April 2011 IT Business Consulting Newsletter

A Reasonable Expectation of Privacy...

By Tom K

Is Your Business complying with and protected by a Reasonable Expectation of Privacy?

Civil Lawsuits abound. A husband gets charged with a felony (up to 5 yrs) for reading his wife’s email…


* Is your Company fulfilling the public’s Reasonable Expectation of Privacy as they communicate with your Company?

* Are your outbound communications ensuring they are handled with a Reasonable Expectation of Privacy?

* Can your staffs’ default Reasonable Expectation of Privacy cause problems for your Business?


This month’s article discusses the Reasonable Expectation of Privacy as it relates to how your Business handles incoming communications (email, phone, and US Mail), outbound email, and corporate resources utilized by your staff.

The article is based on general research and observations. It is meant to get you thinking about potential liabilities, present ideas to begin protecting your Company from those liabilities, but mostly to help protect your Company’s reputation.

The article is NOT meant to provide any legal groundwork or opinion. Research indicates that statutes concerning privacy vary between jurisdictions and are very subject to interpretation by the various courts. If this article generates any concerns of a legal nature, please consult with an attorney.

But, while legal is important, one huge key to your Business’ long-term success is its public reputation, and how it is perceived by your guests, homeowners, and staff. I wrote this article, therefore, leaning towards the conservative, providing suggestions that would be perceived as “the right thing to do” and cover those broad “reputation building” bases.


Your Staffs’ Reasonable Expectation of Privacy

I’ve seen this go both ways in the court cases I reviewed. In some states, the employee has no right to privacy concerning company owned resources, period. In others, the employee has every right to privacy, unless explicitly told otherwise. But, if the employee is advised as to her specific privacy rights within the company environment, and she acknowledges those rights, then her Reasonable Expectation of Privacy is re-defined.

Regardless of your regional situation, I strongly recommend that you define your Company rules and policies concerning the use of corporate resources, and your employees’ privacy rights within the corporate environment. Include these rules and policies in your Company’s Employee Handbook, and have your employees sign a statement of understanding as part of the annual review process. Not only will this help establish your rights to monitor the resources you own, it will also clearly establish your employees’ Expectation of Privacy and ensure they understand it. See my January 2012 article "Employee IT Use & Abuse Policy - Retain Control, Reduce Liability" for more details on creating and using a Use and Abuse Policy.


Define Your Company’s Reasonable Expectation of Privacy

Most people realize in the back of their minds that companies have some level of rights to read their staffs’ email. What they tend not to consider (in the front of their minds) is that this means companies can read mail they have sent to individuals in that company. While everyone “knows” email is not really private, most people have an emotional expectation that their day-to-day email communication is private. As I discuss in the following section, depending on the receiving company’s policies, this may or may not be so.

I suggest that you do what you can to protect your Business’ Expectation of Privacy by tagging all your outbound corporate email with a Privacy Statement. The legal effectiveness of the statement varies, but its message is clear and advises the recipient to “do the right thing” regardless of the local statutes.

A typical example is:

“The contents of this email transmission, including any documents transmitted by or accompanying this email transmission, contain confidential information, belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. This email and its content may not be forwarded to any other recipient except as authorized by law. If you are not the individual or entity named above, or you have received this email in error, please notify...”


The Public’s Reasonable Expectation of Privacy

The public typically initiates communications with your Business through three mediums: US Mail, Phone Calls, and e-Mail. Research indicates that the general public believes they have a Reasonable Expectation of Privacy in all three mediums, unless they are specifically advised otherwise. We should not be as concerned with legalities here as we are with the public’s expectations because, legal or not, these expectations are what will impact the reputation of your Company.

U.S. Mail

This one is pretty straightforward. Everyone believes it is a federal crime to open someone else’s mail (it is). The public, therefore, has a reasonable expectation that only the recipient will open the envelope. While there do appear to be some legal gray areas, the public’s expectation seems very well defined. So, unless you are the recipient, or you have been specifically authorized by the recipient or the sender, don’t open the envelope.

