On December 11, 2018, the New York Court of Appeals issued a decision (over two dissenting opinions) addressing public access to police personnel and disciplinary records. The Court held that certain personnel records sought by the New York City Civil Liberties Union (“NYCLU”) pursuant to the Freedom of Information Law (“FOIL”) are exempt from disclosure under New York Civil Rights Law § 50-a and New York Public Officers Law § 87(2)(a). In doing so, the Court affirmed the decision of the Appellate Division, First Department, and the broad applicability of Civil Rights Law § 50-a to requests for police personnel/disciplinary records.
It seems that reports of hackers breaching a business’s security measures to obtain customer information appear on an almost weekly basis. Unfortunately, businesses need to worry not only about the unauthorized access of customer data by hackers, but also the unauthorized access of sensitive employee information as well.
Inherent in all employment relationships is the fact that employers are privy to all sorts of confidential information about their employees. For example, in order to do something as simple as paying an employee’s wages, an employer will generally need to know the employee’s social security number, and, in cases of direct wage deposit, will also need to know the employee’s bank account information. Employers also often come into possession of confidential medical information in connection with employees’ requests for medical leaves of absence under the Family and Medical Leave Act, or when engaging in the “interactive process” with disabled employees who have requested accommodation for their disabilities.
Because employers are necessarily privy to confidential employee information, they are also inherently at risk for unauthorized disclosure of such information to others. Especially with all of the news in recent months about consumer and employee data breaches, employers should question whether the security measures they have in place to protect private employee information are actually sufficient.
But even those employers who have generally taken appropriate security measures are not necessarily immune from potential liability and are still at risk for potential disclosure of confidential information. Take, for example, the situation where an employer, who has otherwise implemented appropriate controls to protect confidential information, is undergoing maintenance of its IT system, and during the maintenance process certain file access restrictions are temporarily disabled. That is precisely the situation that occurred in Tank Connection, LLC v. Haight, a case that was decided by the U.S. District Court for the District of Kansas on February 5, 2016.
The employer in Tank Connection, a manufacturer of above-ground storage tanks with approximately 300 employees, was like many other employers with regard to how it limited employee access to its IT systems: “Each employee's computer was password protected. Access to data on the server was controlled by user-account privileges (Microsoft Active Directory). The user accounts were set up with standard authentication practices including user name and password.” The company also had certain IT directories and files that were only accessible to Tank Connection’s president and network administrator because they contained confidential and proprietary information. So far, so good. But here comes the problem. When the company changed its IT servers, certain security settings were not correctly transferred from the old server to the new, and a file whose access was previously restricted to the president and network administrator was now accessible to employees. Unfortunately, this mistake was not discovered by the company until after a particular employee, who was leaving the company to work for a competitor, accessed and copied confidential information from the file just prior to leaving Tank Connection.
When the mistake was ultimately discovered, Tank Connection took legal action to recover the information from the now former employee. The company claimed that notwithstanding the mistake with the IT server, the employee accessed the information without authorization and essentially “stole” it from the company. But the court ultimately rejected this claim, reasoning: “The problem with Tank Connection's argument that [the employee] exceeded his authorized access is that it is premised upon a restriction that was supposed to be incorporated into its network settings, but which in fact was not. . . . The fact that Tank Connection inadvertently provided [this employee] with access to the folder did not restrict or limit his authority. Nor does the fact that [the employee] apparently accessed these folders for purposes contrary to Tank Connection’s interests amount to evidence that he exceeded ‘authorized access.’”
In other words, despite Tank Connection’s intent to maintain confidentiality of the file, the inadvertent mistake that occurred with the IT server resulted in the company failing to properly protect the confidential information and exposing it to potential disclosure and misuse.
An important lesson should be learned from the Tank Connection, LLC case -- actions speak louder than intentions with regard to maintaining confidentiality. Even an employer’s best intentions to protect the confidentiality of employee information can go awry and will be rendered meaningless if the employer’s actions do not actually safeguard the information at issue. To ensure that intentions match actions, employers should regularly audit their information security protocols, including all security measures in effect on their IT systems to protect confidential employee information kept in electronic form, to ensure the continued functionality of such measures and make sure that what they think is in place actually is.
