July 21, 2021

Employment Law

Do I Have a Right to Privacy in the Workplace?

Electronics permeate our daily lives, in the workplace as well as at home. Ever more employees use company-issued cellular telephones in addition to computers, often (with an employer’s consent) for personal as well as work-related purposes. The blurring of lines between our work and private lives adds a special urgency to the issue of privacy in electronic communications. Unfortunately, the law gives few clear-cut answers to basic questions. The answers, to some extent, depend on who you work for and the invasion’s level of egregiousness.

What privacy rights do private sector employees have?

Unlike public employees (discussed below), employees of private companies have no Fourth Amendment right to privacy in the workplace. That doesn’t mean they leave their privacy rights at the door entirely when they head out for work. In Lake v. Wal-mart Stores, Inc., 582 N.W.2d 231 (Minn. 1998), the Minnesota Supreme Court made our state one of the very last to recognize a common law right to privacy. The three privacy rights pronounced in Lake are “appropriation,” “publication of private facts” and “intrusion upon seclusion.” The latter two have potential application to the workplace. Publication of private facts consists of (1) the publication of facts concerning a person’s private life, (2) which would be highly offensive to a reasonable person, where (3) the matter publicized is not a matter of public concern. Intrusion upon seclusion, in the court’s words, occurs when one “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns […] if the intrusion would be highly offensive to a reasonable person.” That standard was met in the Lake case, in which a Walmart photo lab employee copied and distributed a female customer’s nude vacation photos.

There is a paucity of case law in Minnesota addressing intrusion upon seclusion in the workplace. The few reported cases suggest that courts will impose a rigorous standard. In Gates v. Wheeler, No. A09-2355, 2010 WL 4721331 (Minn. Ct. App. Nov. 23, 2010), a business owner secretly accessed a co-owner’s personal and work emails, the latter of which was not subject to any employee email policy. Without deciding whether private employees have expectation of privacy over work email, the court noted that decisions of courts in other states are mixed on the issue.

By contrast, the court in Groeneweg v. Interstate Enterprises, Inc., No. A04-1290, 2005 WL 894768 (Minn. Ct. App. Apr. 19, 2005) had no difficulty dismissing plaintiff employee’s invasion of privacy claim based upon the mere fact that other employees were present at a meeting in which plaintiff was fired from her job for alleged insubordination. The facts were simply not sufficiently egregious. Similarly, the court in Walker v. Minnesota Mining & Mfg. Co., No. C4-99-1715, 2000 WL 520254 (Minn. Ct. App. May 2, 2000) dismissed a 3M employee’s privacy claim premised on an employee of a treatment consulting firm engaged by employer acquiring plaintiff’s medical records, accompanying plaintiff to treatment appointments, and sharing information from medical reports with the employee’s supervisor at 3M. As stated by the court, “Courts are not empowered to fashion and enforce remedies for callous, boorish, or petty behaviors.”

There are relatively more cases involving publication of private facts. One federal court applying Minnesota law has opined that publishing social security numbers and salary information of individuals without their consent would satisfy the elements of an invasion of privacy claim. Purdy v. Burlington N. & Santa Fe Ry. Co., No. 0:98-CV-00833-DWF, 2000 WL 34251818 (D. Minn. Mar. 28, 2000).

Three years later, the Minnesota Supreme Court clarified the legal standard concerning publication of private facts. The case, Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550 (Minn. 2003), involved an employer trucking company faxing the names and social security numbers of 204 of its drivers to the managers of 16 freight terminals. In dismissing the proposed class action brought by the effected employees, the court explained that to state a publicity-based privacy claim, a plaintiff must “communicat[e] it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.”

Under this standard, publishing private information to a public internet blog or website, such as LinkedIn, would easily qualify. Compare Yath v. Fairview Clinics, N.P., 767 N.W.2d 34 (Minn. Ct. App. 2009) (hospital employee’s temporary posting on public MySpace page of information about plaintiff’s sexually transmitted disease obtained from private medical records satisfied publicity element of claim, regardless of how many people actually visited the page) with Doe v. Kmart Corp., No. A16-0465, 2017 WL 474404 (Minn. Ct. App. Feb. 6, 2017) (Kmart employee’s disclosure of a customer’s Viagra prescription just to his estranged wife dismissed for lack of publicity.) Less clear would be publishing private information to a closed group, such as a private Facebook group. Would it depend on whether the individual had 10, 100 or 1,000 friends?

Do anti-hacking laws apply in the workplace?

