Can company read personal e-mail sent at work?

Do employees have a right to privacy when using personal email accounts, even when they send the messages at work? That depends on the situation, according to a few court cases that have tackled the subject.

Law bookIn one case, an employee sued the company for discrimination. After the suit was filed, the company looked through her work laptop to save all of her files.

The files included e-mails she sent via a personal, password-protected account. Copies of the messages had been automatically saved to her browser’s cache.

Some of the e-mails were conversations between the employee and her attorney, which contained evidence the company felt would help its case.

After the employer presented the messages in court, the employee claimed her rights to privacy and attorney-client privilege had been violated.

The company argued the employee had no such rights — its computer use policy stated that anything done on workplace computers could be monitored.

But the court disagreed. The judge ruled the employee had a “reasonable expectation of privacy,” because the policy didn’t mention that e-mails sent using a personal account would be saved to her hard drive (Cite: Stengart v. Loving Care Agency).

Boss read personal email on personal laptop

However, in a different case, a court ruled that the company was allowed to read personal email messages an employee had sent from his personal laptop.

In this case, an employee at a printing company was fired after he was caught doing work for a competing company owned by his wife while on his employer’s premises.

The employee frequently brought his own laptop to work to conduct business for the competitor. After catching wind of what was going on, his boss entered his office while he wasn’t there, and found an email concerning the brokering of jobs to the wife’s company on the laptop.

The supervisor printed the email and used it as evidence to terminate the employee. The employee then sued, claiming the company violated his right to privacy.

But the court sided with the company, saying it had a right to read those emails because they were sent using the company’s network, concerned a matter affecting the company, and were found as part of an investigation into a serious policy violation (Cite: Sitton v. Print Direction, Inc.).

Co-worker snooped after she forgot to log out

What if an employee forgets to log out of a personal account and the email is read by a co-worker?

That was the issue tackled by yet another court case involving employees’ personal email. In that case, an employee remained logged in to her personal account after getting up from a shared computer, and her email was read by a co-worker.

She sued, but the court ruled against her. The judge said she could not expect the conversations to remain private after leaving her account open on a shared computer (Cite: Marcus v. Rogers).

Email privacy at work – what can companies monitor?

In most cases, whether monitoring is legal or not comes down to two questions:

  1. Who owns and stores the email, and
  2. Did the employee reasonably expect the email to remain private?

In other words, if the messages are stored on the company’s network instead of by a third party, as would be the case with a personal Yahoo or Gmail account, then the company can probably read them without any trouble.

But, as the above cases show, things are trickier when the situation involves a third-party, personal email account.

While employers are normally within their rights to monitor employees’ work e-mail, courts will usually draw the line when the data’s stored by a third party.

However, if employees are appropriately warned that their computer activity in the workplace can be monitored — and if the monitoring doesn’t go beyond what’s laid out in the company’s policies — then employees likely can’t sue if the company reads their personal email.

Article was updated on July 24th to reflect new court cases.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy

Related Posts

  • Jeremy

    If an employee links their personal e-mail to Outlook or another e-mail client, there is a higher risk that they can infect the network or other computers when opening a malicious e-mail. In this case, personal e-mails linked to a program on a corporate PC should be monitored. If a user wants to check their web based e-mail through a web browser I am OK with that – as long as they don’t download attachments locally.

  • R. B.

    This makes sense to me. Monitoring e-mail sent from the employee’s company account is one thing, but to actually read e-mail that was sent to and from a personal, password protected account seems unethical to me. Certainly there should not be any expectation of privacy when it comes to company accounts. But even if I could, I would never read personal e-mail, especially when it was sent from the employee’s own personal account. I’m an HR manager and part of my job is to protect the company. I would have felt this was going too far and would have advised NOT to access any personal e-mail.

    Work and home boundaries are so blurred these days, it’s not reasonable to expect that an employee is never going to use work provided equipment to access private accounts…just as they often use their own equipment at home to access work accounts. Because of this, we have to make sure we, as the employer, don’t intrude where we shouldn’t. Otherwise, I think we will lose what we gain by having employees who work from home after hours. If we obtain the right to access their personal password-protected accounts just because we provided the equipment they use or because they use their home computer to do some work, employees will begin to reconstruct those walls and dividing lines and we will lose productivity.

