We’ll be at Compliance Week National 2024 in Washington, D.C., April 2-4. Learn more or schedule a time to meet with us at the show here.

#Article

Investigation Options Without a Signed Technology Use Policy


Investigation Options Without a Signed Technology Use Policy

Creative solutions may be risky, but the risks of leaving unlawful behavior unaddressed may be greater

Posted by on

Every employer knows the feeling. You know some inappropriate or illegal activity is taking place involving one or more of your employees. You or somebody else has observed just enough irregular behavior from employees who have given you just enough cause in the past to question their integrity to make you almost certain the company has a problem on its hands. But you are lacking that piece of firsthand evidence to justify taking action on your strong hunch without putting the company at risk. There is no specific victim to interview as there would normally be in a harassment scenario, and there are no witnesses.

Temptation to Snoop

A few targeted minutes looking through one or more employees’ e-mail activity might very well give you what to need. But when you go to confirm that the employee(s) you need to investigate have signed off on the company’s technology use policy consenting to the company’s accessing their electronic communications, you cannot find it. It was just one of those details that was not properly attended to at the time of initial hire, or in some other way it fell through the cracks.

Your training tells you there are risks to not having the proper documentation in place. That's where technology use policies came from in the first place, to provide the notice and consent needed to limit the company’s risks under federal and state wiretapping and stored communications laws.

For the first decade or so of those policies’ existence beginning in the mid- to late 1990s, there were few challenges to employers relying on those policies as a basis for searching employee e-mail. In recent years, though, it seems that courts have more closely scrutinized employers’ monitoring policies and practices. So there is risk to the company in charging into electronic investigation mode without proper policies and sign-offs in place.

Getting Law Enforcement Involved

As an initial matter, if there is criminal activity suspected, contacting law enforcement is likely a good first step. Make the laws regarding information gathering their problem. Law enforcement will have an entirely different set of tools at their disposal, as well as restrictions on their ability to utilize those tools, but the risk to the company of making a good faith report to law enforcement agencies is slight.

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Further, to the extent there is potential exposure to the company for not having taken appropriate action in response to concerns, for example by arguably endangering other employees or even third parties by not responding properly to suspected drug use, the company’s duty of care should be satisfied by reporting the issue to a law enforcement agency.

Stealth Consent Approach

Also consider whether you can get a “stealth” consent that may put the company in a stronger position with respect to compliance with applicable laws governing monitoring. Needless to say, it likely will not be a successful strategy to approach a suspected wrongdoer and tell him that, in a routine personnel file audit, you learned that he did not properly sign the consent to the company’s technology use and monitoring policy.

However, the employer might be able to implement a blanket electronic consent that does not raise red flags and enable the offending party to destroy incriminating evidence. This could be done under the guise of a routine update/reminder via the company’s computer system.

As a general rule, the more specific and express consent is, the more likely that it will be treated as legal consent. So the “stealth consent” approach is not airtight, but it may strengthen the employer’s position enough that the risk/reward analysis tilts in favor of moving forward.

Look for Other Avenues

Also remember that every e-mail has more than one party. If the “suspect” is e-mailing with other employees in any respect, you may have the proper consents in place with the other employees. Look at their e-mail activity to see what communications they have had with the suspected problem employee.

These tricky situations require a balancing of risk and rewards. Of course the ideal situation is that updated policies are in place and consented to. Where they are not, employers need to choose among imperfect situations and, after consulting with counsel, may reasonably conclude to proceed under less than “laboratory” conditions under the monitoring laws. While there are certainly risks in doing so, the risks in leaving unlawful behavior unaddressed may be greater.