The law is relatively clearer when it comes to an employer hacking into an employee’s personal webmail or cloud file storage accounts. The Federal Stored Communications Acts, 18 U.S.C. § 2701 (“SCA”) prohibits a person from accessing a “wire or electronic communication while it is in electronic storage.” The SCA and its state anti-hacking law counterparts apply in the workplace no differently than off the job. Thus, an employer who obtains an employee’s password without permission and then uses it to access the employee’s personal e-mail account violates the SCA. Even if the password itself was stored on the employer’s workplace computer, and where the employee used his email account to steal confidential information or trade secrets. Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008). The proper means of accessing an employee’s personal email messages would have been through discovery in a lawsuit or via a criminal search warrant.

By contrast, an employer does not violate the SCA by hacking into a Gmail or Yahoo! account established by an employee with a password selected by the employee where the particular account was created in the course and scope of employment and, critically, for work and not personal purposes. Estes Forwarding Worldwide LLC v. Cuellar, 239 F. Supp. 3d 918 (E.D. Va. 2017). A different rule applies to downloaded emails, as distinguished from emails stored and accessed in the cloud. Thus, in Owen v. Cigna, 188 F. Supp. 3d 790 (N.D. Ill. 2016), the court dismissed a former employee’s claims under the Computer Fraud and Abuse Act 18 U.S.C. § 1030(a)(2) premised on the employer’s accessing emails downloaded onto a work-issued laptop computer turned in by the plaintiff former employee following her resignation.  The same applies to information on a cellphone. Garcia v. City of Laredo, Tex., 702 F.3d 788, 793 (5th Cir. 2012) (text messages and pictures stored on a cellular telephone do not constitute “electronic storage” for purposes of the SCA).

No court has addressed what constitutes “permission” in the workplace for SCA purposes. Does consent exist where an employer threatens an employee with termination if he or she fails to provide a password for online accounts accessed by the employee from a work-issued computer during the workday? As always, the answer may depend on the particular circumstances of the case.

Can I sue under HIPAA if my private medical records are disclosed?

One common misconception is that employees have an absolute right to privacy concerning medical records maintained by employers. The Health Insurance Portability and Accountability Act, commonly known as HIPAA, makes health records private under federal law. The United States Department of Health and Human Services enforces HIPAA, not individual citizens. Lacking a private enforcement mechanism, HIPAA provides no means for an employee to sue an employer who, for instance, improperly accesses and discloses an employee’s medical records to a third party. I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585, at *1 (E.D. Mo. June 14, 2011).

Depending on the circumstances, a HIPAA violation could support a private lawsuit based on a common law invasion of privacy theory. The difficulty with filing such a claim is financial. Unlike laws prohibiting discrimination or retaliation, such as the Minnesota Human Rights Act or the Minnesota Whistleblower Act, there is no right for a prevailing plaintiff to recover attorney’s fees, making litigation in many cases cost prohibitive. To be sure, an invasion of privacy case involving extreme and outrageous facts, such as were present in the Lake case (discussed above), could support a claim of punitive damages. The threat of punitive damages against a large, well-funded business may help to level the playing field and make it at least theoretically possible for an aggrieved employee to find an attorney who might take her case on a contingency fee basis.

Do government employees have privacy rights at work?

The Fourth Amendment prohibits individuals acting under the color of law from subjecting people to unreasonable searches and seizures. The ban applies not just to government in its law enforcement and regulatory capacities, but to its activities as an employer. Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602 (1989). That said, government employees’ privacy rights are not unlimited. The test is whether a particular employee has a “reasonable expectation of privacy.” Courts applying this squishy standard do so in a context-specific, case-by-case manner. Summarizing the cases, the Eighth Circuit concludes that “the privacy interests of government employees in their place of work which, while not insubstantial, are far less than those found at home.” True v. Nebraska, 612 F.3d 676 (8th Cir. 2010). Thus, in the True case, the court concluded that random, suspicionless searches of employees’ vehicles, to prevent smuggling of contraband to prison inmates, was rationally related to legitimate state interest of institutional security and therefore constitutional.

A public sector employee has no reasonable expectation of privacy concerning email and internet browsing history on a password protected, work-issued computer where the employer notifies the employee, typically through an employee handbook, that information flowing through the employer’s computer network is subject to employer inspection. United States v. Bailey, 272 F. Supp. 2d 822 (D. Neb. 2003).  An employer’s computer policy giving it “the right to access all information stored on [the employer’s] computers” defeats an employee’s reasonable expectation of privacy in files stored on employer’s computers Wasson v. Sonoma County Junior Coll., 4 F.Supp.2d 893, 905–06 (N.D.Cal.1997). Interestingly, the salary information of all State of Minnesota employees is public information and can be obtained free of charge on the internet. Minnesota’s data privacy laws, however, make public employees’ medical records confidential and off limits to the general public.

Contact Our Minnesota Employment Lawyers

An employee’s right to privacy will depend on who the employee works for, the employer’s workplace policies and the specific facts of the case. If you have questions about your privacy rights in the workplace, contact our experienced employment law attorneys for a free initial consultation.