Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,

N.J. Supreme Court Seals the Door to Internet Service Providers' Voluntary Disclosure of Information About "Cybersmearing" Employees

Posted on April 22, 2008 by Philip Gordon

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.
 

The New Jersey Supreme Court ruled that Reid had a reasonable expectation of privacy in the subscriber information that Comcast turned over to the local police. The Court reasoned that Internet use is integral to daily life and reveals substantial information about an individual’s private life, making ISP subscriber information similar to telephone billing records and bank records. Because New Jersey’s Constitution recognizes a reasonable expectation of privacy in both of those categories of records, ISP subscriber information also should be constitutionally protected. Given this constitutional protection, ISP subscriber information may be produced to law enforcement only in response to a grand jury subpoena. The Court, therefore, affirmed the suppression of Reid’s ISP subscriber information because Comcast had produced it in response to a municipal subpoena.

Jersey Diesel’s situation has become all too common for employers. Employees and former employees, hiding behind the anonymity offered by the Internet, are damaging their employers by posting defamatory or confidential information on the Internet or by engaging in more injurious conduct, such as that alleged against Reid. Like Jersey Diesel, employers typically receive a frosty reception when trying to obtain subscriber information from ISPs. After the Reid decision, ISPs almost surely will refuse to voluntarily disclose any information about New Jersey subscribers out of fear of being sued for invasion of privacy. Although the New Jersey Supreme Court’s decision applies only in New Jersey, employers can expect the decision to have a broader impact.

Notably, the New Jersey Supreme Court expressly refused to address the standard for issuing a civil subpoena that requires an ISP to disclose subscriber information. However, both New Jersey’s intermediate appellate court and California’s Court of Appeal have ruled that an employer has to satisfy a heightened burden before such a subpoena can be issued. The Reid decision most likely will be used in other jurisdictions to lend further support for this heightened standard.
 
Tags: , , , , , , , , , ,