Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

Posted on December 21, 2009 by Privacy and Data Protection Practice Group

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

  • Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
  • Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
  • Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.
Tags: , , , , , , , ,

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,

Criminalization of Online Harassment May Help Employers in "Cyberbattles" with Disgruntled Employees

Posted on July 17, 2009 by Privacy and Data Protection Practice Group

Texas recently enacted a law, effective September 1, 2009, that criminalizes online harassment. Texas joins other states, including Nevada, New York and Tennessee, which have enacted similar legislation criminalizing the use of electronic communication devices to commit criminal stalking and harassment.

Although speaking in terms of “online harassment,” the law is aimed at outlawing online impersonation with the intent to cause harm. Thus, the law outlaws the unauthorized use of another’s name or persona to create a web page, or to post one or more messages on a commercial social networking site, with the intent to defraud, harm, intimidate or threaten another person. This offense is a third-degree felony, punishable by two to ten years imprisonment and a fine not to exceed $10,000.

The law also criminalizes the unauthorized transmission of an electronic communication (e.g., e-mail, text message, or instant message) using another person’s identifying information (e.g., name, domain address, phone number, etc.) with the intent of causing (a) the recipient to believe the send was the other person, and (b) harm to any person. This offense is a Class A misdemeanor, punishable by up to one year of imprisonment and a fine not to exceed $10,000.

While the Texas law, and laws like it, may not seem particularly helpful to employers at first blush, they actually may give the employer the upper hand in one of the most vicious forms of attacks by tech-savvy, disgruntled, former employees. In these attacks, the former employee “spoofs” a hated supervisor or executive in a phony social networking profile or e-mail communication to other employees. These spoofs often are defamatory and designed to humiliate the target. Because the creator or sender is hiding behind a false persona, it can be expensive and difficult to obtain any relief through civil litigation. Prosecutors, on the other hand, most likely will have a much easier time uncovering and stopping the perpetrator without any cost to the employer.

This entry was co-authored by Philip L. Gordon and Jeffrey U. Javinar.
Tags: , , , , ,

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

Posted on June 5, 2009 by Privacy and Data Protection Practice Group

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employer’s compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

IAPP: You mentioned employee health information in your initial response. How are the issues involving such information any different today than they were in the recent past?

Gordon: Russell Chapman’s presentation at the Practical Privacy Series, “Privacy Issues in Employer Wellness Initiatives,” will highlight the new challenges. The soaring cost of employee health benefits has put significant pressure on employers to encourage a healthier workforce. One look at the complex regulations in this area makes it clear that this laudable goal is much more easily enunciated than achieved. Government regulators have, to some extent, handcuffed employers in these offerings to protect employee privacy and to prevent discrimination against employees who can not, or do not want to, become exercise junkies. Russ is an expert in employee benefits law, and he will walk attendees through the legal complexities that employers are confronting as they implement wellness initiatives to trim health care costs.

IAPP: Over the past few years, “electronic discovery” has become a privacy issue. Could you explain how electronic discovery and privacy intersect in the employment context?

Gordon: Getting access to a former employee’s personal electronic information—their home computer, personal e-mail account, text messages, or social networking profile—often can be the difference between an employer’s success and defeat in employment litigation. Plaintiffs’ lawyers also have become increasingly aggressive in pursuing the electronic information of co-workers and supervisors who are not directly involved in the events that triggered the lawsuit, but whose statements and actions might provide useful evidence in support of the plaintiff’s claims. In many situations, the employer or the employee tries to limit the scope of electronic discovery by invoking the privacy interests of the employee to whom the information relates. The HR Practical Privacy Series will include a panel of three widely recognized experts in the area of electronic discovery—Becky Burr, a partner at WilmerHale; Laura Kibbee, formerly in-house counsel at Pfizer and now a senior vice president at the e-discovery consulting firm, EPIQ Systems; and Paul Weiner, national director of e-discovery at Littler Mendelson. The panel will delve into not just the domestic privacy issues raised by electronic discovery, but also the difficulties that multinational employers are confronting. In one recent case, for example, a French lawyer was subjected to criminal sanctions in France for conducting discovery ordered by a U.S. court. Multi-national employers are caught between a rock and a hard place in this area. This panel discussion, “e-Discovery and Privacy: How Domestic and Global Employers Can Manage the Ultimate ‘Catch-22’” will provide practical solutions to these difficult issues.

IAPP: As you noted above, security breaches involving employee data can have significant ramifications for the organization, what steps can employers take to reduce the risk of these breaches and how best can employers respond when a breach occurs?

