Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

• The School District did not have written policies and procedures regulating the use of Theft Tracker.
• Parents and students were not provided with an explanation of the program and not required to consent to its use.
• Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
• There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

• Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
• Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
• Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.