This article first appeared in New Jersey Lawyer Magazine
(August 1999, The Law and the Internet Issue)

     Computer technology and the Internet have become indispensable assets in the workplace. However, the courts and the legislature are one step behind in interpreting and creating laws that will adequately reflect the interaction between this new technology and society. As a result of this absence of clear legislation and judicial precedent, it is difficult to advise a client as to the implementation of computer and Internet policies. The prudent lawyer should, therefore, recommend a computer and Internet policy that accounts for all reasonably foreseeable interpretations of the law.

     One growing area of concern is the issue of employee privacy in the computer age. Employees commonly engage in computer and Internet related activities in the workplace and the majority of such activities are conducted on computer systems owned and operated by the employer. Electronic communications are routinely sent, received and stored with the aid of employer computer systems and electronic documents are routinely stored in these systems. This begs the question of whether an employee has a privacy interest in any of these communications or documents and, if so, what the nature and the scope of that privacy interest is. Confusing matters, is the case of employees who are tele-commuting, especially when they are using company-owned computers.

     There are currently four main sources of law that are relevant to the “electronic privacy” of employees. First, there is a common law tort for the “unreasonable intrusion on the seclusion of another”. Second, there is a constitutional action available to public employees under the search and seizure provisions of the Fourth Amendment of the U.S. Constitution. Third, there are statutory causes of action under both federal and New Jersey law. Finally, there may be statutes that create a property interest in electronic data that are relevant to an employer’s ability to delete employee e-mails, electronic documents and other data files. New Jersey, for example, has two such statutes. The first half of this article explores these applicable sources of law and suggests protocol that employers may wish to implement to prevent and avoid liability for monitoring, viewing, taking or erasing electronic communications, documents or data in the workplace. The second half will address issues of student privacy in the public schools.

 Common Law Tort Actions

     Those who offend the privacy interest of another may be held liable in tort for an “unreasonable intrusion upon another’s seclusion.” An “unreasonable intrusion” is measured from the standard of what a reasonable person would find “highly offensive,” and the tort consists of an intentional intrusion into the “private affairs or concerns” of another. The law does not demand that the intrusion be physically perpetrated, and a cause of action may properly arise out of “the use of the defendant’s senses to oversee or overhear the plaintiff’s private affairs” in an investigation or examination. An arguably unreasonable intrusion by an employer will not form the basis of liability if the employee has consented to the intrusion.

     The intrusion must be both objectively and subjectively unreasonable for the claim to be properly brought. There is generally a lowered employee expectation of privacy in the workplace, and furthermore, there can be no expectation of privacy if an employee conducts the activity in a manner “open” to other employees. One federal district court (applying Pennsylvania law) has held that there is no recognizable privacy interest in employee e-mails, even when middle management has guaranteed that employee e-mails would remain confidential. Presumably, if an employee is working at home, his or her expectation of privacy would be greater than if at the office, and greater still if the employee was working on his or her own computer.

     In the event that the employer is a public employer, a damages claim for an unreasonable intrusion upon another’s seclusion may be greatly limited by state legislation. Many states have enacted legislation comparable to the Federal Torts Claim Act which greatly reduces the tort liability of state actors. For example, the New Jersey Tort Claims Act places a severe limit on damage recoveries for pain and suffering. The federal court for the District of New Jersey has interpreted this to limit emotional distress damages that flow from a tortious intrusion on one’s seclusion.

  Constitutional Actions

     A civil action may also be brought under the search and seizure provisions of the Fourth Amendment to the U.S. Constitution if a public employer commits an intrusion on an employee’s privacy. These suits are often times brought as a Section 1983 claim for damages. One relevant question that has arisen in this area is what exactly constitutes the scope of a “workplace” for the purpose of the Fourth Amendment right to privacy. In O’Connor v. Ortega, the U.S. Supreme Court attempted to answer this question by using a “luggage” analogy.

