Summary of Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) regulates the privacy of data and communications in transit by any means of transfer (wire, radio, electromagnetic, photo optical, etc.) which it defines as:
The Act is limited in scope in that it does not cover the following:
- Oral communications (i.e. voice);
- Communications made through a tone-only paging device;
- Any communication from a court-sanctioned ‘tracking device’;
- Electronic funds transfers.
The ECPA is intended to protect against:
- Government surveillance conducted without a court order.
- Third parties without legitimate authorization accessing messages.
- Illegal interception from carriers (i.e. Internet service providers).
However, it is not intended to protect employees from monitoring by their employers. This is where the issue arises for security testing. As a third-party consultancy engaged by a client to test security (in whatever form), do you constitute an ‘unauthorized third party’ from the perspective of an employee, or are you an extension of their employer? The question matters because, in theory, an employee could sue you for intercepting their (private) data. The solution is contractual: ensure that your client indemnifies you against any legal action that may arise from any interception or analysis of data you perform during the engagement.