer] had personal authority to enter Pastor Ted’s office, and to authorize others to do so, this authority did not displace the law enforcement officers’ obligation to respect Pastor Ted’s independent constitutional rights and it did not rise to the level of “common authority” required for valid third party consent. Neither [the regional church officer or chairman of the staff-parish committee] had ever used Pastor Ted’s workplace computer, worked in his office, or kept property there. Instead, the office was kept locked, and the church had no specific policy giving church officials the right to control and use the office. No testimony … revealed that any church officials had ever exerted such authority over the office. Thus, the state failed to meet its burden to prove that the officials had common authority under constitutional standards, and there was no showing that Pastor Ted assumed the risk that church officials would invite police officers in to search the office.
Significance to Church Leaders
What is the significance of this case to church leaders? Consider the following points:
1. In general. A decision by a Florida appeals court is not binding in any other state and is not binding on trial courts in Florida in counties over which the court has no jurisdiction. Further, a decision by a Florida appeals court is not binding on any other Florida appeals court, or the state supreme court. However, there are some aspects to the court’s decision that are instructive for all churches.
2. Office computers. The case reviewed in this article dealt with a criminal prosecution of a pastor who was suspected of possessing child pornography on his church-provided computer. The pastor’s main defense, which the court accepted, was that the inspection of his computer by the police violated his Fourth Amendment right to be free from unreasonable searches and seizures.
The Fourth Amendment is a limitation on government actions and has no direct application to churches. However, the court noted that in order to invoke the protection of the Fourth Amendment a criminal defendant must demonstrate “a legitimate expectation of privacy in the area searched or the item seized.” The court concluded that Pastor Ted had a legitmate expectation of privacy in his office computer, and this conclusion suggests that unauthorized inspections of office computers by church staff may constitute an invasion of privacy that could result in monetary damages in a civil lawsuit.
The concept of invasion of privacy has many meanings, one of which is an intrusion into another’s seclusion. Section 652B of the Restatement of Torts (a respected legal treatise) states that this form of invasion of privacy occurs when one “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns … if the intrusion would be highly offensive to a reasonable person.”
One court noted that to establish an invasion of privacy based on intrusion into one’s seclusion the following facts must be proven: (1) an unauthorized intrusion or prying into the plaintiff’s seclusion; (2) the intrusion must be offensive or objectionable to a reasonable man; (3) the matter upon which the intrusion occurs must be private; and (4) the intrusion causes anguish and suffering.”
The court’s decision in the case reviewed in this article suggests that the inspection of a church-provided computer in a staff member’s office may constitute an invasion of privacy. The court mentioned the following facts that gave rise to a reasonable expectation of privacy:
- The pastor’s office door was locked when he was away.
- The church supplied only three keys to the pastor’s office door, two of which were in the pastor’s sole possession.
- The pastor had a practice of allowing visitors into his office only with his permission or for limited purposes related to church business.
- Other staff members could use the pastor’s office for very limited purposes.
- The pastor expected no one to peruse his personal belongings in the office or on the computer.
- Although the church owned the computer, the pastor was the sole regular user.
- Although the church administrator performed maintenance on the computer, there was no evidence that she or anyone other than the pastor stored personal files on the computer or used it for any purpose other than maintenance.
- The church had no written policy regarding the use of the computer. Specifically, there was no policy informing the pastor that others at the church could enter his office and view the contents of his computer.
- The pastor’s computer was not networked to any other computers. The only way to access the computer to view its contents was to enter through the locked office door.
The court concluded that “it is clear under these circumstances that the church trusted [the pastor] to use the computer appropriately and … gave no indication that the computer would be searched by anyone at the church.”
• Key point. The takeaway point is that church staff members who are provided with an office computer by their employing church may have a reasonable expectation of privacy in their computer if many or all of these factors are present, meaning that the church could be liable for invasion of privacy if it inspects the computer for inappropriate material or usage without the employee’s consent.
• Key point. Some church employees own a laptop computer that they use, either occasionally or regularly, in their church office. The expectation of privacy is even higher for such computers, since they are owned by the employees.
3. Criminal prosecutions. Not only does the inspection of a staff member’s church-provided computer expose a church to civil liability for invasion of privacy, but, as this case illustrates, it also may prevent incriminating evidence from being used in a criminal prosecution as a result of the Fourth Amendment guaranty against unreasonable searches and seizures.
Church leaders who suspect that an employee is engaged in criminal activity (such as possession of child pornography) on an office computer, and who notify the police of their suspicions, should recognize that they may not have the authority to consent to a search of the employee’s office computer. This is one reason why it is important for a church to have a computer access policy which, among other things, includes a consent by employees to the inspection of their office computers.
4. The “consent” defense. The court acknowledged that employees have no reasonable expectation of privacy in an office computer if they have consented to its inspection. Significantly, the court observed: “[W]here an employer has a clear policy allowing others to monitor a workplace computer, an employee who uses the computer has no reasonable expectation of privacy in it”. The court added:
Evaluation of an expectation of privacy in a workplace computer involves unique considerations, but as with any other item in the workplace, the evaluation should focus on the operational realities of the workplace. When a computer is involved, relevant factors include whether the office has a policy regarding the employer’s ability to inspect the computer, whether the computer is networked to other computers, and whether the employer (or a department within the agency) regularly monitors computer use.
“[T]he abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.” Muick v. Glenayre Electronics, 280 F.3d 741 (7th Cir. 2002).
The court referred to two federal appeals court cases in which the courts ruled that an employer’s implementation of a computer access policy eliminated any expectation of privacy by employees in their office computers.
(1) United States v. Angevine, 281 F.3d 1130 (10th Cir. 2002)
The court ruled that a university professor had no legitimate expectation of privacy in his office computer since (1) the university had an extensive policy regarding computer use and provided explicit warnings that the computer would be inspected by university officials; and (2) the professor’s university-provided computer was connected to a computer network that was maintained by the university, and accessible by university employees.