Many employers now track employee attendance by using biometric scanners that require an employee to clock in and out by scanning a fingerprint or a palmprint. Such scanners have largely replaced paper timesheets and have made managing employee attendance more accurate and efficient. However, employees sometimes express privacy concerns when asked to provide such data. Many employees are concerned about what an employer may do with the gathered information or whether the information could be hacked by an outside individual.
Recently, an employee was awarded a judgment of $586,860 (including back pay, front pay, and compensatory damages) after his employer forced him to retire due to his refusal to use the biometric hand scanner that the company installed to track attendance. The employee, who was an Evangelical Christian, had informed his employer that using the hand scanner violated his sincerely held religious beliefs because it could potentially be used to create an identifier for followers of the antichrist known as “The Mark of the Beast.” While this is an extreme example, many employees have expressed fears that their biometric data may be improperly used in the future.
New York employers should be aware that New York State has one of the few statutes that limits the collection of biometric data. New York Labor Law Section 201-a prohibits employers from requiring the fingerprinting of employees as a condition of obtaining or continuing employment. There are limited exceptions to this restriction. For example, the New York State Department of Labor has taken the position that voluntary fingerprinting is permissible. Additionally, Section 201-a does not apply to state or municipal employees, workers at medical institutions, many school employees, or to other employees who are subject to fingerprinting by law or regulation. Aside from these exceptions, however, many New York employers may be limited to the use of hand scanners or the more expensive iris scanning equipment, rather than a device that requires an employee’s fingerprint.
As an alternative to biometric scanners that require an employee’s fingerprint, some employers have installed devices that use a finger geometry “scan” rather than an actual “fingerprint.” This technology scans a user’s finger and identifies an individual’s finger “geometry” by measuring its length, width, thickness, and surface area, and disregards surface details, such as fingerprints, lines, and scars. Those measurements are often converted into a mathematical algorithm that are then stored in the attendance scanners. Because a fingerprint is not taken, Section 201-a is not implicated. Once employees understand that their actual fingerprints are not being taken or kept by their employers, their privacy concerns generally dissipate.
In addition to potential Section 201-a issues, employers should also be aware that they may have a duty to bargain with a union before requiring the use of such biometric devices pursuant to the National Labor Relations Act or the Taylor Law.
Employers who are considering implementing a biometric scanner system to track attendance should: (1) communicate with employees prior to introducing the biometric system, so that all employees will understand exactly how the technology is used; and (2) distribute a clear employer policy. Often, employee privacy concerns are based on misinformation that can be alleviated by taking these two simple steps.
As the social media phenomenon continues to dominate our culture and its use has become second-nature, it is worthwhile to revisit some of the issues presented by an employer's use of social media, particularly in the context of hiring.
Social media presents a unique workplace conundrum. On one hand, employees generally believe that their use of social media outside of work is none of their employer’s business. However, employers need to make employment decisions based on the best available information, which sometimes includes information an employee or potential employee shares on social media. In the context of hiring, a candidate’s social media page can provide invaluable insight into the candidate’s character. Generally, people tend to be much more candid on social media than they would be during a job interview, and, as the saying goes, “a picture is worth a thousand words.”
While there are currently no laws prohibiting New York employers from accessing an applicant’s social media information during the hiring process, there are potential legal pitfalls depending on how a candidate’s social media information is accessed, what information is obtained, and what information is considered when making a hiring decision. Social media sites contain a lot of information that employers are legally prohibited from considering during the hiring process (e.g., age, sexual orientation, race, religion, ethnicity, etc.). Simply possessing this type of knowledge about a candidate could ruin an otherwise well-based decision not to hire an individual, because it could create an inference that this information was part of the basis for the decision. Thus, employers that use social media as a hiring tool must exercise caution and take the appropriate steps to address these concerns.
