Employee Monitoring, BYOD, and Workplace Privacy Issues
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
Reading this article does not create an attorney-client relationship, nor does merely contacting our office through this website or any other means.
Employers have legitimate interests in monitoring how company resources are used, protecting confidential business information, and ensuring that employees are working productively. Employees, in turn, retain some privacy expectations even in a workplace context. Virginia law and federal statutes draw specific lines around what employers may do and what notice they must provide.
For businesses in Christiansburg, Blacksburg, and the New River Valley, the shift toward remote and hybrid work, the prevalence of bring-your-own-device arrangements, and the availability of sophisticated monitoring software have made workplace privacy questions more complicated than they were a decade ago. This article outlines the legal framework and practical considerations that Virginia employers should understand.
Virginia’s Electronic Surveillance Law
Virginia Code § 19.2-62 is Virginia’s electronic surveillance statute. It prohibits intentional interception of wire, electronic, or oral communications using any electronic, mechanical, or other device, with limited exceptions.
One of the most important exceptions for employers is the consent exception: interception is permitted when one party to the communication has consented. In the employment context, this typically means that an employer can monitor electronic communications on its own systems if employees have been notified and have consented to that monitoring, usually through an employment agreement, acceptable use policy, or system banner.
However, the scope of consent matters. Blanket consent to monitoring in an employment agreement may not cover every form of monitoring an employer later implements, particularly if monitoring methods change substantially. Courts have looked at whether employees understood the nature and extent of the monitoring they consented to.
Virginia employers should not assume that ownership of a device or system automatically authorizes unlimited surveillance of all communications conducted on it, particularly where employees have personal communications intermingled with business communications.
Email and Computer Monitoring on Employer Systems
Monitoring of email and computer activity on employer-owned systems is generally permissible under both Virginia law and federal law when employees have received clear notice that such monitoring may occur. The Electronic Communications Privacy Act (ECPA), the primary federal statute governing electronic surveillance, includes an exception for monitoring of communications on systems provided by an electronic communications service for business purposes.
In practice, this means that monitoring of work email accounts, web browsing on company computers, and use of company-provided software is lawful provided employees are notified. The notice must be meaningful. A one-line reference to monitoring buried in a lengthy employee handbook that employees sign without reading may provide some legal protection, but employers who want clear protection should use explicit acknowledgment mechanisms, such as login banners that require affirmative acknowledgment before access is granted.
Employers should also be careful about monitoring personal webmail or personal accounts accessed on work computers. Even on a company-owned device, accessing an employee’s personal Gmail or personal social media accounts without authorization raises significant legal risk under the Computer Fraud and Abuse Act (CFAA) and potentially the ECPA.
Remote Work Monitoring Tools
The expansion of remote work has been accompanied by a proliferation of monitoring software designed to track employees working from home. These tools vary widely in their intrusiveness and in what they capture.
Common remote monitoring approaches include:
- Activity tracking: Recording when employees are logged in, when they are active on their keyboard or mouse, and which applications they use
- Screenshot capture: Taking periodic or continuous screenshots of an employee’s screen
- Video monitoring: Using webcam software to verify that employees are at their workstations
- Communications monitoring: Logging instant messages, emails, and sometimes call content
- Time tracking: Recording the duration of specific tasks or applications
Virginia law does not prohibit these tools when properly disclosed, but the level of intrusiveness raises proportionality questions. Courts, regulators, and employees have increasingly questioned whether the most intrusive monitoring practices, particularly continuous video capture of employees in their homes, can be justified by legitimate business interests.
From a practical standpoint, overly intrusive monitoring can damage employee morale, create recruitment and retention challenges, and generate legal exposure if employees challenge monitoring practices as unlawful. Employers should consider whether the monitoring is proportionate to the business interest being served and whether less intrusive methods would achieve the same goal.
Notice remains essential. Regardless of which monitoring tools an employer uses, employees must be clearly informed of what is being monitored, how that information is used, and how long it is retained.
BYOD Policy Considerations
Bring-your-own-device (BYOD) policies allow employees to use personal smartphones, tablets, and computers for work purposes. They create significant privacy and security challenges because work data and personal data coexist on a device that the employee owns.
Security Risks of BYOD
Personal devices often run older software versions, lack enterprise security controls, and may be used on insecure networks. If an employee’s personal phone stores company email, customer lists, or confidential documents, a device theft or personal account breach can expose company data.
Mobile Device Management on Personal Devices
Many employers address BYOD security through mobile device management (MDM) software installed on personal devices. MDM can enforce security policies (requiring screen lock, encryption, and approved applications), allow remote wipe of company data if the device is lost, and segregate work data from personal data in a secure container.
However, MDM on a personal device also gives the employer significant visibility into the device’s usage and, in some configurations, the ability to wipe the entire device, not just the business portion. Employees who enroll their personal devices in employer MDM programs should understand what access the employer will have. Employers should clearly document in their BYOD policy exactly what the MDM software does and does not monitor.
Data Separation
The most privacy-protective BYOD architectures create a clear separation between the work environment and the personal environment on the device. Containerization technologies create an encrypted work space that the employer controls, while leaving personal applications and data entirely outside the employer’s visibility. This approach reduces the risk to both the employer (less exposure of company data) and the employee (reduced intrusion into personal life).
BYOD Exit Procedures
When an employee leaves, the employer needs to retrieve company data from personal devices. Your BYOD policy should establish a clear process for this, including what data will be removed from the device, how removal will be accomplished, and how the employee can verify that personal data has not been retained.
GPS and Location Tracking
Employers that operate vehicle fleets or employ field workers sometimes use GPS tracking to monitor vehicle locations. Virginia does not specifically prohibit employer GPS tracking of company-owned vehicles, provided employees are notified. Tracking company-owned vehicles during work hours is generally permissible.
Tracking an employee’s personal vehicle, or tracking the location of an employee outside of work hours, raises significantly more complex legal questions. Some states have enacted specific legislation restricting this practice. Virginia employers considering location monitoring should review applicable law carefully and obtain legal advice before implementation.
Tracking employees through their personal smartphones using MDM or other software also raises location tracking questions. If your MDM solution collects location data from personal devices, your BYOD policy should disclose that and provide employees with a mechanism to disable location tracking when they are off duty.
Written Policies as the Foundation
The most important thing a Virginia employer can do to reduce legal risk in the employee monitoring context is to have clear, written policies that are provided to employees and acknowledged in writing before monitoring begins.
Effective monitoring policies should:
- Describe all forms of monitoring the employer conducts or may conduct
- Identify the systems and devices subject to monitoring
- Explain the business purposes served by each type of monitoring
- State that employees have no expectation of privacy in company systems, email, or data
- Address BYOD arrangements separately, with specific disclosure of what MDM software does
- Specify how monitoring data is used, retained, and who has access to it
- Describe any exceptions or limitations (for example, that personal accounts accessed on company devices are not monitored)
Policies should be reviewed by legal counsel before implementation and updated when monitoring practices change.
ADA Considerations: Monitoring and Medical Information
The Americans with Disabilities Act (ADA) restricts employers’ ability to obtain or use medical information about employees. Employers should be alert to monitoring practices that could inadvertently capture medical information.
For example, if an employer’s screen monitoring captures an employee’s telehealth appointment, health insurance portal activity, or communications with a healthcare provider, and that information is used in employment decisions, the employer may face ADA liability. Monitoring policies should address how medical or health-related information that is inadvertently captured will be handled and segregated.
Monitoring communications of remote employees working under an ADA accommodation should be approached with particular care, and legal counsel should be consulted if monitoring practices could intersect with disability-related information.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.