     First, the Court articulated that the workplace consists of all facilities and physical premises, including the personal workplace office, desk, and filing cabinets of an employee. The Court continued by discussing a hypothetical situation in which an employee brings a piece of personal luggage to the workplace. Although the outward appearance of the luggage may be subject to the diminished expectation of privacy, the contents of such luggage are not. How this analogy may be applied to the electronic context has yet to be seen.

     The Ortega Court continued by stating that employees do not automatically lose their expectation of privacy simply because they are in the workplace. The reasonableness of a workplace privacy expectation may be ascertained by looking to the relationship between the employer and the employee. As a result, the workplace expectation of privacy must be addressed on a case-by-case basis. The Court found that a public-hospital doctor may have a reasonable expectation of privacy in the contents of his personal workplace office under some circumstances.

     The Court then stated that even in the presence of a reasonable expectation of privacy, a public employer might still conduct reasonable searches. A public employer has an interest in “the efficient and proper operation of the workplace” that must be balanced against the employee’s right to privacy. Public employer intrusions on employee privacy may be held reasonable if they are for either: (1) “noninvestigatory, work-related purposes”, or (2) investigations of work-related misconduct. Finally, it should be noted that the privacy intrusion must be justified both at its inception and in its scope.

     As an additional matter, it should be noted that the New Jersey Constitution also provides for a right to privacy. It has been held that the search and seizure provisions of the New Jersey Constitution create a limited right to be free from government intrusions into private affairs. The New Jersey Supreme Court has also indicated that the violation of the right of privacy by a private employer may form the basis of a wrongful discharge suit if the discharge was based on a violation of the employee’s privacy interest.

 Federal and State Statutory Actions

     The federal Electronic Communications Privacy Act (“ECPA”) is another source of employer liability for an intrusion on the electronic privacy of another. The ECPA provides for both civil and criminal liability, and it is broken up into two titles. Title I deals with the unauthorized and intentional interception of transitory electronic communications, and Title II deals with intentionally gaining access to stored communications without authorization.

     In general, Title I of the ECPA prohibits: (1) intentional interceptions of transitory electronic communications, and (2) intentional uses or disclosures of content procured by interceptions of transitory electronic communications. There are two important exceptions to ECPA’s prohibition on intentional interceptions: (1) the “business use exception,” and (2) the “consent exception.”

     The business use exception permits intentional and unauthorized interceptions if the interceptions are “within the regular course of business” and if the employer has a “legal interest” in the subject matter of the communication. Although an employer may monitor business communications, the scope of the exception does not include personal communications. For example, and by analogy, one court has held that when an employee uses an employer’s phone to conduct a job interview with a potentially new employer, such a conversation may not be monitored because it is not within the regular course of business. On the other hand, a court has found a telephone call to be within the regular course of business when the call was: (1) between employees; (2) made during office hours; and (3) when the remarks were about a supervisor. Similarly, it has been held that an employer may monitor an employee’s phone conversation when the employer suspects that the employee is revealing confidential trade secrets and the monitoring is limited in time and purpose.

     If an employer would like to possess the legal ability to continually monitor all electronic communications, it is advisable for the employer to articulate such a policy in writing and define the exact nature and scope of the monitoring process. Again, by analogy, one court has held that a policy of monitoring all telephone calls constitutes a monitoring within the ordinary course of business, provided that all employees were aware that the phones would be monitored for “quality control.” As such, all written policies should be distributed to all employees.

     The consent exception permits intentional interceptions when there has been express or implied consent. This exception requires that an employer give notice of monitoring to employees in order to avoid liability. One court has held that notice need not be formal, but it should be “more than casual” and it should communicate the full scope of the monitoring. Another court has held that notice by itself is not enough and that assent may be required. Finally, it is important to note that the element of consent is satisfied even if only one party to the communication has consented.