At the outset, an employer should determine whether a social media search will be conducted as part of the hiring process, and if so, develop a policy regarding the use of social media in hiring. The policy should address what positions the search will be used for, the scope of the search, and when the search will occur, which is ideally later in the process to limit the number of candidates who are affected. The policy should also clearly identify what information will not be looked at or considered (i.e., protected characteristics), and what will be reported to those involved in hiring. Employers must ensure that this policy is distributed and communicated to hiring managers, and that they understand the purpose of the policy. As with any other policy, it is important that it is followed and applied consistently.
With respect to implementation of the policy, it is imperative that direct hiring managers do not access social media as part of the hiring process. A non-decision-maker should conduct the search and report only relevant, non-protected information to the decision-maker. To ensure this process is effective, the non-decision-maker conducting the search must understand what information the employer is legally prohibited from using when making a hiring decision.
An employer should never access any site that they have not been authorized to access, nor should employers require a candidate to provide them with access to their personal social media accounts. As reported in our April 28, 2012 blog post, legislation was introduced in the New York State Senate that was intended to prohibit employers from failing to hire an applicant based on his/her refusal to provide login information to the employer. Although this bill has not been passed, it is still the best practice to refrain from requiring candidates to provide access to their social media accounts as part of the application process, or as a condition of an offer of employment. In fact, multistate employers should be aware that at least 18 states, including Arkansas, California, Colorado, Delaware, Illinois, Louisiana, Maryland, Michigan, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Vermont, and Washington, have enacted legislation regulating an employer’s social media activity, most of which contain prohibitions against requiring applicants or employees to provide the employer with his/her personal login information. Further, employers should not falsify information or impersonate an individual to gain access to the page. In other words, an employer must not ask an employee who is “friends” with a candidate to access his/her page. As a rule of thumb, only view information that is open to the public.
Employers should attempt to verify information before relying on it. Employers should also document and retain the information obtained in the search, including the search criteria and the information considered as a basis for their hiring decisions.
As we noted in our June 17, 2010 blog post, social networking sites have become a popular tool for employers seeking information about job applicants during the hiring process. However, employers' efforts to obtain information that enables them to access their employees' and applicants' private social media web sites have recently been subject to increased scrutiny by New York State and Federal legislators.
On April 13, 2012, New York State Senator Liz Krueger sponsored and introduced a bill that would prohibit employers, as well as their agents or representatives, from requiring employees or job applicants to disclose log-in names, passwords, or other means for accessing a personal account or service through an electronic communications device. This includes information such as private social media account log-in names and personal e-mail account passwords. This proposed legislation would also prohibit employers from discharging, disciplining, or otherwise penalizing an employee, or failing to hire an applicant, based on the refusal to provide information that would enable the employer to access personal accounts or services through an electronic communications device. The New York Attorney General would have the authority under the proposed legislation to enjoin employers from committing such unlawful practices, and employers could be subject to a $300.00 fine for a first offense and a $500.00 fine for each subsequent offense.
This proposed legislation comes just weeks after U.S. Senators Charles Schumer (D-NY) and Richard Blumenthal (D-CT) sent open letters to the Equal Employment Opportunity Commission and the U.S. Department of Justice urging the agencies to investigate employers' practice of requiring applicants to provide Facebook and e-mail passwords as a condition for job interviews.
Efforts to enact legislation similar to the New York bill are currently underway in several states. In fact, Maryland recently became the first state to enact legislation that prohibits employers from requiring that employees or applicants disclose user names, passwords, or other means for accessing a personal account or service through an electronic communications device.
As we indicated in our June 17, 2010 blog post, employers should be careful even when viewing publicly available information regarding applicants on social media web sites. Because Facebook and other similar web sites potentially contain a plethora of information about job applicants that employers cannot consider during the hiring process (e.g., race, national origin, religion, marital status, sexual orientation, etc.), employers should exercise caution in using social media web sites to screen applicants. Employers who choose to use social media in the hiring process should promulgate a clear policy and procedure for utilizing this tool, and should closely follow the developments in this area of the law.
In an earlier post, we reported that the National Labor Relations Board issued a complaint in a case involving the discharge of several employees for posting Facebook messages related to a co-worker’s criticism of their work performance. The case subsequently went to trial before an Administrative Law Judge. On September 2, the ALJ issued an opinion finding that the firings violated the NLRA by interfering with the employees’ right to engage in “concerted activity for the purpose of … mutual aid or protection.”
