Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015 (P.L. 114-113), companies enjoy liability protection for the monitoring of their information systems for “cybersecurity purposes.” Although intended to specifically cover monitoring of cybersecurity threats, the broad definition of “cybersecurity purposes” within the act provides protections for more general monitoring practices as well as monitoring without user consent. This is a major change for companies that, to date, may have shied away from deploying monitoring technology for fear of claims that they illegally intercepted private communications.
Existing wiretap rules limit workplace monitoring activities
Prior to the passage of the Cybersecurity Act, federal and state law on wiretapping was fairly straightforward and somewhat restrictive: Interception of electronic communications without consent was prohibited, barring limited exceptions. In other words, employers generally could not monitor their employees’ emails or other Internet communications unless the employee had consented to the monitoring through an employment agreement or employee handbook or otherwise acknowledged their employer’s rights when they logged on to their work computer each day.
The employee consent exception is the federal standard and is followed by most states. A dozen states, however, require all parties to the communication to agree to the monitoring. These all-party consent requirements create a significant compliance hurdle for companies, especially in the case of email monitoring, as companies arguably would need the consent of non-employees exchanging emails with company employees before electronic communication interception could occur. Despite these compliance hurdles, some companies moved forward with monitoring because of the importance of protecting against loss of intellectual property or trade secrets and preventing cyber attacks. Whether to monitor in all-party consent states has never been an easy decision, and while some companies may have accepted the risks of the all-party consent laws, the laws did have a general chilling effect on the use of systems-monitoring technology.
The Cybersecurity Act of 2015 creates broad liability protection for workplace monitoring
Congress recently preempted these twelve state all-party consent laws, at least to a certain degree, with the passage of the Cybersecurity Act of 2015, which prohibits causes of action against private entities “for the monitoring of an information system and information” for “cybersecurity purposes.”
A “cybersecurity purpose” is defined by the bill as the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability. Thus, an important limitation inherent in the act is that it provides liability protection for monitoring only insofar as that monitoring protects the systems or information from cybersecurity threats or security vulnerabilities.
In general, a “cybersecurity threat” is any unauthorized action that will adversely impact the security, availability, confidentiality, or integrity of information systems or information, and “security vulnerability” means any attribute that could enable or facilitate the defeat of a security control. The act’s inclusion of liability protections for cybersecurity activities to safeguard the confidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security. Monitoring for other employment activities that violate the employee handbook, such as prohibitions against insider trading, might not be covered. These arguments have not been tested in court. Also, neither the House nor the Senate committee reports on the act provide a clear explanation of the intended scope of the act’s liability protections for workplace monitoring. But a plain reading of the statute suggests that monitoring for the loss of intellectual property or trade secrets would be covered.
To the extent a company’s monitoring practices are carried out strictly for a “cybersecurity purpose,” which may include loss of trade secrets and intellectual property, the company’s practices should be immune to plaintiffs’ or regulators’ actions. This provides significant relief under federal and state wiretap laws, especially the state all-party consent laws. While the final reach of the Cybersecurity Act’s liability protections has not been settled, it is clear that workplace monitoring for certain activities without consent is on much stronger ground. Given this change, we are likely to see more organizations install monitoring technologies, and they may choose technology that is more invasive than the kinds that are currently deployed.