    I personally work at home after hours on many occasions, but I would immediately discontinue this practice if it gave the company the right to access my personal accounts simply because I was using the same equipment for work and personal use. I’m sure opinions will be all over the board on this one, but I believe in respecting personal privacy while letting employees know they don’t have any privacy when using company accounts, regardless of who’s equipment they are using.

  • Amanda

    This should not be a surprise to anyone. In the EU and in certain countries (France, Italy, Poland), the worker can mark items as personal and/or private and has some level of protection under the law. In the US, the law has generally favored the business at the expense of its employees’ personal privacy. This definitely defines more of the line, but the US does very little to ensure personal privacy on company-owned systems. Users should be well aware of this. To that end, I actually have separate personal devices (smart phones) on which my work is rather well separated from my personal life. I have nothing to hide, but my business is my business and not the business of my employer. There is nothing saying that they would not use any data that should come into their environment to discriminate or make an employee’s life harder! I would rather not give them the ammunition.

  • Gary

    Excerpts from our Acceptable Use Policy already states:

    “XYZ CORPORATION provides its users with Equipment, Services and Technology as required for the performance and fulfillment of job responsibilities. “

    “The equipment, services, and technology provided for these responsibilities remain at all times the property of XYZ. As such, XYZ reserves the right to monitor and retrieve and read any data composed, sent, or received through our online connections and/or stored in our computer systems. All data that is composed, transmitted, received and/or stored via our computer and communications systems is considered to be part of the Data of XYZ CORPORATION…”

    “The Internet connection and e-mail system of XYZ is for business use only and is not to be used for personal purposes. “

    In this case my (non legal) opinion is that we would be covered for a situation like mentioned in this article with those phrases. Part of our standard process is all employees (now, new hires) are required to read the entire document and then sign and return the last page which states they understand the policy and while they may or may not agree with it, they will abide by it.

  • Scott

    Shouldn’t the employee be reading personal email on their own time and with their own equipment? Employees today expect to be able to read their Gmail, Hotmail, post on Facebook and other distractions from the job they are being paid for. Then they turn around and leave 5 mins before the normal work day end?

    Conduct your personal business on your own computer and mobile phone and do it when you are not being paid by your employer.

  • Jules

    i say yes, go ahead and read ‘em. it’s work! it’s a work email, i’m coo’ with that.

  • Mats

    The AUP Gary lists is one I’ve seen a few of, and really isn’t reasonable any longer. I work under one which understands that limited personal usage is okay, under terms described, and it’s a clear recognition that one cannot possibly slice a day into clean chunks of “work” and “personal” as R.B. notes. I think this case really settles nothing, because attorney-client privilege was involved. Any email from an attorney these days will automatically add a line that the communication is so covered, and if the client is smart, they will preserve the line in their own emails, and this would make these messages tainted no matter where they were scraped from, and no matter what policy was involved. I think it will be far more interesting to hear outcomes where such a clear situation does not exist, as that’s the gray area most worry about.

  • TxGeekGirl

    Employees should know that any time they use their work email for personal use, it is subject to to scrutiny by the employer. Your employer owns the computer, the bandwidth, the electricity, and your time while at work. What they should have done was charge her for theft for using her business computer for personal gain.

  • http://www.CoronaServices.net Jay_R

    If as a company I provide a company vehicle, and accompanying that vehicle is a policy that states employees are never to smoke in that vehicle, I, the company, should have the right to monitor whether someone is smoking in that vehicle. Does this sound appropriate? What if I add to the policy that the vehicle is not to be used for personal use–shouldn’t it be appropriate to monitor whether that vehicle is used for other purposes like hauling leaves to the dump, going camping over the weekend, etc.?

    Similarly, if as a company I provide a company computer, and accompanying that computeris a policy that states employees are never to use that computer for personal use, I, the company, should have the right to monitor whether someone is using that computer for personal use.

