The difference between having a trade secret and not can come down to the steps that a company takes to protect its secrets.  The Uniform Trade Secrets Act, a version of which has been adopted in 46 states, provides that information qualifies for trade secret protection only if the owner takes steps that are reasonable under the circumstances to protect its secrecy.  Employers commonly take the obvious steps to protect their trade secrets – for example, requiring employees to sign confidentiality agreements or restrictive covenants, implementing electronic controls; and let’s not forget sending demand letters and threatening litigation.  These steps are obvious and therefore widely observed.  But what about proactive monitoring?  If you have a trade secret, you ought to keep an eye and ear out to make sure it’s not being used or disclosed.  But, be careful; doing so is not without its risks.

With recent (and not so recent) advances in technology, employers have substantial means at their disposal to monitor their employees’ conduct and communications.  Available options range from reviewing employees’ email communications and computer usage to monitoring telephone discussions.  In general, these tactics are lawful unless specifically prohibited by statute or the employee has a reasonable expectation of privacy under the circumstances. 

Surveillance of Employee Email

The Electronic Communications Privacy Act, 18 U.S.C. § 2510 (“ECPA”) was originally enacted to address the interception of wire, oral and electronic communications.  The statute was specifically amended to cover email communications. Under the ECPA, electronic communications may be intercepted with the consent of one party to the communication, or under certain conditions, by a service provider if necessary incident to the provision of the service or to protect the provider’s rights and property.  Some courts have held that a “service provider” includes an employer who provides email access to its employees.  The “service provider” exception becomes even stronger if the employer is monitoring emails once they are in storage (as opposed to during transmission) because such communications are subject to Title II of the ECPA, known as the Stored Communications Act (“SCA”). 

Despite these employer friendly exceptions under the ECPA/SCA, employers can make life easier for themselves by obtaining the express written acknowledgment and consent of employees.  To this end, employers should provide employees with clear and simply written policies noting the employer’s right to monitor all employee communications that involve the use of employer-provided technology.  It is a good idea to require employees to sign a written statement that they have been advised of the employer’s right to monitor communications.  Employers might even consider providing employees with electronic notification of these rights that requires employees to manually acknowledge receipt of the employer’s policy and understanding of its content through the clicking of certain boxes on screen.  Posting open and conspicuous notices throughout the work area will likewise serve to establish that employees lacked a reasonable expectation of privacy in their electronic communications.  (While you are at it, a well written policy may make the difference between having and not having a claim under the Computer Fraud & Abuse Act.)

Monitoring Use of Computers

Employers often provide employees with computers to use for work purposes that are capable of accessing workplace computer networks via direct and/or remote internet access.  Employees commonly can access the internet from workplace computers enabling them to receive and transmit information related to the employer’s business.  Employers should reserve, and just as importantly, employers should exercise, the right to monitor employees’ activities on these networks and via the internet.  The need to do so is heightened when there is cause to believe an employee has engaged in misconduct.  As with email communications, it is prudent to unambiguously advise employees that their activities are subject to monitoring, and to require their express acknowledgment.

Surveillance of Telephone Communications

Interception of telephone communications is yet another way to monitor the use and potential misuse of your trade secrets, but it is here that the ECPA has great potential to apply.   The ECPA generally prohibits interception of telephone calls, but a number of notable exceptions leave employers well positioned to monitor such calls.  The most notable includes interception with prior consent.  Consequently, if an employer intends to monitor telephone calls, the strongest form of consent is express consent.  Consequently, the best practice requires that employees should be informed and their consent obtained in writing.  This will leave little room to doubt whether employees had a reasonable expectation of privacy in their communications.  As noted below, some state laws require consent of all parties to the communication.  For this reason, we have all heard at one time or another the prerecorded message that “this call may be recorded for quality assurance purposes.”  In the absence of express written consent, other exceptions may apply.  Consult your counsel for details.

A Final Thought

As noted at the beginning of this article, employers are generally free to monitor their employees unless specifically prohibited by statute.  Federal statutes such as the National Labor Relations Act (NLRA) and the Labor Management Relations Act (LMRA) impose significant restrictions on employers’ abilities to monitor the union organizing activities of employees.  In addition, the ECPA does not preempt more stringent state laws, and accordingly, many states offer greater protection.  For example, California, Delaware, Florida, Massachusetts, and Pennsylvania are a handful of the many states that require “two-party consent” before an employer can intercept or record a telephone call in real time.  Similarly, Delaware and Connecticut have enacted statutes that address email monitoring.  Consequently, employers operating in multiple states or communicating with third parties from other states are wise to consider state law.