The university computer-use policy reserved the right to randomly audit Internet use and to monitor specific individuals suspected of misusing university computers. The policy explicitly cautioned computer users that information fl owing through the university network was not confidential either in transit or in storage on a university computer. The court concluded:
Under this policy, reasonable university computer users should have been aware network administrators and others were free to view data downloaded from the Internet. The policy also explicitly warned employees legal action would result from violations of federal law. Furthermore, the university displayed a splash screen warning of “criminal penalties” for misuse and of the university’s right to conduct inspections to protect business-related concerns. These office practices and procedures should have warned reasonable employees not to access child pornography with university computers ….
The university explicitly reserved ownership of not only its computer hardware but also the data stored within. [The professor] does not dispute the university owned the computer and the pornographic data he stored on it. Because the computer was issued to [him] only for work related purposes, his relationship to the university computer was incident to his employment. Reasonable people in [the professor’s] employment context would expect university computer policies to constrain their expectations of privacy in the use of university-owned computers.
Additionally, the pornographic images seized by police were not within [the professor’s] immediate control. The Supreme Court found a reasonable expectation of privacy in seized records where an employee “had custody of the papers at the moment of their seizure.” Mancusi v. DeForte, 392 U.S. 364 (1968). Unlike Mancusi, [the professor in this case] did not have access to the seized data because he had previously attempted to delete the files from the university computer’s memory. Police only recovered the data through special technology unavailable to [him].
Finally [the professor] did not take actions consistent with maintaining private access to the seized pornography. We are reluctant to fi nd a reasonable expectation of privacy where the circumstances reveal a careless effort to maintain a privacy interest. [The professor] downloaded child pornography through a monitored university computer network. University policy clearly warned computer users such data is “fairly easy to access” by third parties. The policy explained network administrators actively audit network transmissions for such misuse. While [the professor] did attempt to erase the child pornography, the university computer policy warned system administrators who kept file logs recording when and by whom files were deleted. Moreover, given his transmission of the pornographic data through a monitored university network, deleting the files alone was not sufficient to establish a reasonable expectation of privacy …. We have never held the Fourth Amendment protects employees who slip obscene computer data past network administrators in violation of a public employer’s reasonable office policy.
Based on these factors, the court concluded that the professor “could not have an objectively reasonable expectation of privacy,” and therefore it rejected his request to suppress the evidence of child pornography at his trial.
To summarize, the professor did not have a reasonable expectation of privacy in the contents of his employer-provided computer since:
- The university had a computer policy that explicitly warned employees that university-owned computers were subject to inspection, and that “legal action” would result from any violation of federal law.
- The policy informed employees that university-owned computers were on a network, and that network administrators and others were free to view data downloaded from the Internet.
- University-owned computers displayed a splash screen warning of “criminal penalties” for misuse and of the university’s right to conduct inspections to protect business-related concerns.
- The university’s computer policy reserved ownership of not only its computer hardware but also the data stored on computers.
- Pornographic images seized by police were not within the professor’s immediate control since he had attempted to delete the files from his computer’s memory. Police only recovered the data through special technology unavailable to him.
- The professor did not take actions consistent with maintaining private access to the seized pornography. In particular, he downloaded child pornography through a monitored university computer network.
“The companies we reviewed all have written policies that included most of the elements recommended in the literature and by experts as critical to a company computer-use policy. There is a general consensus that policies should at least affi rm the employer’s right to review employee use of company computer assets, explain how these computer assets should and should not be used, and forewarn employees of penalties for misuse. We also found that all companies disseminated information about these policies through their company handbooks, and most discussed their computer-use policies with new employees at the time of hire. In addition, some companies provided annual training to employees on company policies, and others sent employees periodic reminders on appropriate computer conduct.” [From a Report by the General Accounting office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
(2) Muick v. Glenayre Electronics, 280 F.3d 741 (7th Cir. 2002)
Another federal appeals court ruled that an employee had “no right of privacy” in the laptop computer his employer had “lent him for use in the workplace” because the employer had announced that it could inspect the laptop. The employee was arrested on charges of receiving and possessing child pornography in violation of federal law. At the request of federal law enforcement authorities, his employer seized from his work area the laptop computer it had furnished him for use at work and held it until a warrant to search it could be obtained. He was later convicted and imprisoned.
The employee sued his former employer, claiming that it violated the Fourth Amendment and invaded his privacy. The court concluded that the employee had no right of privacy in his employer-provided computer. It cautioned that it was possible for such a right to exist under some circumstances. For example, if an employer “equips the employee’s office with a safe or file cabinet or other receptacle in which to keep his private papers, he can assume that the contents of the safe are private.” But, the employer in this case
Announced that it could inspect the laptops that it furnished for the use of its employees, and this destroyed any reasonable expectation of privacy that [the employee] might have had …. The laptops were [the employer’s] property and it could attach whatever conditions to their use it wanted to. They didn’t have to be reasonable conditions; but the abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.
5. The importance of a computer policy. The cases summarized in this article demonstrate the importance of employers having an appropriate computer policy. Such a policy will minimize or eliminate employees’ expectation of privacy in employer-provided computers, thereby providing a viable defense against alleged Fourth Amendment violations and invasions of privacy.
There are several important issues that should be addressed in a church’s computer policy, including the following
- The policy should cover employer-owned and provided computers.
- The policy should clearly describe authorized and unauthorized use of church-provided computers, and give examples of both.
- The computer policy should describe the possible consequences of inappropriate use of church-provided computers.
- The policy should clearly authorize the employer to access, monitor, analyze, and inspect its computers at any time, with or without permission or advance notice. The policy should specify which officers or employees are authorized to inspect church-owned computers. These may include the senior pastor, board members, church administrator, denominational officials, law enforcement officials, computer specialists (whether or not employed by the church), or anyone authorized by the senior pastor or board.
- The policy should state that employees have no “expectation of privacy” in their church-provided computer, or its contents.
