Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Although not deciding the issue of Quon’s privacy rights, the Court did give some weight in passing to Quon’s contention that a management-level police official had created an expectation of privacy for Quon by telling him that the official would not audit Quon’s text messages if Quon paid any required overage charges. Private employers should take care through policy language and training to avoid a situation where an employee could allege that a management-level employee countermanded corporate policy aimed at defeating employees’ privacy expectations in their electronic communications.

The Court’s holding — that Quon’s claim failed because the department’s search was legitimate and reasonable — demonstrates that private employers can substantially reduce their potential exposure on privacy-based claims by acting reasonably when searching and reviewing employees’ electronic communications. In Quon, for example, the department initiated its investigation for the legitimate purpose of determining whether the department’s character restrictions on text messages were too low and, therefore, forced SWAT team members to pay overage charges for work-related texts. In addition, the department reviewed only a relevant sampling of Quon’s texts, and the internal investigator who conducted the review redacted all messages sent or received by Quon during non-working hours. The department’s precautions demonstrate that, by conducting an investigation to accomplish a legitimate business purpose and in a manner that is not excessive, private employers can defeat claims based upon a review of an employee’s electronic communications, even if a court were to find that the employee had a reasonable expectation of privacy in those communications.

While private employers can take heart from Quon, they also should take heed of the following statement by the Court:

[The department’s] audit of messages on Quon’s employer-provided pager was not nearly as intrusive as a search of his personal e-mail account or pager, or a wiretap on his home phone line, would have been.”

As employees increasingly access personal e-mail accounts using employer-issued equipment and rely more heavily on personal smart phones to conduct company business, the privacy issues confronted by private employers (and the courts) will become only more complex. Here again, a well crafted and broadly distributed policy that puts employees on notice of how and when the employer will access these communications can go a long way towards strengthening the employer’s hand in litigation. At the same time, employers should beware that, as reflected by a recent decision of the New Jersey Supreme Court, even the most comprehensive electronic resources policy may not always win the day.

This entry was written by Philip L. Gordon.

Photo credit: DNY59
 

While public discussion of the case has revolved principally around the first element of Quon’s claim, i.e., whether Quon reasonably could expect privacy in his text messages, the Supreme Court seemed to focus more heavily on the second element, i.e., whether the City’s review of Quon’s text messages was excessive or unreasonable. During the trial in the case, the jury found that the City’s purpose in searching Quon’s text messages was to determine whether those messages were sent for business or personal reasons. Under persistent questioning from Justices Breyer and Sottomayor, Quon’s counsel struggled to identify a less intrusive means for the City to achieve this indisputably, legitimate purpose than the City’s reading all of Quon’s text messages. The Supreme Court could resolve the case on this initial element of Quon’s claim and not even address whether Quon’s privacy expectation was reasonable.

The Court also appeared skeptical of the Ninth Circuit’s conclusion that Quon reasonably could have expected privacy in his text messages. To reach that conclusion, the Ninth Circuit had relied upon a statement by Lieutenant Duke, the police official responsible for the text messaging program. Duke told Quon that he would not read Quon’s text messages to determine whether they were business-related or personal so long as Quon paid the service provider’s overage charges when Quon exceeded the contractual limit on the number of characters per month. Justices Alito’s and Ginsburg’s questions suggested that they viewed Duke’s statement to be limited to his own actions as opposed to a guarantee of Quon’s privacy against any search by the City. Justices Stevens’ and Kennedy’s questions honed in on the nature of Quon’s SWAT duties, suggesting that Quon could not reasonably expect privacy given that he was on call 24/7 and knew, or should have known, that his text messages might be evidence in criminal proceedings.

Interestingly, Chief Justice Roberts’ questioning suggested that he was somewhat sympathetic to Quon’s contention that he reasonably could expect privacy in his text messages. The Chief Justice noted in his questions that Quon paid the City for his personal text messages, sent at least some of the texts while off-duty, and was told by Duke that he (Duke) would not audit them. The Chief Justice also noted that the Internal Affairs investigators who reviewed the transcripts of Quon’s text messages had redacted the personal ones, suggesting that these investigators considered the personal messages to be private.

In another noteworthy twist, the United States Government, arguing alongside the City, asked the Court to adopt a bright-line rule that employers can defeat the reasonableness of any employee’s expectation of privacy by issuing a policy informing employees that they have no privacy in their communications over employer-provided equipment. The Court did not seem receptive to this position. Justice Sottomayor noted the Court’s well established precedent — O’Connor v. Ortega — holding that “operational realities” of an office are a factor in determining whether an employee had a reasonable expectation of privacy in the workplace and that the employer’s policy is just one factor to consider.

