Employee Privacy

Employer Disclaimer, Reservation of Right to Monitor


Expectation of Privacy, or Consent to Inspection?


US courts have generally upheld an employer's policy of reading employee e-mail and searching employer-issued PCs, laptops and mobile phones.[1] But Quon v. Arch Wireless makes management review of electronic records, like text messages, more dangerous.

Disclaimers

Employers are thus motivated to publish privacy disclaimers like: "This e-mail account is for official business only. No end-user expectation of privacy. End-users consent to management inspection of message contents."

Or, if space is tight: "Official business. End-users: no privacy; consent to inspection" . . . with more explanation published on the Web.

Employers have incentives to monitor computer usage, including the need to deter sexual harassment and a hostile work environment. But as they supervise the workplace, employers don't want to be liable for invading privacy.

Officer Quon's Story

Quon was an officer with the Ontario, CA, police department. Quon knew the department's general policy prohibiting nonofficial computer communications, reserving management power to review computer activities and disclaiming employee expectation of privacy.

The department issued Quon a pager enabling him to exchange text messages via a third-party service. Using the pager, in several months he exceeded his per-character quota, and he paid the extra charges. A supervisor informally told Quon the department would not review his messages so long as he paid the extra charges. Then Quon's excess usage came to the attention of the department chief. The chief asked that the service provider (equivalent to an Internet Service Provider, ISP) disclose to management the contents of Quon's archived messages. Viewing the police department (not Quon) as the account subscriber, the provider complied.

Quon and some of his text correspondents (plaintiffs) sued, claiming the department, a government agency, had violated their Fourth Amendment right to be free from unreasonable search.

The court ruled plaintiffs had reasonable expectations of privacy in the messages. Even though the department's formal policy disclaimed that expectation, the supervisor nullified it by saying the department would not examine the messages. [The police department appealed to the US Supreme Court. The Supreme Court found a rationale for ruling in favor of the police department. But it did not dismiss the logic of the lower court that a supervisor could nullify formal department policy.]

What Should an Employer Do?

So, as a policy matter, what is an employer to do? It is hard to avoid informal statements (such as from Quon's supervisor) that are construed to invalidate formal privacy disclaimers.

Employers' logical response is to state disclaimers over . . . and over . . . and over. Repetition of disclaimers may not eliminate employer risk, but it may reduce it.

Information technology enables easy repetition of disclaimers, just as it enables enterprises to widely broadcast other policies and legal terms.

Privacy disclaimers might be published – and republished – any number of ways (the more the better), including on log-on banners, at the bottom of messages, in video reminders and in public notices on web sites. See my earlier articles about the general effectiveness of legal terms published to the world (e.g., external recipients of employee e-mails, text & audio messages) by way of the World Wide Web.

What do you think?

--, Senior Instructor on Computer Investigation Law at the SANS Institute.

[1] See, e.g., Muick v. Glenayre Electronics 280 F.3d 741 (7th Cir. 2002).
[Again, all my blog comments are just public discussion and not legal advice for any particular situation.]

3 comments:

  1. You would think that the account holder with the wireless carrier would be able to make any inquiry on the account usage. While that argument would seem to be supportable, our company does back it up with policy. We have a monitoring policy that's signed off annually by employees and at hire date by new hires. We specifically included devices or services "owned and operated by a third party on the Company's behalf" in the scope along with the company's normal equipment/services.

  2. As the case shows, a formal policy alone is not sufficient, and I suspect that even your suggestion of repetitious reinforcement via footers or whatever may not do the trick. One other avenue that may mitigate the risk to the company is evidence of a formal training program, in which employees (including supervisors) are required to review and demonstrate understanding of corporate policies at specific intervals. If this had been in place at the Ontario Police Department, perhaps the supervisor wouldn't have informally waived the policy in the first place.

  3. I would agree that this will cause companies to be more apt to broadcast multiple, repetitive privacy disclaimers. I also believe that this will cause companies to try to keep more control over where this information is stored to avoid such issues.
