As work-from-home arrangements remain widespread, more employees wonder if their employers are monitoring their email, electronic messaging, or Internet browsing activity (whether they work on employer-issued or personal devices) and whether such surveillance is actually legal. While a recently-enacted New York law does not shed light on which forms of electronic surveillance are lawful, it obligates employers notify employees in writing if they are planning to engage in such a monitoring.
Requirements of the New Law
Effective May 7, 2022, New York’s Civil Rights Law § 52-c requires private employers with a place of business in New York State who will be (lawfully) monitoring electronic communications of employees to: (a) provide a prior written notice upon hiring to the affected employees; (b) obtain the employees’ written or electronic acknowledgement of the notice; and (c) post the notice of electronic monitoring in a conspicuous place visible to the employees.
The notice must state that:
Any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.
(N.Y. Civ. Rights L. § 52(c)). Covered employers, however, are not required to provide notice of activities designed to manage the type or volume of incoming or outgoing electronic mail, telephone voicemail, internet usage, that are not targeted to monitor or intercept the electronic mail, telephone voicemail, or internet usage of a particular individual, or that are performed solely for the purpose of computer system maintenance and/or protection.
How Will the New Law Affect Employees?
What practical effect, if any, will the new law have upon employees? It will largely depend on what they will choose to do with the newly discovered information that their employer is surveilling their electronic activities. Although workers in need of a job may not resign because they feel uncomfortable with the surveillance, those who challenge an employer’s surveillance practices based on a reasonable belief that the practice is unlawful may be protected from retaliation for doing so under New York’s whistleblower law. (N.Y. Labor Law § 740).
Will an employer who fails to provide the required notice be subject to any penalties? Civil Rights Law § 52(c) does not provide employees with a private right of action against the employers in case of such a breach, but the new law empowers the New York Attorney General to enforce its provisions and impose civil penalties of up to three thousand dollars for each failure to provide the notice.
To emphasize the earlier point, however, the new notice law does not specify what types of employee surveillance are “lawful,” which is a subject of a much broader discussion. Suffice it to say that, in many instances, the answer will depend on a multi-factor analysis, including whether the employee had a reasonable expectation of privacy in their electronic communications and the applicability of state and federal privacy laws, such as the federal Electronic Communications Privacy Act of 1986, the Health Insurance Portability and Accountability Act (HIPAA), employment agreements, and collectively bargained agreements. For example, as to state laws, New York’s Wiretap Act (N.Y. Penal Law § 250.05) makes it a felony to “unlawfully engage in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.” Because, however, an employee’s “consent” eliminates liability, consent forms are usually among the many pieces of paperwork that employers typically require employees to sign at hire. Another New York law, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), N.Y. Gen. Bus. L. § 899aa, et seq., requires covered employers to implement certain data security safeguards to protect employees’ personal information, such as social security and credit card numbers and, since 2019 – user names or email addresses in combination with a password.
In conclusion, although the new data privacy law is a promising step in the direction of employer transparency and accountability, there are still many complex questions when it comes to employee surveillance, particularly in the changing landscape of the workplace.