Gordon: Organizations often can leverage the policies, procedures, and practices implemented to safeguard consumer privacy to prevent a compromise of HR data. The problem, for many organizations, is that employee data is not viewed as falling within the chief privacy officer’s jurisdiction and human resources professionals generally do not have the same level of expertise in privacy and information security issues as the CPO. Ken DeJarnette, a leading privacy consultant with Deloitte, will address how to eliminate this silo effect at the Practical Privacy Series in the presentation “Leveraging Your Existing Customer Privacy Program for HR Data and Processes.”

As many studies and anecdotal evidence suggest, even the best information security programs fail from time to time. My experience handling dozens of employee breaches has highlighted several important distinctions from consumer breaches. Frequently, my client contacts are themselves put at risk by the compromise, often raising the level of engagement and concern. Employee breaches typically implicate Social Security numbers, a fact which is particularly concerning because SSNs can be used for different types of identity theft so the cancellation of credit accounts is not enough to protect affected employees. As a result, employees tend to take advantage of services offered by the employer at a higher rate than consumers in breaches involving credit card numbers. Employers also may have a longer-term communications issue. While a consumer may sever a customer relationship, I have yet heard of an employee quitting over a security breach. That does not mean that employees are not disgruntled over the breach, with potential ramifications for the workplace. Peter McCorkell, senior counsel at Wells Fargo, and Rick Dakin, founder and president of the security consulting firm Coalfire Systems, will address the unique challenges of responding to an employee breach in their presentation at the Practical Privacy Series, “Investigating and Responding to an HR Data Breach.”
Tags: , , , , , , , , , ,

Quon Ruling Not Significant Obstacle to Employers' Accessing Text Messages

Posted on June 20, 2008 by Philip Gordon

The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text messages services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fastEmployers can easily and lawfully circumvent the court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees communications using corporate resources will be monitored and are not private.

Of course, many employers in today’s world do provide cell phones with text-message capability. That does not mean that employees now can text with impunity. The Ninth Circuit’s decision addresses only access to the content of text messages stored at the provider. The decision imposes no limit on an employer’s obtaining transactional data, such as number of characters used, number of messages sent, or cost of service.

In any event, employers who think they may want to review their employees’ text messages need only condition payment for the cell phone, or for the service, on the employee’s giving written consent to the provider to disclose text messages to the employer; employees who don’t give consent and wish to keep their text messages private would have to pay for the service out of their own pocket. How many employees will be willing to pay $100 or more monthly to be able to send dirty text messages (especially with gas at $4 per gallon)?

There is yet another solution for employers. The Ninth Circuit’s ruling imposes no restriction on an employer’s review of text messages stored on company-issued cell phones. As long as the employer’s electronic resources policy notifies employees that text messages will be searched, the Ninth Circuit’s ruling actually can be used to defeat any privacy-based claim by an employee based upon such a review. In addition, as computer forensic capabilities improve and cell phone memory chips expand, these types of cell phone examinations could easily become routine.

The case is a cautionary tale on another point. The Ninth Circuit also addressed the question whether the City violated Sgt. Quon’s privacy expectations by reviewing his text messages after receiving them from Arch Wireless. On this point, the court noted (as I mentioned above) that in the normal course, the City’s “Computer Use, Internet and E-Mail Policy” would have defeated Sgt. Quon’s privacy-based claim. However, the police lieutenant responsible for overseeing the City’s text-message program had established an informal policy, communicated orally to Sgt. Quon, that the City would not read an officer’s text messages to determine whether they were personal or business-related so long as the officer paid for any over charges. The Ninth Circuit ruled that Sgt. Quon reasonably relied on this informal policy when he sent personal text messages using his City-issued pager, believing that the messages would remain private. Even though the City is a public employer, this holding is most likely is transferable to the private workplace.

Bottom line #1: Employers first need to evaluate whether reviewing messages stored with a service provider is in the employer’s interest. Corporate culture or potential employee rebellion potentially are significant countervailing factors. If the interest is strong enough, then the employer can execute any of the strategies described above to meet those objectives.

Bottom line #2: Instruct your IT personnel and others responsible for workplace monitoring not to make representations to employees that your business’ electronic resources policy will not be followed. Consider modifying your electronic resources policy to state that it can not be modified except by a written communication by a senior executive.

For further analysis of the Quon case, please see Littler ASAP: Employee Text Messages Are Not Inviolate: Understanding and Navigating the Ninth Circuit's Decision in Quon v. Arch Wireless Operating Company by Philip L. Gordon and Justin A. Morello.
Tags: , , , , , , , ,