The Facebook postings occurred after one of the discharged employees learned that a co-worker had complained about the job performance of several employees and had expressed her intent to take the complaints to management. The employee who learned of the criticism posted a message on her Facebook page soliciting comments from other employees about the complaining co-worker’s criticism, and used the co-worker’s name. Predictably, several employees responded expressing various negative opinions about the criticism, the complaining co-worker, and the difficulty of various aspects of their jobs. None of the employees made the posts during work time, and none of them used a work computer. The employer’s Executive Director subsequently met with the five employees and fired all of them for harassment and bullying in violation of the employer’s anti-harassment policy.
The main issue in the case was whether the conduct in which the employees had engaged was protected concerted activity within the meaning of the NLRA. Relying on analogous NLRB precedent, the ALJ noted that expressions related to defense of job performance are protected activity. In response to the employer’s argument that the activity was not “concerted” because it was individualized, the ALJ concluded that the activity was concerted because the employees’ Facebook messages were the first step toward group action to defend themselves against accusations they could reasonably believe would be brought to management. The opinion states that: “Employees have a protected right to discuss matters affecting their employment amongst themselves. Explicit or implicit criticism by a co-worker of the manner in which they are performing their jobs is a subject about which employee discussion is protected by Section 7. That is particularly true in this case, where at least some of the discriminatees had an expectation that [the complaining co-worker] might take her criticisms to management.”
Finally, the ALJ rejected the employer’s argument that it was merely enforcing its anti-harassment policy. The Judge concluded that the policy, which prohibited harassment based on protected characteristics, was not violated because there was no evidence the complaining co-worker was harassed, and no evidence she was harassed based on one of the protected characteristics listed in the policy.
An appellate court in California recently held that an employee’s email exchanges with an attorney via the employee’s work email account were not protected by the attorney-client privilege, Holmes v. Petrovich Development Co. According to the Court’s opinion, when Gina Holmes began working for Petrovich Development Co., she read and signed the company’s employee handbook, which contained a policy regarding use of the company’s technology resources. The policy advised employees that: (1) the company’s technology resources, such as computers and email accounts, were for business purposes only; (2) employees had no expectation of privacy in the information or messages “created or maintained” on the company’s technology resources, including any emails sent or received on a company email account; and (3) the company could “inspect all files or messages … at any time for any reason at its discretion” and would periodically monitor files and messages. When Holmes got into an argument with the CEO about becoming pregnant a month after being hired, she exchanged two emails with an attorney via her company email account in which she explained her situation and asked about her rights. The next day, and after meeting with the attorney, Holmes quit her job claiming a hostile work environment and constructive discharge.
Holmes subsequently brought suit against the company. The trial court granted summary judgment dismissing some of her claims, and a jury found for Petrovich on the remaining claims, including invasion of privacy. On appeal, Holmes argued, among other things, that the trial court erred in permitting the e-mails to her attorney to be entered in evidence, contending they were protected by the attorney-client privilege. Such communications between an attorney and client can be privileged. For example, in Stengart v. Loving Care Agency, Inc., emails sent by an employee at work via her personal email account were held to be privileged where the employer’s policy permitted employees to use company computers for “occasional personal use.” In Holmes, however, the Court held that because Holmes had been advised of the company’s technology resources policy before the emails were exchanged, but nonetheless chose to engage in an email exchange via her company email account, Holmes’ emails with the attorney were not privileged. As the Court held: “… the e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard by [her employer]. By using the company’s computer to communicate with her lawyer, knowing the communications violated company computer policy and could be discovered by her employer due to company monitoring of e-mail usage,” the emails lost any protection they otherwise would have had.
While the question of whether attorney-client communications over an employer’s computer network are protected is not a settled issue, and turns on the facts of the case, the lesson to employers from the Holmes case is clear. Employers should institute and disseminate to employees an appropriate technology resources policy that makes clear employees have no right to privacy in the emails they send or receive via an employer email account and that such emails can be monitored by the employer at any time.