     Title II of the ECPA provides for civil and criminal liability for the intentional and unauthorized access to stored electronic communications. Even if an employer does not have the right to “intercept” an electronic message, the employer may still be able to access the message once it is in electronic storage. However, the extent to which an employer may be able to monitor stored employee communications under the ECPA will depend largely on the judicial interpretation of the term, “authorized.” For example, a court may or may not find that employee authorization is implicit since the employee is obviously aware that the communications are being stored on the employer’s own computer.

     When reading Title I and Title II of ECPA together, the question arises: whether an unopened e-mail constitutes a transitory communication or a stored communication? The difference is significant, because statutory damages for stored communications are $1,000 per violation, while statutory damages for intercepting transitory communications are $10,000 per violation. One federal court has held that an unopened e-mail constitutes a stored communication for the purposes of the ECPA, and that the intentional and unauthorized access to an unopened e-mail may lead to liability equivalent to $1,000 per violation.

     Employers need to be cognizant that their voice-mail systems may be covered by the ECPA. Many voice-mail systems today store telephone phone messages electronically on a computer server. Thus, the ECPA would prohibit accessing (hearing) of these telephone messages unless the employer’s activities falls within one the ECPA’s exceptions.

     In addition to the ECPA, there are other federal statutes which may touch on the issue of electronic monitoring. One such law is the Economic Espionage Act of 1996 (EEA). The EEA criminalizes theft of trade secrets, even if the secret electronic files are copied onto a diskette owned by an employee. The law closed a loop-hole in criminal statutes that required there be a theft of physical property. Arguably, when a file is copied onto a diskette or other magnetic medium, there is no taking of physical property.

     Other federal statutes which may be relevant on the issue of electronic monitoring are: the Mail Privacy Statute, the Cable Communications Policy Act, the Privacy Act of 1974, the Fair Credit Reporting Act, the Privacy Protection Act of 1980, the Right to Financial Privacy Act, the Telephone Consumer Protection Act of 1991, and the Federal Records Act. Depending on the facts of a particular case, it may be prudent for a concerned employer or employee to research these laws.

     The New Jersey Wiretapping and Electronic Surveillance Act (“WESA”) is New Jersey’s analogous statute to the ECPA, and the two statutes are similarly structured. The WESA provides for both civil and criminal liability, and contains both a “consent” exception and the “ordinary course of business” exception. Like the ECPA, the WESA is divided into two provisions that separately address stored communications and transitory communications. Furthermore, punitive damages are available for the interception of transitory communications, while only compensatory communications are available for an unauthorized access of stored communications.

Employer Destruction or Alteration of Stored Employee Communications

     While the ECPA and the WESA deal exclusively with a party’s privacy interest in their electronic communications or documents, other statutes protect a party’s property interest in their electronic communications or documents. For example, New Jersey has two statutes that address the civil and criminal liability of a defendant who has deleted, altered, or committed any other similar destructive act to data belonging to another. It is possible that these two New Jersey statutes might be construed in a manner which creates an employee property interest in electronic communications and documents.

     N.J.S.A. Section 2A:38A-3 (the civil statute) provides that a party who destroys, alters, damages or takes the electronic data of another may be liable for damages to the owner of the data. Because employees often have personal data on an employer’s computer system, a New Jersey employer should think twice before knowingly or purposely deleting these files without employee authorization. The civil statute has yet to be interpreted by the courts, and consequently, two important issues remain unclear.

     First, the civil statute does not indicate whether the destroyed data must be on a computer system belonging to a party other than the defendant in order for a claim to be properly maintained. This is relevant because the destroyed data (or altered, etc.) was probably stored on the employer’s own computer system. Second, although the civil statute includes intangibles within the scope of its protection, it does not indicate who is deemed to own the intangible data once it is loaded onto the employer’s computer system. Despite these ambiguities, N.J.S.A. Section 2A:38A-3 may be a source of employer liability if the employer takes steps to “cleanse” its computer system of employee data. Under the civil statute, an employer may be liable for damages equaling: (1) the fair market value of the data provided that a both “willing buyer and willing seller” exist, or (2) the cost of “generating or obtaining [new] data and storing [it] within a computer or computer system.”