  • Greybeard

    Leaving aside personal prejudices (or at least trying to!) — it seems to me that the key is clearly defining the employee’s “reasonable expectation of privacy.” If the company, like the “XYZ Corporation” in an earlier response, states a clear, unambiguous policy, with a signed commitment by the employee to comply whether or or not the empoyee agrees, then the employee can’t IMO claim any “resonable expectation” to the contrary — so long as supervisors don’t say things that might cloud the matter.

    I would think that the company could further strengthen its hand by stressing the risk of compromising the syste to virused, hackers, etc. and then enforcing an absolute “no personal use” policy — not selectively enforcing it on those who have filed EEO complaints etc.

    I personally wouldn’t like having to abide by such policies, but it would at least clearly define whether or not I had any “reasonable” (plausible, enforcable) expectation of privacy.

  • Mike R

    Gary,

    It looks like you have a good policy that covers the bases. There could be a problem if managers do not follow up with regular training of employees (refresher) or blur the meaning by allowing some to occassionally use equipment for personal use (use the internet system to pay a bill or make a call to a sick spouse, etc.).

    I have seen the argument where the employee states “well, that’s what the handbook says, but that is not the real policy that the company enforces…”

  • Paul

    @Gary – Your AUP sounds pretty good there Gary in terms of covering this situation, I have to agree with earlier poster(s) though, it would make me uncomfortable in almost any situation I can think of to find myself reading emails that the sender clearly felt were secure and confidential. I suspect our AUP does not cover this, but does cover monitoring of web and (company) email, but nor do I see a clear case for wanting to cover it based on this case at least.

  • http://www.bankcda.com Stuart Gant

    The best way to separate personal from business is to block access to webmail like gmail, yahoo, etc. All email correspondence at work should be done through the corporate mail system. Next, make sure the IT policy states “email and Internet usage is monitored” so there are no expectations of prvacy at all. People have no business accessing their personal stuff at work anyway. We do provide a breakroom PC that is off the corporate network so users can check their personal email while on break.

  • http://sbartsch.blogsome.com Stan B.

    I think the judge hit the nail on the head. This isn’t about the policy, it’s about the expectations of privacy that the employee had using an password protected account to contact her attorney. Because most people don’t understand Browser Cache’s, they don’t understand that what they see and type on web-based e-mail sites actually remains long after they log off.

    If the company wished to use the cache as proof that the employee had made unauthorized use of the computer, and hence they had grounds to fire her, that’s one thing. But to use the contents of those e-mails is a completely different issue.

    The other problem is “selective enforcement.” If I am ever called on the carpet for using company resources for personal activity, I have documented a dozen different cases of those who are in positions throughout the company who have done the same, with no consequences. If they want to have such a policy, but only choose to enforce it when it becomes “convenient” to do so, I imagine there are other legal ramifications they would face.

  • Keith

    I’m curious, what if the employee has their personal mail sent to their employer. Does the employer have a right to open it?

  • Cleve Randle

    This is a stick area, that company’s need to be cautious about treading, and make their policies rational, clear, and legally consistent. Else, the company will ultimately end up loosing value added work that good employees often bring to the table.

    A old classic example of this is: An employee often works extra hours consistently providing his/her employer a 110% effort on most tasks. However, there is this manager/supervisor who is insist that employees always be at there desk at the exact starting time of the business day. However, this employee occasionally or maybe even frequently arrives at work 15 to 30 minutes late. But, that same employee is always on time for meetings and gets there work done in a timely manner, frequently works late, and puts in more than the minimum hours required by the company for each work day/week. Well, the manager/supervisor starts bugging the employee about arriving to work on time. Well guess what the employee starts showing up on time but he/she also starts leaving on time. …. and starts providing only 100% effort. …. Well the supervisor/manager got the employee to be at there desk on time each morning. BUT THE QUESTION IS, WAS IT A NET GAIN OR LOSS FOR THE COMPANY?

  • mike l.

    What if the company recorded all your phone calls on company phones? In this day and age, reading personal e-mails is pretty much the same thing.

  • Dana C.

    What about these examples:
    Employee X sends PII to a third party not affiliated with corporation XYZ
    Employee X sends untrue emails to media outlets about the financial health of the company
    Employee X sends confidential corporate information
    All of these are being sent using their personal email account that is password protected.
    I believe that Corporation XYZ has the right and obligation to protect their customer’s information, and their corporate reputation even if in the act of protecting the information/reputation this infringes on the employees right to privacy.