Phone Conversations

Privacy rights in this medium are difficult to resolve based on what I’ve seen from the legal end. Individual states have specific laws, the feds have different laws governing inter-state communications, and the statutes can vary depending on whether the conversation is business related or personal, and whether the call initiated from within your facility or came in from the outside.

The public’s privacy expectations, however, are quite well defined. Research indicates that, due to the proliferation of the “this call may be monitored” recording, the general public believes their phone conversations cannot be recorded without their knowledge and consent.

To placate the public’s privacy expectations, I recommend that if there is any chance your Company may monitor or record a conversation, you advise your callers. The recording will establish their privacy expectations up front, which will protect your Company's reputation. The recording could also help if you cross into one of those areas where you can’t monitor without both parties’ knowledge.

When you do create your recording, I suggest you monitor for “Quality” purposes rather than for “Training” purposes. I came across a case where a recording could not be used in court because “Training” was too restrictive.

E-Mail

Not surprisingly, a company’s right to monitor email is dependent on many variables, but more often than not it is legally allowed. Your right to monitor your staffs’ email can be enhanced via published corporate policy, but monitoring staff email typically entails monitoring the public’s incoming email. As noted above, the public tends to believe their day-to-day email is private, and they can feel violated if they find this communication has been intercepted. Remember, in their minds they have a Reasonable Expectation of Privacy, and if they’ve attached a Privacy Statement, they have a potentially Legal Expectation of Privacy. I strongly recommend, therefore, that you not monitor the public’s email unless you have specific cause, and that you limit monitoring in duration and scope.

One common reason to monitor an email account is when an employee goes on leave. A very simple means to advise the public that the recipient is not receiving the sender’s email is to set an auto-response using Outlook’s Out Of Office function, i.e., “Barb is on leave until May 15. Her mail is being forwarded to Carol until her return.”

This is also an excellent method for monitoring a departed employee’s email account for a limited period after the separation. A message like: “Bob is no longer with XYZ. His mail is being forwarded to Carol” advises the sender that her email is being forwarded and re-establishes her privacy expectations.

In either instance, whoever has been tasked with monitoring the account needs to check it daily and respond in a timely manner.


When an Employee Leaves

This is a much broader topic that I will discuss in a future article, but there are some aspects of the topic that relate directly to this article:

1. Change their password. This leaves their account live, but prevents them from accessing it.

2. Assuming you have a privacy policy in place, assign someone to review their existing email and forward mail important to your Business to the appropriate staff.

3. Have the departed employee’s replacement(s) telephone the departed’s contacts (from their Outlook contacts) to introduce themselves and provide new contact information. This is a very valuable touch point! And, it will redirect most of the departed employee’s incoming business email to the correct staff.

4. Assuming you have a privacy policy in place, assign someone to review their personal storage space on your servers, and on their PC.

5. After gathering any email or data of value to your Business, delete the user’s account. This will also remove the email account, and is undoubtedly the cleanest way to proceed. Anyone emailing to this account will get a non-delivery message stating the user no longer exists. If the sender was using this account to contact your company, they can easily find an appropriate alternative contact address via your web site if they haven’t already been introduced to their new contact.

6. If you feel it is necessary to keep a departed employee’s email account live for more than a month, ensure that you use an auto-response message and check the account daily as noted above. Failing to do either can impact your Company’s reputation.


My previous employer has kept my old email account live and continues to monitor it (I can’t imagine why) without using an auto-response message. Senders who have eventually learned the account was being kept live to monitor their incoming email were quite upset, especially those using Privacy Statements!


As always, if you have any questions or comments concerning this article, I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll shift back to the technical management side of the business with the promised discussion of Group Policy. (See "Use Group Policy to Centrally Tune YOUR Business Computing Environment"). This is an awesome systems management tool that absolutely shines in a Windows Active Directory environment (your typical Windows network). Group Policy is a tool that globally controls processes and functionality on all your servers and PCs. Priceless!