     In addition to civil liability, such activities may open a New Jersey employer up to criminal liability. N.J.S.A. Section 2C:20-25 (“the criminal statute”) provides for criminal liability and it utilizes similar language to Section 2A:38A-3. The criminal statute states that a party is guilty of “computer theft” if the party knowingly or purposely damages, alters, destroys or takes the data of another without authorization. The degree of the criminal penalty for committing “computer theft” is dependent on the monetary value of the destroyed data. Unfortunately, the criminal statute suffers from the same ambiguities as the civil statute.

Suggested Protocol for Employers

     Employers would be wise to implement a formal, written policy that governs the use of its computer system and addresses issues of electronic privacy. The policy should also account for other computer and Internet issues that are not the subject of this article, such as copyright and trademark infringement, defamation, sexual harassment, and document retention policies. Moreover, new computer and online legal developments occur continually. For example, Virginia has recently passed a statute barring public employees from the unauthorized retrieval of sexual material on state-owned computers. This law was found to be constitutional and must be accounted for when drafting a computer and Internet policy for a Virginia employer.

     As to the monitoring policy, all employees should manifest their assent to its terms, preferably in writing, and the key points should appear on the log-in screen of every employee’s computer so that the employee’s expectation of privacy will be “refreshed” upon each computer use. The log-in screen should also tell the employee where a copy of the full policy is available, and the computer should condition entry into the system upon acceptance to the terms of the policy.

     A strict policy may disallow any personal use of the computer system whatsoever, but a more liberal policy may allow for some personal use and, consequently, a larger expectation of privacy. Either way, however, the policy should clearly state that the computer system and its contents are the property of the employer and that the system is to be used primarily for business purposes.

     Policies which state that the computer system may only be used for business purposes and that are not enforced may open the employer to attack that enforcement against the plaintiff was selective or discriminatory. If the e-mail system is used by employees seeking a ride home from work, announcing a birthday, selling a car, or for other personal reasons, the employee may claim that the employer should be estopped from selectively enforcing the policy. Moreover, an employee may claim that he or she was singled out due to race, sex, age, religion, national origin, or disability. Employers need to exercise common sense in drafting such policies. Just as an employer may not ban use of the company phone system for personal calls, it may not be practical to prohibit employees from using e-mail for any personal messages. Employers must balance the desire to maintain a pleasant work environment with the need to implement sensible computer policies.

     An employer’s electronic privacy policy should be drafted in a manner which alerts employees that all employer computers may be monitored at any time. The scope of such monitoring may include: (1) all electronic documents or communications stored in the computer system; (2) all electronic information or communications sent, received or stored with the aid of the employer’s computer system; and (3) all other manifestations of electronic data or information that reside on the computer system regardless of who may own the data or information, and regardless of whether it resides on the computer system for a transitory, temporary or permanent amount of time. Having such a policy will diminish the employee’s expectation of computer and Internet privacy, and it may have the legal effect of constituting employee consent to electronic monitoring.

     Regardless as to whether an employer would like a strict or a liberal policy, the policy should articulate detailed specifics about the monitoring process. The policy should effectively communicate who will be doing the monitoring, when the monitoring will be done, how the monitoring will be accomplished, why the monitoring is being conducted, and what types of computer uses are included within the scope of the monitoring process. By precisely defining these details, it is easier for a court to identify whether an employee expectation of privacy was reasonable and whether the employee had in fact consented to electronic monitoring.

     Finally, the policy should also explain that an employee does not have an ownership interest in any data or information that resides either permanently or temporarily on the employer’s computer system. The policy should also clearly state that employees may not copy or load software, data or other information onto the employer’s computer system. Employees should be given notice that any information stored on the computer system may be deleted or destroyed at any time and at the discretion of the employer. The inclusion of these provisions in a written policy may help an employer avoid potential liability under N.J.S.A. Section 2A:38A-3 and Section 2C:20-25.