The National Labor Relations Board (“NLRB”) recently filed a complaint against American Medical Response of Connecticut, Inc. (“AMR”), alleging that AMR violated the National Labor Relations Act (“NLRA”) by discharging an employee for posting comments on her Facebook page that were critical of her supervisor. In addition, the NLRB’s complaint alleges that AMR’s social networking policy constituted an unlawful restriction on employees’ rights to communicate with one another about their terms and conditions of employment and otherwise engage in protected concerted activity under the NLRA. A hearing before an Administrative Law Judge is scheduled with respect to the NLRB’s allegations on January 25, 2011.
AMR’s Employee Handbook included a Blogging and Internet Posting Policy that prohibited employees from: (1) posting pictures of themselves which depict AMR in any way unless written approval from the Vice President of Corporate Communications is granted; and (2) making “disparaging, discriminatory, or defamatory comments when discussing the Company or the employee’s superiors, co-workers and/or competitors.” According to the NLRB complaint, an AMR employee named Dawnmarie Souza (“Ms. Souza”) “engaged in concerted activities with other employees” on November 8, 2009, by criticizing her supervisor on her Facebook page. According to a press release issued by the NLRB that accompanied its filing of the complaint, Ms. Souza’s criticism of her supervisor drew supportive responses from her co-workers, which resulted in Ms. Souza making additional negative comments about her supervisor on her Facebook page. Ms. Souza was discharged from her employment with AMR on or about December 1, 2009.
In the complaint, the NLRB alleges that AMR interfered with, restrained, and coerced its employees in the exercise of their right to engage in protected concerted activities, by promulgating its Blogging and Internet Posting Policy and by discharging Ms. Souza. The NLRB also alleges that AMR discriminated against Ms. Souza for her protected concerted activity by discharging her. According to the NLRB’s press release, the NLRB is taking the position that AMR’s Blogging and Internet Posting Policy contains unlawful provisions, including: (1) the provision that prohibits employees from making disparaging remarks about AMR or supervisors of AMR; and (2) the provision that prohibits employees from depicting AMR in any way without permission.
The NLRB’s position regarding the unlawfulness of AMR’s social networking policy appears to signify a departure from a recent opinion issued by the NLRB General Counsel’s Division of Advice on December 4, 2009. In that opinion, the Division of Advice considered an employer’s social networking policy that prohibited, among other things, “disparagement of company’s or competitors’ products, services, executive leadership, employees, strategy, and business prospects.” The Division of Advice concluded that the policy, as written, was lawful because employees could not reasonably construe the policy as prohibiting the types of concerted activities protected by the NLRA. The Division of Advice also found no evidence that the policy was promulgated in response to union organizing activity or was applied for the purpose of discouraging union organizing activity.
Although a hearing has not yet been held in the AMR case and a decision has not yet been rendered, the issuance of a complaint in that case indicates that the NLRB will closely scrutinize employer policies that potentially restrict an employee’s right to discuss terms and conditions of employment through social networking sites. Accordingly, all employers (regardless of whether their employees are unionized or not) should take this opportunity to review their social networking policies, and amend those policies to ensure that there is no language that could reasonably be construed by employees as prohibiting concerted activities relating to terms and conditions of employment. Employers who are contemplating the promulgation of a social networking policy should make sure to craft the language of the policy carefully to reduce the risk that the NLRB will find the policy to be an unlawful restriction on employee rights.
The courts have begun to address the question of whether an employee’s social network profile and postings, including sections only accessible to “friends,” are “private.” Most recently, the New York State Supreme Court for Suffolk County decided that the non-public portions of a plaintiff’s social networking sites are discoverable in litigation when they may contain information relevant to the plaintiff’s claims for damages for loss of enjoyment of life, Romano v. Steelcase Inc.
Ms. Romano sued her employer for, among other things, injuries she sustained that she alleged rendered her permanently disabled. According to the Court’s opinion, the publicly accessible parts of Ms. Romano’s Facebook and MySpace pages contained information which her employer “believed to be inconsistent with her claims” of permanent disability, “especially her claims for loss of enjoyment of life.” For example, publicly accessible photographs showed that Ms. Romano had an “active lifestyle” and traveled from New York to Florida and Pennsylvania during the time she was allegedly home and bed bound due to her injuries. The defendant employer made a discovery demand for access to all of her “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information”—both the publicly accessible parts of such pages and those parts which Ms. Romano had marked as “private” and made accessible to only her social networking “friends.”