- The policy should advise employees that the church will cooperate fully with law enforcement officers in the detection of criminal activity involving church-provided computers.
- All church-provided computers should have a start screen that reminds employees of the terms of the employer’s computer policy.
- The policy should explain the reasons for the employer’s right to access computers. These may include some or all of the following, depending on the circumstances: (1) monitoring inappropriate use of the Internet; (2) monitoring excessive use of the Internet; (3) access to information on employees’ computers in their absence; (4) preventing copyright violations by employees who copy computer software without authorization; (5) minimizing the risk of computer viruses; (6) updating church-owned software; (7) detection of communications among employees that may constitute sexual or other forms of harassment for which the church may be liable.
- Explain the policy to all new employees at the time of hiring.
- Have all new employees sign a statement acknowledging that they understand and agree to the policy “in consideration of their employment.” Alternatively, they can sign a statement agreeing to be bound by the church’s employee policy manual, if it contains the church’s computer policy.
- It is not clear whether a church’s computer policy can apply to current employees unless the church provides them with something of value in return for their consent to the policy. This is a result of the basic principle of contract law that no contractual commitment is binding unless a party receives something of value in exchange for his or her commitment. This problem may be avoided by having current employees sign a written form (agreeing to the policy) at the time they receive a pay raise. This is an issue that should be addressed with a local attorney.
- The computer policy should state that the church retains ownership of both its computers and the data stored on them.
“From our review of the literature and discussions with legal experts, privacy advocates, and business consultants, we identified common elements that should be included in company computer-use policies. These experts generally believed that the most important part of a company’s computer-use policy is to inform employees that the tools and information created and accessed from a company’s computer system are the property of the company and that employees should have no ‘expectation of privacy’ on their employers’ systems. Courts have consistently upheld companies’ monitoring practices where the company has a stated policy that employees have no expectation of privacy on company computer systems. The experts also agreed computer-use policies should achieve other company goals, such as stopping release of sensitive information, prohibiting copyright infringement, and making due effort to ensure that employees do not use company computers to create a hostile work environment for others. Finally, according to experts, employees should clearly understand the consequences for violating company computer policies. For example, one company’s computer- use policy states that ‘violators [of company Internet/Intranet use policy] are subject to disciplinary action up to termination of employment and legal action.'” [From a Report by the General Accounting office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
The U.S. General Accounting office has prepared a Table (Table 1) identifying the key elements of a computer-use policy. While the Table leaves out some important elements, it nonetheless is a valuable resource from a repuTable source. The Table is reproduced in this article.
Table 1: Key Elements of a Computer-Use Policy
|Monitoring use of proprietary assets||Statements that company computing systems are provided as tools for business and all information created, accessed, or stored using these systems are the property of the company and subject to monitoring, auditing, or review.|
|Establishing no expectation of privacy||Statements about the extent or limitations of privacy protections for employee use of e-mail, the Internet, and computer files.|
|Improper employee use||Statements that some uses of company computers are inappropriate – including specific notice banning offensive material (e.g., obscenity, sexual content, racial slurs, derogation of people’s personal characteristics), and language relating e-mail and Internet use to general prohibitions of harassment.|
|Allowable employee uses||Statements explaining proper or accepTable uses of the company systems, including whether or not personal use is permitted.|
|Protecting sensitive company information||Statements providing instructions for handling proprietary information on company systems.|
|Disciplinary action||Statements that there are penalties and disciplinary actions for violations of company usage policy.|
|Employee acknowledgement of policy||A statement requiring that employees demonstrate they understand the company policy and acknowledge their responsibility to adhere to the policy.|
Source: U.S. General Accounting Office’s analysis of recommended computer-use policies.
6. Federal and state legislation pertaining to workplace privacy. Congress, and several state legislatures, have enacted legislation that may expose employers to liability for non-consensual searches of employer-provided computers.
Electronic Communications Privacy Act
The federal Electronic Communications Privacy Act, also known as the Wiretap Act, prohibits the intentional interception of “wire, oral or electronic communications.” The Act defines an “interception” as “the acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
The federal Wiretap Act provides that “consent” is a defense to criminal liability:
It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State. 18 USCA 2511(2)(d).
The Act specifies that those who violate the Act “shall be fi ned under this title or imprisoned not more than fi ve years, or both.” The Act also specifies that persons whose telephone or other electronic communications are intercepted in violation of the Act may sue the perpetrator for money damages. Private lawsuits must be filed within two years “after the date upon which the claimant first has a reasonable opportunity to discover the violation.”
Electronic Communication Storage Act
The Electronic Communications Storage Act, also known as the Stored Communications Act, was added to the Wiretap Act in 1986. The Act specifies that “whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system” violates the Act. “Electronic storage” is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”
Very few courts have applied the Electronic Communications Storage Act to an employer’s access to an employee’s email account. From the limited precedent, it would appear that an employer does not violate the Act by accessing emails on a computer after they have been downloaded by an employee to his or her hard drive. The Act is violated when an employer accesses without consent an employee’s email account directly on the “electronic communication service provider” (such as Hotmail) and in addition “obtains, alters, or prevents authorized access” to an electronic communication “while it is in electronic storage in such system.” While a church may not violate the Act when it accesses an employee’s email after it has been downloaded to the employee’s computer hard drive, it may invade the employee’s privacy by doing so (as noted above).
• Key point. Church leaders should not access an employee’s email without first consulting with a local attorney.
Computer Fraud and Abuse Act
Under the federal Computer Fraud and Abuse Act, anyone who “intentionally accesses a computer without authorization … and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication” may have violated the Act. However, in order to maintain a civil action under the Act, an employee must have suffered “damage or loss” by reason of a violation. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information that … causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.” Damages are limited to economic damages. The Act does not define a “loss,” but the courts have interpreted it to cover “remedial expenses.”
State Electronic Privacy Laws
Church leaders should realize that several states have their own electronic privacy laws that may apply to the interception or inspection of emails on church computers. These laws should be consulted.