 Conclusions on Employee Privacy

     There are many issues of employee privacy that may arise in the workplace and the nature of an employee’s reasonable expectation of electronic privacy in the workplace has become a growing concern of many employers. Just as employees may reasonably expect that they have a privacy interest in their personal mail delivered by the post office, employees may also believe that they possess a similar degree of privacy in their electronic mail. An employee may also believe that their computer files are just as private as the documents that they may store in their personal workplace office, desk or filing cabinet. However, employers have a justifiable interest in the oversight of business related employee communications, and in the use of its costly computer systems. These two interests must be weighed against each other in ascertaining whether an employer has violated the privacy of an employee. Consequently, an employer may wish to implement a procedure of electronic monitoring so as to ensure that the systems are being used at least primarily for business purposes as opposed to solely business purposes.

     At the same time, a well-drafted computer policy can decrease the probability of an employer having to engage in drawn out litigation with an employee, and it may help mitigate the potential hardships that result from the uncertainty of judicial precedent in the computer age. These policies can be used to decrease the employee’s workplace expectation of privacy, and they may also serve as a shield if an employer is on the defending side of a lawsuit.

     The increasing wealth of online information can make the Internet an invaluable and creative source of educational materials for students in the public schools. At the same time, however, the Internet harbors much information that may be properly deemed inappropriate for viewing by children. Students can easily locate online content such as pornography, hate speech or even instructions on how to build dangerous explosives. Furthermore, school children may be easily tempted to share personal information with anonymous and ill-intentioned persons, or to use the school’s e-mail system to send or receive inappropriate communications. Despite these problems however, many school systems will continue to exploit the educational potential of the Internet, while, at the same time, instituting a policy to prevent children from online harms. Such a policy may include supervision of students, the use of Internet filtering software, and the utilization of a system of electronic monitoring.

     Electronic monitoring and content filtering are now more important than ever, because the courts have been consistently striking down congressional attempts to regulate Internet content objectionable to school children. The U.S. Supreme Court first struck down relevant provisions of the Communications Decency Act, and then, more recently, a District Court enjoined the government from enforcing the Child Online Protection Act (COPA). COPA required online providers of adult content to verify the age of an Internet user before the user may access the objectionable content. COPA was enacted to keep students and other children away from objectionable content. In the event that the injunction is not lifted in a future proceeding, then COPA will not be able to stop adult content from reaching children. In the case of Mainstream Loudoun v. Board of Trustees of the Loudoun County Library, the court held that it was unconstitutional to filter out content for adults, however it was permissible to do so for children.

     Student Internet use triggers many legal concerns. This segment of the article, however, is limited to addressing the legal implications of electronic monitoring. Furthermore, this article will suggest protocol that a public school system may wish to implement in order to avoid liability for an improper invasion of a student’s “electronic privacy”. The legal issues that this article examines is somewhat interrelated with the issues discussed above in the context of employees.

 Constitutionally Permissible Searches

     A student’s legally protected privacy interest might be implicated when school personnel search a student’s electronic communications or documents. In substance, by monitoring electronic communications, a public school may be conducting a “search” under the provisions of the Fourth Amendment of the U.S. Constitution. Because a public school is a creature of the state, it may only conduct such searches if the search satisfies specific constitutional requirements. In the event that a school conducts a search that is an alleged invasion of privacy, a court will first inquire whether the student had a reasonable expectation of privacy in the subject matter of the search. If the answer is in the negative, then the inquiry ends since there would be no Fourth Amendment invasion of privacy. If the answer is in the affirmative, then the court will look to see if the search was reasonable. If the search was unreasonable, then a court may find an improper invasion of the student’s privacy.

     An unresolved issue is whether it matters who owns the computer or media on which an electronic document is stored (or being transmitted). It remains to be seen if a student has a reasonable expectation of privacy in the electronic communications or documents that they store or transmit with the aid of a computer owned by the public school itself. Although no court has addressed this issue directly, an analogy may be attempted in order to predict how a court might rule in the future.

