Employee Privacy

Employer Disclaimer, Reservation of Right to Monitor


Expectation of Privacy, or Consent to Inspection?


US courts have generally upheld an employer's policy to read employee e-mail and search employer-issued PC, laptop & mobile phone.[1] But Quon v. Arch Wireless, makes management review of electronic records, like text messages, more dangerous.

Disclaimers

Employers are thus motivated to publish privacy disclaimers like: "This e-mail account is for official business only. No end-user expectation of privacy. End-users consent to management inspection of message contents."

Or, if space is tight: "Official business. End-users: no privacy; consent to inspection" . . . with more explanation published on the Web.

Employers have incentives to monitor computer usage, including need to deter sexual harassment/hostile work environment. As they supervise the workplace, employers don't want to be liable for invading privacy.

Officer Quon's Story

Quon was an officer with the Ontario, CA, police department. Quon knew the department's general policy prohibiting nonofficial computer communications, reserving management power to review computer activities and disclaiming employee expectation of privacy.

Click
The department issued Quon a pager enabling him to exchange text messages via a third-party service. Using the pager, he in several months exceeded his per-character quota, and he paid the extra charges. A supervisor informally told Quon the department would not review his messages so long as he paid the extra charges. Then Quon's excess usage came to the attention of the department chief. The chief asked that the service provider (equivalent to Internet Service Provider, ISP) disclose to management contents of Quon's archived messages. Viewing the police department (not Quon) as the account subscriber, the provider complied.

Quon and some of his text correspondents (plaintiffs) sued, claiming the department, a government agency, had violated their Fourth Amendment right to be free from unreasonable search.

The court ruled plaintiffs had reasonable expectations of privacy in the messages. Even though the department's formal policy disclaimed that expectation, the supervisor nullified it by saying the department would not examine the messages. [The police department appealed to the US Supreme Court.  The Supreme Court ruled found a rationale for ruling in favor of the police department.  But it did not dismiss the logic of the lower court that a supervisor could nullify formal department policy.]

What Should an Employer Do?

So, as a policy matter, what is an employer to do? It is hard to avoid informal statements (such as from Quon's supervisor) that are construed to invalidate formal privacy disclaimers.

Employers' logical response is to state disclaimers over . . . and over . . . and over. Repetition of disclaimers may not eliminate employer risk, but it may reduce it.

Information technology enables easy repetition of disclaimers, just as it enables enterprises to widely broadcast other policies and legal terms.

Privacy disclaimers might be published – and republished – any number of ways (the more the better), including on log-on banners, at the bottom of messages, in video reminders and in public notices on web sites. See my earlier articles about the general effectiveness of legal terms published to the world (e.g., external recipients of employee e-mails, text & audio messages) by way of the World Wide Web.

What do you think?

--, Senior Instructor on Computer Investigation Law at the SANS Institute.

[1] See, e.g., Muick v. Glenayre Electronics 280 F.3d 741 (7th Cir. 2002).
[Again, all my blog comments are just public discussion and not legal advice for any particular situation.]