7. Court decisions. Some of the leading court cases addressing employer liability for accessing employee computers are summarized in the following examples.
In one of the few cases to address the liability of a church for the seizure and inspection of a staff member’s computer, a federal court in Wisconsin ruled that a church and its senior pastor, secretary, and business administrator, could be sued by a former youth pastor who was dismissed as a result of a “pornographic” telephone conversation between the youth pastor and another adult male that had been overheard by other church staff members, as well as pornographic materials that were discovered on his office computer. Fischer v. Mt. Olive Lutheran Church, Inc., 207 F.Supp.2d 914 (W.D. Wis. 2002).
A church employed a young man (“Don”) as its youth pastor. By accepting this position, Don agreed “to teach faithfully the Word of God … in its truth and purity … to exemplify the Christian faith and life, to function in an atmosphere of love and order characteristic of the Body of Christ at work, and to lead others toward Christian maturity, to show a due concern for all the phases of mission and ministry.”
After serving as youth pastor for a few years, Don was criticized by church board members who had received complaints about his job performance. The church personnel committee gave Don a negative performance review and advised him of areas that needed improvement.
Don opened a Microsoft Hotmail email account from a computer terminal at a local public library. Hotmail accounts are web-based, free, and reside on servers that are part of the Microsoft network. Don used his Hotmail account for personal purposes. At the time he opened his Hotmail account, he did not own a computer or subscribe to any Internet service provider. He accessed his Hotmail account from the church’s computers using the church’s Internet service provider, among other places.
On the morning of June 10, 1999, Don arrived early at the church and read the email messages on his Hotmail account. He saw that he had received an email message from “John Jacobsen,” who asked that Don call him. Don did not recognize the name. Later that morning, Don informed the church secretary (with whom he shared an office) that he was going down the hall to the associate pastor’s office. He did not tell the secretary that he was going to make a telephone call, although he often used the associate pastor’s office for this purpose. The church’s senior pastor had told Don to use the associate pastor’s office to make personal phone calls or in any situation in which he needed privacy.
A short time later, the church secretary left her office to place schedules in the mail trays. She took along a cordless telephone because her primary job was answering calls. The church had six telecommunication lines, two for computers and four for telephones. The cordless phone tied into one line of the telephone system. Because the secretary sometimes received church-related calls at home, she tried to call home to check her answering machine for messages. Instead of hearing a dial tone, she heard two male voices involved in a sexually graphic conversation. She recognized one voice as Don’s. According to Don, the other man on the telephone was “John Jacobsen,” a tutor he had known in college who was having a “sexual identity crisis.” The church secretary alleged that Jacobsen talked with Don about his sexual experiences and feelings, at times in graphic detail, and that Don recounted various homosexual encounters of his own. Don later insisted that he had not made any obscene or pornographic statements during this conversation. Rather, he merely listened to Jacobsen because he had been trained as a counselor to listen to people. Don, who was married and had four young children, denied being homosexual or bisexual.
… Don accessed his Hotmail account in the presence of his wife and a neighbor and found no offensive emails in his account.
The church secretary became concerned about the possibility of improper contact between Don and children participating in the church’s youth programs, given Don’s position in the church. Shaking from fear and shock, she walked to the church business administrator’s office because she believed the conversation she had overheard was an extremely serious matter that should be witnessed by another employee. She gave the administrator the cordless phone and whispered something about Don’s being on the line. The administrator heard Don and Jacobsen discussing homosexual acts and making lewd noises (Don later denied this). Believing that the caller was threatening violence to Don or others in the church, the administrator instructed the church secretary to use another phone line to call the police.
The church secretary called the police, and requested that an officer be sent to the church to remove Don from the premises because she was scared and repulsed by the conversation. The administrator walked down the hallway and confronted Don about his phone conversation and asked him to leave the building. Don thought that he had been accused of participating in an obscene conversation over the Internet on the church’s computer. He left the building 10 minutes later.
After Don left the church, the administrator called the senior pastor and described briefly what had happened. A police detective called the church and asked the secretary and administrator to come to the police station and provide statements. Shortly after they returned to the church, Don returned as well. The senior pastor met with Don to discuss what had happened, and told Don that he was being suspended with pay pending an investigation. According to the senior pastor and business administrator, Don stated that he had told his wife “everything,” that his marriage was over, that he had nothing left to live for, and that he had checked his life insurance policy to assure his family would be adequately provided for and that he was contemplating suicide. Don later claimed that he had only told the senior pastor that a suspension would ruin his reputation in the church and community and that he had told his wife of the accusations. However, because of the senior pastor’s concerns that Don was suicidal, he stepped out of his office momentarily and had the church secretary contact the police again. Two police officers arrived a short time later and met with Don and the senior pastor. The officers shared the senior pastor’s concern regarding suicide, and had Don committed involuntarily to a hospital for observation.
The senior pastor visited with Don’s wife that evening, telling her that Don was a “sick” man, that he had had three or four gay relationships, and that he was suicidal.
In response to police recommendations, the senior pastor retained a computer technician on June 10, 1999, to examine the church’s computer files that Don used and to check Don’s email messages for any improper sexual communications with minors. Using the church’s computer, the technician accessed Don’s Hotmail account using a password “guessed at” by the senior pastor. The technician printed the email messages that he found in Don’s Hotmail account. The emails, from senders with male names, referred to Don as “my hot man,” “my favorite stud,” and “sweetie,” and included the statements “miss you babe” and “as always you were a treat!” Don insisted that before June 10, 1999, there were no such email messages in his account.