     In the case of New Jersey v. Engerud, the New Jersey Supreme Court held that students may have a reasonable expectation of privacy in the contents of their school locker. This was because students commonly keep their personal effects in their locker, as the school locker becomes their “home away from home.” In reference to the fact that the school itself owned the locker, the Court stated that “the Fourth Amendment protects people, not places.” In addition, students are justified in believing that the administration will only use the “master key” to open the locker at the student’s request. It should be noted however, that the Court stated that an expectation of privacy may not have existed “[h]ad the school carried out a policy of regularly inspecting students’ lockers.”

     Other jurisdictions have held that there can be no expectation of privacy in a student locker. One case held that a school had the right to inspect because it had assumed joint control of the lockers. Another case held that a school has the power to consent to a locker search. On one occasion, the United States Supreme Court expressly refrained from deciding whether a student is capable of having a reasonable expectation of privacy in a locker, desk or any other “school property provided for the storage of school supplies.”

     If the “locker cases” are applied to a situation entailing student use of school-owned computers, it is unclear whether a court would find a reasonable expectation of privacy. Certainly, if students or their parents are not on notice as to a policy of electronic monitoring, the chances are greater that a court may find a reasonable expectation of privacy. Furthermore, the reasonableness of an expectation of privacy may depend on whether the school has a policy of allowing or disallowing students to store documents or e-mails on the computer system itself or on a floppy discs owned by the student. At the very least, a school district’s “search” is more likely to withstand constitutional scrutiny if it has provided notice to all students and parents that use of the computer system by students is subject to electronic monitoring at any time. The probability of such a finding may be increased if the school has the written assent of students and their parents to the school’s computer policy.

     Assuming arguendo, that students have a reasonable expectation of privacy in their electronic communications and documents, the Fourth Amendment will still permit a search if the search is reasonable. The requirements of “probable cause” do not have to be satisfied. Rather, the standard of reasonableness is intended to reflect a balance between a student’s privacy interest and the school’s interest in maintaining student discipline.

     In New Jersey v. T.L.O., the United States Supreme Court held that a student search is reasonable, hence permissible, when there are “reasonable grounds for suspecting that the search will turn up evidence that the student has violated or is violating either the law or the rules of the school.” This governs the requirement that a search must be “justified at its inception,” however a search must also be reasonable in its scope.

     To be reasonable in scope, the scope of the search must be “reasonably related to the objectives of the search and not excessively intrusive in light of the age and sex of the student and the nature of the infraction.” For example, if a student reports that he or she has been sexually harassed by an e-mail sent by another student, it might be reasonable for a school official to search all of the electronic communications between the two students. At the same time however, it might be unreasonable for the official to search any electronic communications between the harassing student and his or her family or of other students not implicated.

     In both Engerud and T.L.O., the facts were such that the school’s search was based on a suspicion that a particular person may have been breaking the law or the rules of the school. The courts refer to this concept as individualized suspicion. In the context of electronic monitoring however, a school might not only be monitoring particular students based on an individualized suspicion; the school may have chosen to monitor all students’ electronic communications and documents. The United States Supreme Court has expressly refrained from deciding whether individualized suspicion is demanded by the Fourth Amendment in order for an otherwise reasonable student search to remain so. Generally, however, exceptions to the doctrine of individualized suspicion have been recognized where the privacy interests implicated are minimal and there are other safeguards “to assure that the individual’s reasonable expectation of privacy is not subject to the discretion of the official in the field.”

     In the case of Desilets v. Clearview Regional Board of Education, the New Jersey Appellate Division held that a school official could search student hand luggage without individualized suspicion when the search was conducted in conjunction with a field trip and the search was for contraband. The Desilets court emphasized that the school’s policy was upheld because school officials did not retain the discretion to decide who should be searched. Furthermore, schoolchildren had advance notice of the search and, as such, they could have either refrained from bringing hand luggage on the trip altogether or they could have removed highly personal items from their hand luggage prior to the field trip. Interestingly, the Desilets court did not emphasize in its holding the fact that the schoolchildren’s parents had expressly consented to the contraband search.