Perhaps most telling of the Court’s likely hesitance to adopt a bright-line rule in either direction were comments by Justice Alito and the Chief Justice. Justice Alito emphasized the newness of the communications technology in the following statement:

[E]lectronic communications are stored all over the place in – and there isn't a history — these are — these are relatively new. There isn't a well-established understanding about what is private and what isn't private. It's a little different from putting garbage out in front of your house, which has happened for along time.

The Chief Justice emphasized the evolving nature of communications technology in response to the federal government’s advocacy of a bright-line rule, stating, “We are dealing with [the Fourth] [A]mendment that looks to whether something is reasonable. And I think it might be the better course to say that the Constitution applies, but we are going to be more flexible in determining what is reasonable because we are dealing with evolving technology.” (emphasis supplied).

A ruling will be issued by the end of the Court's term in June 2010.

This entry was written by Philip L. Gordon.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

• Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
• Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
• Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer

The law also criminalizes the unauthorized transmission of an electronic communication (e.g., e-mail, text message, or instant message) using another person’s identifying information (e.g., name, domain address, phone number, etc.) with the intent of causing (a) the recipient to believe the send was the other person, and (b) harm to any person. This offense is a Class A misdemeanor, punishable by up to one year of imprisonment and a fine not to exceed $10,000.

While the Texas law, and laws like it, may not seem particularly helpful to employers at first blush, they actually may give the employer the upper hand in one of the most vicious forms of attacks by tech-savvy, disgruntled, former employees. In these attacks, the former employee “spoofs” a hated supervisor or executive in a phony social networking profile or e-mail communication to other employees. These spoofs often are defamatory and designed to humiliate the target. Because the creator or sender is hiding behind a false persona, it can be expensive and difficult to obtain any relief through civil litigation. Prosecutors, on the other hand, most likely will have a much easier time uncovering and stopping the perpetrator without any cost to the employer.

This entry was co-authored by Philip L. Gordon and Jeffrey U. Javinar.

IAPP: You mentioned employee health information in your initial response. How are the issues involving such information any different today than they were in the recent past?

Gordon: Russell Chapman’s presentation at the Practical Privacy Series, “Privacy Issues in Employer Wellness Initiatives,” will highlight the new challenges. The soaring cost of employee health benefits has put significant pressure on employers to encourage a healthier workforce. One look at the complex regulations in this area makes it clear that this laudable goal is much more easily enunciated than achieved. Government regulators have, to some extent, handcuffed employers in these offerings to protect employee privacy and to prevent discrimination against employees who can not, or do not want to, become exercise junkies. Russ is an expert in employee benefits law, and he will walk attendees through the legal complexities that employers are confronting as they implement wellness initiatives to trim health care costs.

IAPP: Over the past few years, “electronic discovery” has become a privacy issue. Could you explain how electronic discovery and privacy intersect in the employment context?

Gordon: Getting access to a former employee’s personal electronic information—their home computer, personal e-mail account, text messages, or social networking profile—often can be the difference between an employer’s success and defeat in employment litigation. Plaintiffs’ lawyers also have become increasingly aggressive in pursuing the electronic information of co-workers and supervisors who are not directly involved in the events that triggered the lawsuit, but whose statements and actions might provide useful evidence in support of the plaintiff’s claims. In many situations, the employer or the employee tries to limit the scope of electronic discovery by invoking the privacy interests of the employee to whom the information relates. The HR Practical Privacy Series will include a panel of three widely recognized experts in the area of electronic discovery—Becky Burr, a partner at WilmerHale; Laura Kibbee, formerly in-house counsel at Pfizer and now a senior vice president at the e-discovery consulting firm, EPIQ Systems; and Paul Weiner, national director of e-discovery at Littler Mendelson. The panel will delve into not just the domestic privacy issues raised by electronic discovery, but also the difficulties that multinational employers are confronting. In one recent case, for example, a French lawyer was subjected to criminal sanctions in France for conducting discovery ordered by a U.S. court. Multi-national employers are caught between a rock and a hard place in this area. This panel discussion, “e-Discovery and Privacy: How Domestic and Global Employers Can Manage the Ultimate ‘Catch-22’” will provide practical solutions to these difficult issues.