On June 11, 1999, Don accessed his Hotmail account in the presence of his wife and a neighbor and found no offensive emails in his account. The senior pastor claimed that nothing had been deleted from Don’s Hotmail account and that no Hotmail settings or passwords had been changed. Later that day the senior pastor again accessed Don’s Hotmail account to see whether any new messages had been received that would indicate improper communications with minors. He found two old emails (dated March 27 and April 6, 1999) which contained photographs of nude males. Don did not know how these emails ended up in his account. The next day the senior pastor again accessed Don’s Hotmail account and found a new incoming email, dated June 11, 1999, in which the sender wrote, “Wish I were there to give you a big kiss, hug and more this morning! You take care sweetie! Yours, Bill.”
A few days later the senior pastor, along with the chairman of the church’s board of elders, visited Don at his home to deliver his final paycheck and to encourage him to resign in order to avoid having his misconduct brought to the attention of others. Don’s wife asked what evidence the church had to support its claims. The senior pastor told her that he could provide the information only if Don signed a release. Don refused to do so.
The next day the church’s board of elders unanimously approved a motion to schedule a meeting of the congregation to consider the termination of Don’s employment. At the congregational meeting the church’s attorney described the June 10, 1999 telephone call that had been overheard by the church secretary and business administrator, but he did not refer to any emails. At the meeting, Don implied that the church had no documents to support its charges. The church’s attorney responded that he had copies of Don’s emails with him and asked whether Don would consent to their being read to the congregation. Don declined to give his consent, and so the contents of the emails were not disclosed. The congregation voted 91 to 43 in favor of terminating Don’s employment.
Don sued the church, the senior pastor, church secretary, and business administrator (the “defendants”) claiming that they had all violated federal and state electronic privacy laws by intercepting his telephone conversation on July 10, 1999, and by accessing his Hotmail account without his permission. He also sued each defendant for invasion of privacy and defamation. The defendants filed a motion to dismiss the case.
Electronic Communications Privacy Act
The federal Electronic Communications Privacy Act, also known as the Wiretap Act, prohibits the intentional interception of “wire, oral or electronic communications.” The defendants conceded that Don’s telephone conversation was a “wire communication.” The Act defines an “interception” as “the acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” However, the Act has a “business extension” exemption which permits employees to use company telephones in the ordinary course of business without violating the Act. The court conceded that this exemption would apply to the interception of Don’s telephone call on June 10, 1999 by the church secretary and business administrator if they were using the cordless phone in the ordinary course of business.
The defendants claimed that the Wiretap Act was not violated since the phone was being used for business purposes when Don’s conversation with John Jacobsen was intercepted by the church secretary and business administrator. The defendants noted that Don was allegedly using the phone at the time to “counsel” John Jacobsen. Don insisted that his call was personal and that the secretary and business administrator had an obligation to stop listening as soon as they determined that the call was personal in nature, and in failing to do so they violated the Act.
The court agreed with Don, for two reasons. First, the senior pastor conceded that Don was allowed to make personal calls from the church phone. And second, it was not clear that Don’s duties included conversations “with a college friend, such as Jacobsen, or an adult who is not a member of the congregation, even if the call occurred during work hours.”
Defendants argued that even if the call was personal in nature, they had a legal interest in listening in because it raised concerns about (1) the safety of church personnel, and (2) possible church liability for improper contact between an employee and a minor. The court disagreed:
First, I am uncertain how a private telephone conversation raised safety concerns for church personnel, however sexually graphic and homosexual in nature it may have been …. Second, the church might have a legal interest in continuing to listen to the conversation if Don were speaking to a minor. However, it is undisputed that [the secretary and business administrator] believed that Don was speaking with an adult …. At the point [they] determined that the call was personal and that Don was not talking to a minor, they had an obligation to cease listening and hang up. Any legal interest the church might have had in protecting itself against Don’s conversation with a minor ceased to exist when [the secretary and business administrator] formed the belief that Don was talking with an adult.
Electronic Communication Storage Act
This federal law specifies that “whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system” violates the Act. “Electronic storage” is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”
The defendants claimed that the senior pastor did not violate the Act when he accessed Don’s Hotmail account on June 11 and 12, 1999, because Don’s Hotmail email was not in “electronic storage” as defined under the Act. The defendants argued that the Act “does not apply to the accessing of email messages in a recipient’s mailbox for at that point, transmission of the messages has been completed.” The court disagreed. It noted that the Act defines “electronic storage” as either temporary, intermediate storage incidental to the electronic transmission or any storage of such communication by an electronic communication service for purposes of backup protection. The senior pastor accessed Don’s email while it was stored on a remote, web-based server that was owned by Microsoft, an electronic communication service provider. The court concluded that Congress intended the Act to cover the exact situation in this case, as illustrated by an example provided in the Senate Report:
For example, a computer mail facility authorizes a subscriber to access information in their portion of the facilities storage. Accessing the storage of other subscribers without specific authorization to do so would be a violation of the act. Similarly, a member of the general public authorized to access the public portion of a computer facility would violate this section by intentionally exceeding that authorization and accessing the private portions of the facility.
The court noted that accessing Don’s Hotmail account intentionally was not enough to violate the act. Don also had to show that the defendants obtained, altered, or prevented his authorized access to his email account. The court concluded that there was enough evidence that this requirement was met that the defendants’ motion to dismiss had to be denied. It noted, in particular, that there was evidence that the church prevented Don from accessing his email account by changing his password.
The defendants also claimed that it was the computer technician, not they, who accessed Don’s emails, and so they had not violated the Act. The court disagreed. It concluded that the technician was acting as the church’s agent. However, the court concluded that the church secretary and business administrator did not violate the Stored Communications Act because they never accessed Don’s emails.
• Key point. Very few courts have applied the Electronic Communications Storage Act to an employer’s access to an employee’s email account. From the limited precedent, it would appear that an employer does not violate the Act by accessing emails on a computer after they have been downloaded by an employee to his or her hard drive. The Act is violated when an employer accesses without consent an employee’s email account directly on the “electronic communication service provider” (such as Hotmail) and in addition “obtains, alters, or prevents authorized access” to an electronic communication “while it is in electronic storage in such system.” While a church may not violate the Act when it accesses an employee’s email after it has been downloaded to the employee’s computer hard drive, it may invade the employee’s privacy by doing so (as noted below). Church leaders should not access an employee’s email without first consulting with a local attorney.