     The holding of the Desilets court might be applicable in the context of electronic monitoring in the public schools. A school board may wish to institute an electronic monitoring policy in which the electronic communications and stored documents of students may be indiscriminately searched by some previously announced method. Such a policy should provide for the monitoring of all students or it should contain a prescribed “formula”, devised in advance, to monitor a randomly and indiscriminately chosen student. The policy should also state the school’s interests in monitoring the electronic communications and documents of students.

     Such interests may include, but are not limited to: (1) preventing the downloading of inappropriate materials from the Internet (e.g. pornography); (2) preventing the use of the e-mail system to harass or defame another; (3) preventing the unauthorized downloading of materials protected by copyright; (4) preventing the use of the computer in a manner inconsistent with school rules that properly foster discipline; (5) preventing the use of the school computer system for general, non-educational purposes; (6) preventing students from revealing personal information over the Internet (via e-mail or the World Wide Web); (7) preventing students from perpetrating computer crime.

     A Fourth Amendment claim for invasion of privacy may usually be found in the context of either a Section 1983 action or in a motion to suppress evidence in a criminal proceeding. First, Section 1983 provides a cause of action for damages against state actors when they violate an individual’s federal constitutional rights under color of law. Furthermore, a state actor may be subject to qualified immunity from suit depending on the law of a particular state. Second, the exclusionary rule provides for the suppression of evidence discovered during an improper student search. The exclusionary rule is not universally accepted by all jurisdictions, however it is followed in New Jersey.

 Common Law Tort Actions

     Many jurisdictions allow a tort action against a private entity if there has been an unreasonable intrusion upon the seclusion of another. Similar to the constitutional action, the tort action protects an individual’s privacy interest. However, unlike a constitutional action, a tort action may be barred by a state Tort Claims Act if the action is against a state actor. As such, the availability of a tort remedy for an invasion of privacy may be severely impaired when the action is brought against a school district. Consequently, an aggrieved student may be more “successful” in bringing the claim as a constitutional action.

 Federal and State Statutory Actions

     A school monitoring policy may also implicate the provisions of the ECPA when school officials intercept transitory student communications or when they gain unauthorized access to stored student communications. The issue of “consent” has special relevance to the ECPA’s application to a public school setting. As discussed above, a showing that the plaintiff had consented to the defendant’s activities may defeat a claim of an ECPA violation. It is unclear, however, whether the student must consent to the school’s monitoring policy, whether the student’s parent or guardian may consent on behalf of the child, or whether the school itself can satisfy the consent requirement under the doctrine of in loco parentis.

     In the case of Pollack v. Pollack, the Court of Appeals for the Sixth Circuit held that under the ECPA, the “consent” requirement may be satisfied under certain circumstances if a parent consents and the parent can demonstrate a “good faith, objectively reasonable basis for believing such consent was necessary for the welfare of the child.” In Pollack, a mother had recorded a telephone conversation between her child and the child’s father without authorization. The mother and the father were ex-spouses. The court held that the mother did not violate the ECPA since one party need only consent to the recording, and because the mother’s consent would suffice as consent on behalf of the child. At the time of the recording, the mother had custody of the child and was the child’s legal guardian.

     In rendering its opinion, the Sixth Circuit relied on similar conclusions reached by the Second, Seventh, and Tenth Circuit Courts of Appeals. The Sixth Circuit also relied on a similar conclusion reached by a New Jersey court interpreting the New Jersey Wiretapping and Electronic Surveillance Act (“WESA”). While the Sixth Circuit’s holding was based on a theory of “vicarious consent,” the court noted that other jurisdictions had reached similar conclusions by holding that the ECPA “business use exception” was satisfied when a parent taped telephone conversations within the home. This is because such interceptions and tapings have been considered to fall within the scope of the exception’s language that allows interceptions that are, “within the regular course of business.”