    I agree that a well written policy as it relates to Acceptable Use is critical, but just as important is the on-going training and education of employees on corporate policies, and the reason for the policies. In addition if the policy states that the company has the right to read all emails then the company better have a way to do that and be doing it across the board. Otherwise a Judge may not be sympathetic when the company violates the employee’s privacy.

  • Jeff K.

    For those arguing that there should _never_ be any personal use of business laptop, re-read the thoughtful post by R.B. above. For many, work and personal time and internet usage are blurred. For many, such a concrete policy would be an end to working extra from home.

  • Sean

    How dumb can you get, don’t send personal email using company hardware or servers. It’s store and forward. And if you’ve busted your company’s e-mail use policies, you don’t have a leg to stand on.

    Freedom of the press belongs to those who own the press. Get your own email account and laptop or iPone (sic) for your personal use.

  • http://www.ays.com JerrySte

    Quite frankly I believe that an employer is paying employees to work, not to e-mail other than work related e-mails. Companies, like Microsoft, Boeing and many others can, and do track every key stroke on company equipment. I feel it’s within their rights to do so. That said, if someone writes and receives e-mail during breaks AT WORK they should do so on the web browser as in yahoo. gmail and msn mail. It doesn’t take up space on a company computer which, by the way, is owned by the employer. An employer provides equipment for the employee to do a job. If, out of the goodness of their heart or for convienence sake, they issue a laptop to an employee to take home for work there or for on the road, it should be kept in mind tht it belongs to the employer. It is not personal equipment. If an employee doesn’t want anyone else to have the ability to read their mail or track their browsing habits, they should do it on their own equipment and on their own time.

  • mooja99

    The ‘P’ in ‘PC’ stands for personal. This applies even more to laptops: Why do companies provide these and then demand they NOT be used for anything ‘personal’? That is unreasonable.

    • http://www.facebook.com/people/Kay-Cee/100002531157762 Kay Cee

      It stands for “personal” only because when the term came into general use the common computer scenario was a mainframe to which a number of users connected via dumb terminal. A personal computer was one which could be used by only one person at a time.

      A PC is simply a one-user, self-contained workstation. The point is, the company purchases the equipment only because a PC is a tool employees need in order to do work for the company. “Personal” does not now mean, nor has it ever meant, company-purchased equipment belongs to the employee. The company spends the money, takes the tax deduction, and keeps the machine when the employee leaves.

      If an employee was fired, and decided to pack up their office PC and take it with them – then tried to use your argument to claim a “personal” PC obviously belonged to them personally – that employee would be charged with theft.

      Your answer indicates you likewise don’t seem to understand the difference between your property and others. An adjective alone, even if you had understood it’s meaning correctly, does not confer ownership.

      Your argument is therefore the argument of your average thief trying claim there was some justification for stealing from someone else.

      As a result, your argument a company is “unreasonable” to prohibit personal use of their own business property is not only illogical and ignorant, it is the same argument as the criminal who has been caught red-handed.

      Now, having written all that, I have to assume you intended your comment as a joke. If so, pick another line of work; you’re no comedian. Jokes are supposed to be funny.

      However, if you meant it seriously, please let us all know where you live, as that will save the businesses in at least one city hiring someone obviously untrustworthy.

  • Rob N.

    I am personally familar with a recent case in which an employee was running a personal business from the office during working hours and using her personal email for that business. I suggested, to our
    H R Manager that since our current HR policy does not address that particular issue of using her personal email that it be included in the next revision of the Employee Policy Manual. H R Manager agreed and sought advice from Legal. When HR ran it by Legal counsel, we were advised that such action might be considered harassment against the employee. Need I say more about the difference in opinions from H R to Legal??????