IAPP: As you noted above, security breaches involving employee data can have significant ramifications for the organization, what steps can employers take to reduce the risk of these breaches and how best can employers respond when a breach occurs?

Gordon: Organizations often can leverage the policies, procedures, and practices implemented to safeguard consumer privacy to prevent a compromise of HR data. The problem, for many organizations, is that employee data is not viewed as falling within the chief privacy officer’s jurisdiction and human resources professionals generally do not have the same level of expertise in privacy and information security issues as the CPO. Ken DeJarnette, a leading privacy consultant with Deloitte, will address how to eliminate this silo effect at the Practical Privacy Series in the presentation “Leveraging Your Existing Customer Privacy Program for HR Data and Processes.”

As many studies and anecdotal evidence suggest, even the best information security programs fail from time to time. My experience handling dozens of employee breaches has highlighted several important distinctions from consumer breaches. Frequently, my client contacts are themselves put at risk by the compromise, often raising the level of engagement and concern. Employee breaches typically implicate Social Security numbers, a fact which is particularly concerning because SSNs can be used for different types of identity theft so the cancellation of credit accounts is not enough to protect affected employees. As a result, employees tend to take advantage of services offered by the employer at a higher rate than consumers in breaches involving credit card numbers. Employers also may have a longer-term communications issue. While a consumer may sever a customer relationship, I have yet heard of an employee quitting over a security breach. That does not mean that employees are not disgruntled over the breach, with potential ramifications for the workplace. Peter McCorkell, senior counsel at Wells Fargo, and Rick Dakin, founder and president of the security consulting firm Coalfire Systems, will address the unique challenges of responding to an employee breach in their presentation at the Practical Privacy Series, “Investigating and Responding to an HR Data Breach.”

Of course, many employers in today’s world do provide cell phones with text-message capability. That does not mean that employees now can text with impunity. The Ninth Circuit’s decision addresses only access to the content of text messages stored at the provider. The decision imposes no limit on an employer’s obtaining transactional data, such as number of characters used, number of messages sent, or cost of service.

In any event, employers who think they may want to review their employees’ text messages need only condition payment for the cell phone, or for the service, on the employee’s giving written consent to the provider to disclose text messages to the employer; employees who don’t give consent and wish to keep their text messages private would have to pay for the service out of their own pocket. How many employees will be willing to pay $100 or more monthly to be able to send dirty text messages (especially with gas at $4 per gallon)?

There is yet another solution for employers. The Ninth Circuit’s ruling imposes no restriction on an employer’s review of text messages stored on company-issued cell phones. As long as the employer’s electronic resources policy notifies employees that text messages will be searched, the Ninth Circuit’s ruling actually can be used to defeat any privacy-based claim by an employee based upon such a review. In addition, as computer forensic capabilities improve and cell phone memory chips expand, these types of cell phone examinations could easily become routine.

The case is a cautionary tale on another point. The Ninth Circuit also addressed the question whether the City violated Sgt. Quon’s privacy expectations by reviewing his text messages after receiving them from Arch Wireless. On this point, the court noted (as I mentioned above) that in the normal course, the City’s “Computer Use, Internet and E-Mail Policy” would have defeated Sgt. Quon’s privacy-based claim. However, the police lieutenant responsible for overseeing the City’s text-message program had established an informal policy, communicated orally to Sgt. Quon, that the City would not read an officer’s text messages to determine whether they were personal or business-related so long as the officer paid for any over charges. The Ninth Circuit ruled that Sgt. Quon reasonably relied on this informal policy when he sent personal text messages using his City-issued pager, believing that the messages would remain private. Even though the City is a public employer, this holding is most likely is transferable to the private workplace.

Bottom line #1: Employers first need to evaluate whether reviewing messages stored with a service provider is in the employer’s interest. Corporate culture or potential employee rebellion potentially are significant countervailing factors. If the interest is strong enough, then the employer can execute any of the strategies described above to meet those objectives.

Bottom line #2: Instruct your IT personnel and others responsible for workplace monitoring not to make representations to employees that your business’ electronic resources policy will not be followed. Consider modifying your electronic resources policy to state that it can not be modified except by a written communication by a senior executive.

For further analysis of the Quon case, please see Littler ASAP: Employee Text Messages Are Not Inviolate: Understanding and Navigating the Ninth Circuit's Decision in Quon v. Arch Wireless Operating Company by Philip L. Gordon and Justin A. Morello.