National Law Review reported yesterday that the National Labor Relations Board (NLRB) ruled in a 3-1 majority decision that employers are legally allowed to restrict the use of company email accounts to business-only communications. This marks a reversal of the stance that the NLRB has held since 2014, when it ruled in Purple Communications Inc. that employees should be able to use their company email accounts for activities like union organizing, and other communications that aren’t specifically work-related. NLRB Case No. 28-CA-060841, Caesars Entertainment Corp d/b/a Rio All-Suites Hotel and Casino, turns that ruling on its head.
Where Purple Communications granted employees the freedom to use their company emails for purposes beyond just union organizing, Caesars Entertainment narrows the scope. Employers may once again restrict the use of company-owned hardware, software, and equipment, so long as such restrictions do not discriminate against communications protected by Section 7 of the National Labor Relations Act, which grants employees the right to self-organization, including the right to organize unions and the right to collective bargaining.
This isn’t the first NLRB reversal of its kind. In fact, Purple Communications effectively overturned a 2007 ruling, Register Guard, in which the NLRB ruled that employees did not have the right to use their company emails for Section 7-protected activities, or any other non-business related activities. (The NLRB members are appointed by the President of the United States, and often shift stances depending upon which party occupies the White House.)
The back and forth can be a little confusing, so to be clear, yesterday’s ruling does not mean that employees are allowed to use company email accounts for unionizing, it simply means that employers aren’t allowed to pick and choose between which types of non-work-related communications are banned. In other words, an employer can’t punish an employee for union-related emails sent from a work account, while simultaneously ignoring other types of personal emails sent by that employee, or other employees. This distinction is important, (and potentially difficult to enforce) in part due to the ubiquity of employees using company email accounts for personal reasons, and also because of the modern workforce’s shift toward remote work, which has blurred the lines between “company time” and “personal time.
Many employees and employee-rights groups argue that company-issued email systems are the only way to effectively communicate with colleagues about union organizing, and the NLRB’s decision does create an allowance for situations where there are no other effective means of communicating with coworkers about unionizing.
Regardless of how labor conditions are affected by this new ruling, it could be good for cybersecurity. Verizon’s 2019 Data Breach Investigations Report lists phishing as the top cause of breaches in 2018 (2019’s figures are still being calculated), accounting for 32 percent of all confirmed data breaches. While banning personal use of company email accounts won’t necessarily stop employees from clicking on malicious links, it could deter them from using their company credentials on sites with questionable security, where those login credentials could be stolen and used in a credential stuffing attack. This tactic involves hackers stealing credentials from one site and trying them across multiple other sites, in order to take advantage of the average user’s tendency to reuse passwords and login credentials. It’s a commonly successful tactic: 29 percent of 2018’s breaches were caused by stolen credentials.
Of course, many experts are more inclined to point out the risks of using personal email accounts for business use. One could argue that, with business emails off-limits, employees will take to personal email and social media to unionize and discuss matters like corporate management structures and internal operations. It’s a bit of a catch-22. Do companies want their dirty laundry aired on an unsecure platform? Or should they just let employees express dissatisfaction within the comfort and security of their own corporate network. A history of reversals on this matter would suggest that the NLRB’s most recent decision won’t necessarily be the final word.