Walking the line in Message Monitoring with Rules
The recent Quon v. Arch Wireless decision has raised many questions about a company's ability and right to monitor employee communications. Fortunately, a deeper read shows that the real issues centered on the employee's reasonable expectation of privacy, which a well-documented and communicated policy solves handily. So an employee might ask, "I know that the company owns my email, but do they really read it?"
Unless you are a financial company regulated under NASD Rule 3010 or 3110, you are almost certainly not opening and reading your employees' email without cause. Knowing that the company has the right to review the communications is very different from expecting that it will be done routinely. Most employees are comforted by the assumption that 'it won't happen to me as long as I follow the rules'. An argument could be made that absent a public practice of routine or random checks, every employee has an implicit reasonable expectation of privacy. A well-implemented policy lays the foundation for the employer's rights over the messages, but anything is possible given the right venue, counsel and fact pattern.
This illusion of privacy, or at least anonymity, encourages improper and unprofessional communication modes. If you knew that your boss would read every one of your emails some day, you would think twice about off-color jokes, vendor social invitations and other messages that easily give the wrong impression. You would also probably update your resume and find another job outside of such an Orwellian atmosphere. We do not want someone reading our email without cause, period. We have gotten used to thinking of email and IM as being personal modes of communication when they are essentially a form of broadcast communication.
So how is a company to walk this fine line? The burden of checking even a small percentage of random messages has proven less than optimal in regulated environments. The SEC has recently modified rules to allow companies to utilize automatic categorization systems to screen for messages of higher interest. If you dive into these applications, you quickly discover that they are nothing more than static rule filters. They are effectively large searches that run on every item as it passes through the message system and then act on items that meet the rule criteria by placing tags, quarantining the message or sending alerts.
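The kind of static rule filter described above, as an added example that is not from the original post or from any vendor's product: each rule is a search pattern with an associated action (tag, alert or quarantine), and the strongest matching action wins. The rule names, patterns and sample messages are constructed for illustration; message m4 is included as a deliberate false positive.

```python
import re
from dataclasses import dataclass

# Action severity: when several rules match, the strongest action wins.
SEVERITY = {"tag": 1, "alert": 2, "quarantine": 3}

@dataclass(frozen=True)
class Rule:
    name: str      # category label placed on the message
    pattern: str   # the search, as a case-insensitive regex
    action: str    # "tag", "alert" or "quarantine"

# Constructed rules (assumptions, not taken from any real product).
RULES = [
    Rule("trade-secret", r"\b(confidential|proprietary)\b.*\b(roadmap|source code|pricing)\b", "quarantine"),
    Rule("fraud", r"\b(backdat\w*|off the books|guarantee[ds]? returns?)\b", "alert"),
    Rule("hr-conduct", r"\b(off[- ]color|nsfw)\b", "tag"),
]

def classify(message, rules=RULES):
    """Run every rule against one message; return (tags, strongest action or None)."""
    text = message.get("subject", "") + "\n" + message.get("body", "")
    tags, action = [], None
    for rule in rules:
        if re.search(rule.pattern, text, re.IGNORECASE | re.DOTALL):
            tags.append(rule.name)
            if action is None or SEVERITY[rule.action] > SEVERITY[action]:
                action = rule.action
    return tags, action

def screen(stream, rules=RULES):
    """Screen messages in transit; only messages that hit a rule are surfaced."""
    results = {}
    for msg in stream:
        tags, action = classify(msg, rules)
        if action:
            results[msg["id"]] = (tags, action)
    return results

# Constructed sample traffic.
SAMPLE = [
    {"id": "m1", "subject": "Lunch?", "body": "Noon at the usual place."},
    {"id": "m2", "subject": "FYI", "body": "Attaching the confidential Q3 pricing sheet for your new employer."},
    {"id": "m3", "subject": "Invoice", "body": "Let's keep this one off the books and backdate it."},
    {"id": "m4", "subject": "Policy reminder", "body": "Confidential: HR will update the pricing of parking passes."},
]

if __name__ == "__main__":
    for mid, (tags, action) in screen(SAMPLE).items():
        print(mid, action, tags)
```

Message m1 never reaches a reviewer, while m4 is quarantined even though it is harmless, which is why such rules need testing and regular tuning.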
With the increase in SaaS and outsourced messaging/archiving systems, this categorization functionality is now becoming accessible to SMB customers. Estorian's LookingGlass service can actually categorize traffic in motion and alert management to potential loss of trade secrets, fraud activities or HR violations from saved searches that have an action associated with them.
This kind of monitoring by impersonal, rule-based filters shows that the company is serious about protecting its information assets and yet avoids the stigma of a person looking over the employees' collective shoulders. No filter or rule is perfect, and they will require an investment to create, test and regularly update, but they demonstrate that even a small public company can enforce retention and message system usage policies without breaking the bank or waiving effective ownership of the ESI.