Computer Fraud and Abuse Act
Under the federal Computer Fraud and Abuse Act, anyone who “intentionally accesses a computer without authorization … and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication” may have violated the act. However, in order to maintain a civil action under the Act, Don must have suffered “damage or loss” by reason of a violation. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information that … causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.” Damages are limited to economic damages. The Act does not define a “loss,” but the courts have interpreted it to cover “remedial expenses.” The defendants argued that Don failed to produce evidence that he suffered any damage or loss as a result of their acts of copying his email messages from his account. Don would have had to suffer damages or loss of at least $5,000 in order to maintain a cause of action under the Act. Although Don alleged that as of June 11, 1999, he could no longer access his Hotmail account because the defendants allegedly changed his password, he failed to show that he suffered any damage or loss as a result. As a result, the court granted the defendants’ motion for summary judgment as to Don’s claims under the Computer Fraud and Abuse Act.
After learning of their minister’s role in reporting the allegations of abuse against them, the parents filed a $1 million dollar libel suit against him and the church.
Invasion of Privacy
Under Wisconsin law, an “invasion of privacy” includes “an intrusion upon the privacy of another of a nature highly offensive to a reasonable person, in a place that a reasonable person would consider private.” Don claimed that his right to privacy was intruded upon when (1) the church secretary and business administrator eavesdropped on his telephone conversation, and (2) the pastor and church accessed his email account. The defendants argued that neither a telephone conversation nor an email account is “a place” under the privacy law.
Don conceded that a telephone conversation is not “a place.” He argued, however, that at the time he was on the telephone, he was in an office that the pastor had allowed him to use for private telephone calls and the door to that office was closed. Therefore, Don reasoned, the “place” was the office, not the phone conversation. The defendants replied that it was “absurd” for Don to contend that he had a right of privacy when he was located in his employer’s office. The court was not convinced. It observed, “Defendants argue that it is the call that was intruded upon, not the office. However, Don was in a place (the office) where his privacy right was allegedly violated (via a phone extension). In other words, the fact that defendants used a phone extension to listen in on Don’s conversation rather than pressing an ear against the door is of no consequence …. When A taps B’s telephone wires A has invaded B’s privacy.”
The court conceded, however, that it was not clear that the acts of the church secretary and business administrator in eavesdropping on Don’s telephone call were “highly offensive to a reasonable person” as required to be an invasion of privacy. It left these questions to the jury.
The court then addressed the question of whether the access to Don’s email account by the pastor and church invaded his privacy. It concluded, “On its face, the language, ‘intrusion upon the privacy of another … in a place that a reasonable person would consider private’ does not limit the intrusion to a person’s immediate physical environment but rather encompasses a person’s private belongings as long as the place these private belongings are intruded upon is one that a reasonable person would consider private.”
The court quoted with approval from the Restatement (Second) of Torts (a respected legal treatise), “Intrusion on privacy of another may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit inspection of his personal documents.” Because it was disputed whether Don’s email account was a place that a reasonable person would consider private, the court denied the defendants’ request to dismiss the case.
• Example. A federal appeals court ruled that an employee did not have an expectation of privacy in his workplace computer, and therefore the police did not act improperly in accessing the computer and finding evidence of child pornography. The FBI received a tip that an employee (Ted) of a local business had accessed child-pornographic websites from his workplace computer. The company agreed to cooperate with the FBI in its investigation. Company employees entered Ted’s office at 10 PM one evening, opened his computer’s outer casing and made two copies of the hard drive. Forensic examiners at the FBI discovered many images of child pornography on the hard drive. Ted was later charged with several felony offenses pertaining to the possession and receipt of child pornography. Ted pleaded not guilty on the ground that the evidence that was being used against him was unlawfully obtained. The prosecutor insisted that an employee has no reasonable expectation of privacy in a workplace computer when the employee uses a computer paid for by the employer, Internet access is paid for by the employer, in an office where the employer pays the rent, and when the employer “has installed a firewall and a whole department of people whose job it was to monitor their employee’s Internet activity.”
The prosecutor conceded that Ted had a “subjective” expectation of privacy in the computer—”the use of a password on his computer and the lock on his private office door are sufficient evidence of such expectation.” But, “his expectation of privacy in his workplace computer must also have been objectively reasonable.” A federal district court concluded that this requirement was not met, and a federal appeals court agreed:
Though each computer required its employee to use an individual log-in, the employer had complete administrative access to anybody’s machine. It had also installed a firewall, which is a program that monitors Internet traffic from within the organization to make sure nobody is visiting any sites that might be unprofessional. Monitoring was therefore routine, and the employer reviewed the log created by the firewall on a regular basis, sometimes daily if Internet traffic was high enough to warrant it. Upon their hiring, employees were apprised of the company’s monitoring efforts through training and an employment manual, and they were told that the computers were company-owned and not to be used for activities of a personal nature. Ted, who has the burden of establishing a reasonable expectation of privacy, presented no evidence in contradiction of any of these practices. He does not assert that he was unaware of, or that he had not consented to, the Internet and computer policy.
Bob was fired after his employer discovered that he “had repeatedly accessed pornographic sites on the Internet while he was at work.”
The court noted that “other courts have scrutinized searches of workplace computers in both the public and private context, and they have consistently held that an employer’s policy of routine monitoring is among the factors that may preclude an objectively reasonable expectation of privacy.”