     Although the holding of Pollack does not directly address electronic monitoring in the schools, it may be applied by analogy. First, there appears to be a basis to argue that a parent may consent in the place of the child provided that the parent satisfies the good-faith requirements of Pollack. Second, if the parent could have consented in place of the child, there may also be an argument that the school itself may satisfy the consent requirement due to the doctrine of in loco parentis. Third, a school may attempt to argue that its allegedly offensive electronic activities are “within the regular course of its business”; i.e. that the school is monitoring in order to prevent the child from incurring or causing harm to himself, other students, or the school’s computer system.

 Related Policy Concerns

     In drafting a computer and Internet policy, a school board should account for all relevant legal issues, such as: (1) electronic privacy; (2) sexual harassment; (3) objectionable Internet content and the use of filtering software (i.e. pornography); (4) copyright infringement and plagiarism; (5) trademark infringement; (6) the intentional or accidental destruction or alteration of student data (see discussion in Part I); (7) computer crimes (i.e. “hacking”); (8) student freedom of expression on the Internet and in e-mails; (9) online defamation; (10) the availability of personal student information over the Internet; (11) the use of the computer or the Internet to sell drugs or commit other non-electronic crimes; and (12) the use of the computer or the Internet to break school rules.

     For example, a school policy should account for issues of “electronic” sexual harassment. This is because school e-mail systems provide students with an opportunity to sexually harass other students for which school districts may be held liable. Recently, the U.S. Supreme Court held that school boards may be liable for acts of sexual harassment committed by a student against a classmate if the school board has acted with “deliberate indifference” and has “exercise[d] substantial control over both the harasser and the context in which the known harassment occur[ed].” Presumably, this new rule of law would apply to acts of sexual harassment committed with the aid of the school’s e-mail system. A school district may attempt to avoid liability by implementing a policy that forbids the use of the computer system for harassment purposes and which prescribes in advance the appropriate disciplinary measures for those who electronically harass other students. Schools should also implement appropriate discipline upon discovering that one student is sexually harassing a classmate.

     A computer and Internet policy should also provide notice of the basic rules and procedures for use of the computer and Internet by students. The policy may provide that the computer system be used primarily for educational or career related purposes. A school board should include additional guidelines if student organizations will be permitted to create and maintain their own Web site.

     School Web sites create additional student privacy issues. School districts must decide whether the Web site will be available to anyone or whether Web site access will be limited by password to students, faculty and parents. School boards must also take care not to publish sensitive and personal student identification information on school Web sites such as last names, addresses, phone numbers, student photographs, etc. Finally, it would be prudent for a faculty member to act as a “gate-keeper” for all content to be posted on the school’s Web site. This person can make sure that the privacy and other related policies are being followed (i.e. concerning discrimination, copyright infringement, defamation, etc.).

 Conclusion of Student Privacy

     School computers and school access to the Internet may function as a useful educational tool, as they are efficient sources of endless information and communications capabilities. Unfortunately, however, the advantages of computers and the Internet are not available risk-free. There are many dangers to be aware of when a child uses a computer, the Internet, or even an in-house e-mail system. It is well established that schools have a duty to supervise children so that students do not cause harm to themselves, to others, or to property. For this reason, and in today’s political climate, a school board may choose to implement protocol which provide for the monitoring of electronic communications and documents.In implementing such a policy, it is best advised for a school board to fully disclose to students and parents the full nature of the monitoring and for it to expressly state the complete scope of the monitoring process. After doing so, the school should acquire the consent of both the student and the student’s legal guardian(s) so that the school may intercept transitory communications and access stored electronic documents without opening itself up to an unnecessary risk of liability under the ECPA or the WESA. Furthermore, a student’s expectation of privacy in the school computer system may be diminished by notifying students that the computer system may be used primarily for educational purposes and that the school reserves the right to monitor or access all computer data at any time. By implementing a firm policy and by providing notice to all involved parties, a school board may conduct electronic monitoring with the greatest amount of certainty that the school board will be complying with applicable law