This is an interesting case where FDA whistleblowers allege that their emails were monitored once they told Congress the agency was approving medical devices that were risky to patients. First, the usual disclaimer: I am not a lawyer--don't take this as legal advice.
FDA employees (and former employees) are alleging that the FDA initiated email monitoring after these complaints, and that in doing so, it violated their Constitutional rights. They call the monitoring an unlawful search and seizure, and a violation of their rights to free speech and association. The FDA, on the other hand, indicated that when logging onto the network, employees are warned they may be monitored and should not have an expectation of privacy. Now, the article quotes the agency, but does not get specific as to what this warning looks like. If it is like many places, it is a click through banner where the employee must accept the warning before proceeding.
Further, the article indicated that the FDA began "surveillance of the employee's personal email accounts, which they accessed from Government computers". So the question is--does the click through banner indicating no expectation of privacy should be held by the employee extend to their personal email accounts when they access them from work? This will be a very interesting case to follow, given some of the rulings we've seen around similar issues.
In Ontario v. Quon, the Supreme Court ruled that employers have the right to read text messages—including personal ones—when they own the equipment (phone) that it was sent/received from, and when they have reason to believe that workplace rules are being broken. In that ruling, Justice Scalia asserts “…that government searches to retrieve work-related materials or to investigate violations of workplace rules—searches of the sort that are regarded as reasonable and normal in the private-employer context—do not violate the …(Fourth) Amendment.”
Now, that ruling addressed cell phone texting on a work-owned phone, and not personal email accounts accessed through a work computer, but the most important point seems to be that because the search was motivated by a legitimate work-related purpose, it was lawful.
In Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court ruled in a case where an employee sent emails to/from her attorney via her personal Yahoo email account, but using a company laptop. When she left the company and filed suit against them, the employer had a forensic analysis done on the laptop. It obtained copies of some of the emails from the internet cache folders, and even though the emails contained language about privilege and how the emails were intended only for the recipient, the employer asserted they were fair game. The court ruled that just because Stengart was using her employer provided laptop, that doesn’t dispel her expectation of privacy when accessing her personal email account. According to the New Jersey Supreme Court, “a policy that provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal password-protected email account using the company’s computer system, would not be enforceable.”
The FDA case seems to fall somewhere in between these two rulings. While the monitoring may be justifiable as a legitimate work-related investigation (not knowing the details, I can only assume), which would make the communications on the company’s email systems subject to monitoring should be within the realm of not violating their Fourth Amendment rights. However, when it extends to their personal email accounts, even if they are not attorney-client communications, it becomes possible that a line was crossed.
The take home for companies should be to make sure their Acceptable Use policies are clear, and that their systems have those click through banners that users must acknowledge that monitoring is a possibility on company owned systems—that is the basic beginning for dispelling that expectation of privacy. However, if during the course of an investigation, private communications are intercepted, the company should be guided by their Legal Counsel on how to proceed.
The outcome of the FDA case will hopefully provide further clarity in this somewhat murky issue.