The court acknowledged that some courts had found a reasonable expectation of privacy in a workplace computer, but pointed out that in each of those cases the employer “failed to implement a policy limiting personal use of or the scope of privacy in the computers, or had no general practice of routinely conducting searches of the computers.” The court concluded:
Social norms suggest that employees are not entitled to privacy in the use of workplace computers, which belong to their employers and pose significant dangers in terms of diminished productivity and even employer liability …. The abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible. Employer monitoring is largely an assumed practice, and thus we think a disseminated computer-use policy is entirely sufficient to defeat any expectation that an employee might nonetheless harbor. United States v. Ziegler, 456 F.3d 1138 (9th Cir. 2006)
• Example. A California court ruled that an employee who was fired for using his office computer to access pornographic websites on the Internet was barred from suing his employer for wrongful termination or invasion of privacy because he signed a “computer use agreement” giving his employer the right to inspect his computer and dismiss him for inappropriate or unauthorized use of the computer. An employer provided two computers for an employee’s use, one for the office, the other to permit the employee to work at home. Employees were required to sign a computer use agreement that authorized the employer to monitor employees’ office computers and terminate an employee for misuse of the office computer. One of the employees who signed the computer use agreement was a senior executive (Bob) who used two computers owned by his employer, one at the office and the other at his home. The computer use agreement specified that the employer’s computers would be used “for business purposes only and not for personal benefit or non-company purposes, unless such use is expressly approved. Under no circumstances can the equipment or systems be used for improper, derogatory, defamatory, obscene or other inappropriate purposes.” Bob consented to have his computer use “monitored by authorized company personnel” on an “as needed” basis, and agreed that communications transmitted by computer were not private. He acknowledged his understanding that his improper use of the computers could result in disciplinary action, including discharge.
A few years after signing the computer use agreement, Bob was fi red after his employer discovered that he “had repeatedly accessed pornographic sites on the Internet while he was at work.” Bob insisted that the pornographic Web sites were not accessed intentionally but simply “popped up” on his computer. Bob sued his employer, claiming that his employment had been wrongfully terminated. The employer asked Bob to return the home computer and cautioned him not to delete any information stored on the computer’s hard drive. In response, Bob acknowledged that the computer was purchased by his employer and said he would either return it or purchase it, but said it would be necessary “to delete, alter, and flush or destroy some of the information on the computer’s hard drive, since it contains personal information which is subject to a right of privacy.” The employer refused to sell the computer to Bob, and demanded its return without any deletions or alterations. Bob objected, claiming an invasion of his constitutional right to privacy.
The employer asked the court to compel Bob to return the computer, claiming that it had the right to discover whether information on the hard drive proved that Bob violated the computer use agreement that he signed. In particular, the employer argued that by accessing Bob’s home computer it could establish if he had visited sexually explicit web-sites at home, which would undermine his story that such sites “popped up” involuntarily on his office computer. Further, the employer insisted that Bob had no legitimate expectation of privacy in his computer in light of the computer use agreement that he signed. Bob claimed that he retained an expectation of privacy with regard to his home computer, despite the computer use agreement. He noted that the home computers were provided as a “perk” given to all senior executives, and that while they were provided in order to permit employees to work at home, it was understood that the home computers would also be used for personal purposes as well. He said his home computer was used by his wife and children, and that it “was primarily used for personal purposes and contains significant personal information and data” subject to his constitutional right of privacy including “the details of his personal finances, his income tax returns, and all of his family’s personal correspondence.
A state appeals court agreed with the employer that it had the right to inspect Bob’s home computer. It concluded that any expectation of privacy Bob had in the information on his home computer was nullified by the computer use agreement he signed. It observed:
We are concerned in this case with the “community norm” within 21st century computer-dependent businesses. In 2001, the 700,000 member American Management Association (AMA) reported that more than three-quarters of this country’s major firms monitor, record, and review employee communications and activities on the job, including their telephone calls, emails, Internet connections, and computer files. Companies that engage in these practices do so for several reasons, including legal compliance (in regulated industries, such as telemarketing, to show compliance, and in other industries to satisfy “due diligence” requirements), legal liability (because employees unwittingly exposed to offensive material on a colleague’s computer may sue the employer for allowing a hostile workplace environment), performance review, productivity measures, and security concerns (protection of trade secrets and other confidential information)…. According to the AMA Findings, four out of ten surveyed companies allow employees full and unrestricted use of office email, but “only one in ten allow the same unrestricted access to the Internet. Companies are far more concerned with keeping explicit sexual content off their employees’ screens than with any other content or matter.”
It is hardly surprising, therefore, that employers are told they “should establish a policy for the use of email and the Internet, which every employee should have to read and sign. First, employers can diminish an individual employee’s expectation of privacy by clearly stating in the policy that electronic communications are to be used solely for company business, and that the company reserves the right to monitor or access all employee Internet or email usage. The policy should further emphasize that the company will keep copies of Internet or email passwords, and that the existence of such passwords is not an assurance of the confidentiality of the communications. An electronic communications policy should include a statement prohibiting the transmission of any discriminatory, offensive or unprofessional messages. Employers should also inform employees that access to any Internet sites that are discriminatory or offensive is not allowed, and no employee should be permitted to post personal opinions on the Internet using the company’s access, particularly if the opinion is of a political or discriminatory nature.” For these reasons, the use of computers in the employment context carries with it social norms that effectively diminish the employee’s reasonable expectation of privacy with regard to his use of his employer’s computers.
The court noted that the computer use agreement gave Bob “the opportunity to consent to or reject the very thing that he now complains about, and that notice, combined with his written consent to the policy, defeats his claim that he had a reasonable expectation of privacy.” He knew that his employer could monitor the files and messages stored on the computers he used at the office and at home. He had the opportunity “to consent to the computer policy or not, and had the opportunity to limit his use of his home computer to purely business matters. To state the obvious, no one compelled Bob or his wife or children to use the home computer for personal matters, and no one prevented him from purchasing his own computer for his personal use. With all the information he needed to make an intelligent decision, Bob agreed to the company policy and chose to use his computer for personal matters. By any reasonable standard, he fully and voluntarily relinquished his privacy rights in the information he stored on his home computer, and he will not now be heard to say that he nevertheless had a reasonable expectation of privacy. TBG Insurance Services Corporation v. Superior Court 117 Cal.Rptr.2d 155 (Cal. App. 2002).