The bottom line?  If you have a trade secret, proactive monitoring of employees to protect your trade secret rights is worthwhile, but not without risks.  Consult your counsel and come up with a plan that balances your need to police use and disclosure of your trade secret, on the one hand, with the statutory rights and reasonable privacy expectations of your employees, on the other hand. 

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Departing employees sometimes access workplace computer systems to obtain information for purposes of using it in competition with their employer.  Sometimes they use the internet at work to send emails concerning their post-employment plans.  And while employers have many tools and tactics at their disposal to investigate their computers and related systems, these investigations are fraught with pitfalls for the incautious employer.

One of the issues employers need to be aware of in conducting such investigations is the unauthorized interception or monitoring of electronic communications – which includes e-mails – by an employee pursuant to the Electronic Communications Privacy Act, 18 U.S.C. § 2510 (“ECPA”).  The ECPA was passed by the United States Congress to update government restrictions on wire taps from telephone calls in order to protect transmissions of electronic data through computers.  In fact, the ECPA was passed by way of an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which was intended to curb unauthorized government access and monitoring of private electronic communications.  Through the ECPA, Congress prohibited the acquisition of a communication through the use of any electronic, mechanical or other device by criminalizing unauthorized acquisitions and creating a civil cause of action for victims of unauthorized acquisitions.  Title II of the ECPA, the Stored Communications Act, 18 U.S.C. §§ 2701-12 (“SCA”), protects certain electronically stored communications.

The intersection of the ECPA, the SCA and an employer’s investigation of a departing employee can become fertile ground for mistakes by the investigating employer.  When investigating an employee’s use of workplace computer systems, employers typically review corporate e-mails, corporate servers, and the computer assigned to the employee suspected of disloyal acts.  Such investigations can uncover personal information, like the passwords used by the employee for his or her personal, internet-based e-mail accounts, and this is where investigating employers need to be careful.  Some federal courts have held that improperly using these passwords to open and monitor the employee’s personal, internet based e-mail or social media accounts may give rise to a claim for unauthorized access under the ECPA and SPA.  See, for example, Pietrylo v. Hillstone Rest. Group, No. 06-5754, 2009 U.S. Dist. LEXIS 88702, at *10-11 (D.N.J., Sept. 25, 2009).  (A copy of the Pietrylo opinion is available in pdf format below.)

But the ECPA and SCA are not one-way streets running only in favor of departing employees.  These statutes apply with equal force to allegations of misconduct by disloyal employees, as demonstrated by the recent case of United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010).  Szymuszkiewicz was employed as a revenue officer by the IRS, and he was convicted by a jury of violating the ECPA.  In an appellate opinion affirming the conviction, Chief Judge Frank Easterbrook described Szymuszkiewicz’s conduct as:

"monitor[ing] email messages sent to his supervisor, Nella Infusino.  She found out by accident when being trained to use Microsoft Outlook, her email client.  She discovered a “rule” that directed Outlook to forward to Szymuszkiewicz all messages she received.  Szymuszkiewicz was convicted under the Wiretap Act for intentionally intercepting an electronic communication … agents found emails to Infusino stored in a personal folder of Szymuszkiewicz’s Outlook client -- in other words, Szymuszkiewicz not only received the emails but also moved them from his inbox to a separate folder for retention--which is not what would have happened had all of Szymuszkiewicz’s access been legitimate.…The jury could have chosen to believe Szymuszkiewicz’s contention that he received Infusino’s emails legitimately, or by mistake, but the evidence supported the more sinister inference that he obtained them intentionally and without her knowledge."

622 F.3d at 703-4 (internal citations omitted).  (A copy of the Szymuszkiewicz opinion is available in pdf format below.)

The takeaway from Szymuszkiewicz for employers is the importance of exercising extreme caution when conducting investigations of an employee’s use of corporate computer systems, as mistakes committed during these investigations could possibly give rise to independent civil, and potentially criminal, liability.  In addition to consulting with counsel and forensic computer specialists, employers should keep their eyes on the ECPA and SCA, under which one of the touchstone inquiries is whether there is authorization to access the electronic communications.

 US v Szymuszkiewicz.pdf (112.39 kb)

Pietrylo v Hillstone Restaurant.pdf (95.40 kb)

Brent Cossrow is a member of Fisher & Phillips' Employee Defection & Trade Secrets Practice Group.  Mr. Cossrow's practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.