  • Ike

    I agree with Stan B about this case being one of expectations of privacy. I also agree with other comments on how the company used the information is what the judge had a problem with–they used the email to attempt to strengthen their case and did not draw a line with the emails to the attorney (big mistake). As for the use of work computers for personal use – the company needs a well defined policy outlining the use and any expectations of privacy which can then be used to determine employee performance. Where I work, access to personal mail sites is blocked at the firewall with a surf control application and our policy explicitly forbids using company computers for personal mail. We can use the equipment to surf the web during our lunch breaks as well as do work on the equipment but it is clearly stated that information written to caches and saved on the hard drive is subject to company review with no expectation of privacy. The rule of thumb I have always used is “if you do not want it broadcast on Times Square then don’t work on it with a company computer”–I keep personal and work physically separate using a personal smart phone and Macbook Air for personal stuff at a local hot site.

  • Gary

    Our policy (my XYZ example above) used to actually allow for limited personal usage (during breaks, after hours, etc.) however some abuses and the fact that you are then making judgement calls about what and when led us to the business only. It also greatly opened up the security risk. To extrapolate out a bit more… if we do/did allow for limited person usage, where do we draw the line? Email? Surfing? What kind of surfing? Basic sites? Social media sites? You Tube? Internet Radio? Job Hunting sites? Using YouTube or Radio as an example, when one user does so, not a big problem. When 10 or 20 or more are doing so, suddenly the internet feed grinds to a halt for those actually doing real business work on it. Solution? Ban usage or buy bigger/more expensive connections.

    The simple fact is that the company paid for the equpiment. The company pays for the access (internet feed, cell usage, etc.). The company is paying you to work. They own all the pieces and should have final say… as long as it is a consistent policy and is communicated to all users. Your laptop? Correction.. Your “Assigned” laptop… I think you get the idea.

  • Pingback: Corporate Security Monitoring - Personal email account privacy - Harry Waldron - Corporate IT Security

  • http://www.uscongress.com The_GIT

    Someone should kick mooja99!!!!!!

    We call computers in the work place “workstations”, not “PC’s”. Get a clue!

  • Andrew G

    It’s not necessarily a matter of what the employee expects or what the company says here – they violated previous precedent which clearly states that an employees private, password protected eMail is none of their business. The same way companies are not permitted to monitor personal telephone calls, they are not permitted to monitor an employees personal, password protected eMail. If the company has a problem with that, then they should block access to all personal eMail and require that employees use only the company eMail system to send/receive mail. It’s far safer and exposes their network to less risk since they are not exposed to potentially malicious downloads. That’s the responsible thing to do.

    But regardless of this, mail sent that is attorney/client privelege remains just that, and is not discoverable in any type of monitoring efforts. That’s the law, and it’s not going to change. It doesn’t matter what your policy includes or excludes; an entity cannot create rules that are in violation of standing precedents or existing privacy laws, just like they would never be permitted to monitor an employees personal telephone calls, regardless of what any stated policy said.

  • http://www.donallenagency.com Amber Amber B-Bamber

    Too many of my co-workers are constantly checking their personal email, facebook, dating sites & other non-work sites seemingly all day long. Management has finally asked IT to start monitoring employees’ PCs & they’ve begun calling in offenders to the COO’s office, so now employees are doing more work. So I have to agree that enforcement is key on top of a good handbook policy, otherwise the non-workaholics will try to get away with whatever they can.
    Personally I like to check my personal emails during the smokers’ breaks at 10am & 3pm for 5-10 minutes, I call it my non-smoking break. If they call me in that’s what I’ll say – while the smokers are hanging around outside smoking I’m checking personal emails, so would they rather I take up smoking instead?

  • http://pcinternetbanking.com/chase-internet-banking Bank online with Chase

    @chels I know what you mean, its hard to find good help these days. People now days just don’t have the work ethic they used to have. I mean consider whoever wrote this post, they must have been working hard to write that good and it took a good bit of their time I am sure. I work with people who couldn’t write like this if they tried, and getting them to try is hard enough as it is.

  • John

    IT questions about your personal cell phone. If your not into carrying 2 cell phones, one for work and one for business, for you agree to allow your company to wipe you cell phone clean if you loose it, let’s say you move on to another job, it is normal for IT to shut you off from the network immediately, but are they allowed to go through your own personal contacts and delete any of those who they feel are contacts they do not want you to possess. Like people who you have developed working relations with, made contacts etc. Is that legal?

  • Pingback: Court: Company can’t read personal email on employee’s smartphone