• Example. A federal district court in New York ruled that a dismissed employee could not sue his former employer for invasion of privacy as a result of unauthorized access to his office computer. A company hired a new employee (Alan) as a computer analyst. On several occasions Alan’s supervisor met with him regarding a number of job performance issues. The meetings discussed Alan’s failure to save documentation of his work, poor work relations with co-workers and insubordination towards superiors. Alan’s inability to provide supervisors with documentation of his work, failure to complete assigned projects, and on-going disciplinary issues such as insubordination and disregard for protocol led to concerns regarding how he was using his time on his company-provided computer. As a result, an executive decision was made to look into his computer and email records for inappropriate use of company servers and records. When Alan failed to show sufficient improvement in his job performance, he was dismissed. He later sued his former employer in federal court for invasion of privacy. Specifically, Alan claimed that his former employer invaded his privacy by allowing his computer to be accessed by supervisors. A federal court rejected Alan’s claim, noting that New York has no “common law” of privacy. Instead, the right of privacy is based exclusively on a state statute that defines it narrowly to prohibit the unauthorized commercial use of a person’s “name, portrait or picture” without prior written consent. The court concluded: “Since New York’s limited right of privacy does not prohibit an employer from accessing employee email and other documents produced on the company’s system, Alan has no claim to adjudicate.” Chimarev v. TD Waterhouse Investor Services, Inc., 280 F.Supp.2d 208 (S.D.N.Y. 2003).
• Example. A federal court in North Carolina dismissed a lawsuit brought by a pastor against his former church in which he claimed that the church had violated his rights under federal electronic privacy laws by searching his laptop computer for pornography. Formal allegations of misconduct were brought against the pastor during his tenure. These allegations included using his laptop computer in his church office to view pornography, and sexual relations with a female church member. The pastor denied any wrongdoing. Upon hearing of the allegations, members of the church’s investigation committee entered the pastor’s office and attempted to access information on his laptop computer. The pastor later resigned as a result of the allegations, and received a severance package. He then sued the church on the basis of several alleged wrongs, including a violation of the federal Electronic Privacy Act as a result of the church’s inspection of his church-provided computer. The court dismissed the lawsuit on the ground that it was barred by the First Amendment guaranty of religious freedom from resolving what it considered to be a dispute involving the qualifications of a minister. Jacobs v. Mallard Creek Presbyterian Church, 214 F.Supp.2d 552 (W.D.N.C. 2002).
8. Examples. A Table (Table 2) illustrates some of the important points made in this article.
Table 2: Analysis of Computer Inspection Scenarios
|1||A pastor owns a laptop computer that he purchased with his own funds. Church board members receive an anonymous complaint of inappropriate use of the computer, and they secretly inspect it in the pastor’s office while he is temporarily absent. They find evidence that the pastor has visited several Internet pornography websites, and downloaded numerous inappropriate images. None of the websites or downloaded images involved minors. The church does not have a computer access policy.||
|2||Same facts as Case 1, except that the church has adopted a computer access policy that clearly informs all employees that their church-provided computers are subject to inspection by church staff and others.||
|3||Same facts as Case 1, except that the websites and images involved child pornography.||
|4||Same facts as Case 1, except that the pastor’s email account is inspected, and evidence of inappropriate communications with other adults is uncovered.||
|5||A church employee is provided with a computer by the church. While the employee is away on vacation, it becomes important to access information on his office computer. In an attempt to do so, evidence of inappropriate (but not illegal) use of the computer is detected. The employee is terminated. The church does not have a computer access policy, or a computer network.||
|6||Same facts as Case 5, except that the employee’s email account is inspected, and evidence of inappropriate communications with other adults is uncovered.||
|7||Same facts as Case 5, except that the church has adopted a computer access policy that clearly informs all employees that their church-provided computers are subject to inspection by church staff and others.||
|8||Same facts as Case 5, except that all church-provided computers are on a network that is accessible by other church employees.||
|9||A church employee is provided with a computer by the church. While the employee is on sick leave, it becomes important to access information on his office computer. In an attempt to do so, several email messages are uncovered that may constitute sexual harassment. The employee is terminated. The church does not have a computer access policy, or a computer network.||
|10||Same facts as Case 9, except that the church has adopted a computer access policy that clearly informs all employees that their church-provided computers are subject to inspection by church staff and others.||
|11||A youth pastor keeps his church-provided laptop computer in a locked drawer in a desk in his office. An adult member of the church informs the senior pastor that he suspects an inappropriate relationship between the youth pastor and his teenage daughter. The senior pastor has a locksmith come to the church while the youth pastor is out of the office, and the laptop is retrieved and examined. The senior pastor is not able to access the youth pastor’s email account, but he does uncover evidence that the youth pastor has visited several pornographic Internet sites. The youth pastor is terminated. The church does not have a computer access policy, or a computer network.||
|12||Same facts as Case 11, except that the church has adopted a computer access policy that clearly informs all employees that their church-provided computers are subject to inspection by church staff and others.||
|13||A police detective visits a church when the senior pastor is not present and informs the secretary that he has reason to suspect that the youth pastor has been accessing child pornography. He asks the secretary for permission to inspect the youth pastor’s church-provided computer in his absence and without his knowledge. The church does not have a computer access policy, or a computer network.||
|14||Same facts as Case 13, except that the church has a computer access policy that clearly informs all employees that their church-provided computers are subject to inspection by church staff and others.||
|15||Same facts as Case 13, except that the secretary refers the detective to an associate pastor who consents to the search.||
Church Law & Tax Report is published six times a year by Christianity Today International, 465 Gundersen Dr. Carol Stream, IL 60188. (800) 222-1840. © 2008 Christianity Today International. email@example.com All rights reserved. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. “From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations.” Annual subscription: $69. Subscription correspondence: Church Law & Tax Report, PO Box 37012, Boone, IA 50037-0012.