In determining that the defendant employer was entitled to the information, the Court concluded that Ms. Romano had no reasonable expectation of privacy in the material. The Court reasoned that because the whole purpose of social networking sites is to share information with others, by creating her Facebook and MySpace pages and posting information and photographs on them, “she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.” The Court also concluded that any minimal privacy interest was outweighed by New York’s “strong public policy in favor of open disclosure” in litigation. Because the federal Stored Communications Act prohibits a social networking site like Facebook or MySpace from disclosing the information sought without the consent of the owner of the account, the Court ordered Ms. Romano to provide the necessary consent.
The Romano decision was issued in the context of a litigation discovery dispute between an employer and employee, but the case’s impact is potentially broader because of the general principle it enunciates: individuals do not have a reasonable expectation of privacy in Facebook postings, regardless of the privacy settings they choose. As a result, when a co-worker who is “friends” with an employee presents an employer with photographs that the employee posted on Facebook, and those photos clearly demonstrate the employee was on vacation when he had called in sick, the employer may consider that material in its investigation. The employer may do so even if the employee’s privacy settings would have prevented the employer from accessing the photos directly. Of course, when obtaining investigative material from a co-worker, the employer/investigator must still proceed with caution given Stored Communications Act concerns
The United States Court of Appeals for the Seventh Circuit’s recent decision in United States v. Szymuszkiewiczis yet another reminder that the law governing monitoring of electronic communications in the workplace is a rapidly evolving, and requires employers to regularly revisit their technology use policies. Szymuszkiewicz was an IRS agent in Wisconsin who was convicted under the federal Wiretap Act for intentionally intercepting an electronic communication. A jury found that he secretly activated the auto-forward “rule” on his supervisor’s Microsoft Outlook e-mail account. As a result, a copy of every e-mail the supervisor received was also sent to the agent. The Wiretap Act makes it unlawful for any person to intercept an oral, wire or electronic communication without authority or the consent of at least one party to the communication.
In challenging the conviction, the agent argued that a communication is only “intercepted” under the Act if it is caught “in flight” (before it reaches its destination). Because he merely forwarded e-mails that had already arrived at his supervisor’s computer, he argued, no “interception” occurred. The only crime he could have been charged with, he contended, was a violation of the Stored Communications Act. Noting the risk in “defend[ing] against one crime by admitting another,” the Seventh Circuit rejected the agent’s argument.
First, the Court found that the Wiretap Act does not require contemporaneous or “in flight” interception at all. Any acquisition of information using a device, including conduct which would violate the Stored Communications Act, can violate the Wiretap Act. The Court noted that the “in flight” analogy really does not work for e-mail messages, which are broken up into packets (segments of message) when sent, transmitted over different routes, at different times, and reassembled at the server. So there is no way to intercept the entire message “in flight.” In rejecting the requirement of contemporaneous interception, the Court declined to follow several other Circuit Courts which have held that the interception had to be “contemporaneous” with the communication.
Finally, the Court concluded that even if the statute imposed a contemporaneous interception requirement, it was met in the case before it because Microsoft Outlook’s default provides for automatic forwarding to occur at the server, not at the recipient’s computer. Because each e-mail to the supervisor was received in packets at, reassembled and sent from the IRS’s regional server in Kansas City almost simultaneously to both the supervisor and agent, the agent’s ‘copying at the server was the unlawful interception, catching the message “in flight”… .
Although Szymuszkiewicz involved the clandestine actions of an employee, its holding has applicability to employer monitoring of employee e-mails. Employers that routinely make copies of employee e-mails as part of their regular business activities (for example, by copying e-mails for archival purposes or auto-forwarding the e-mails of a departed employee so others may respond) can no longer assume that because they are acting on an already-received message they are not “intercepting” it. As noted above, as long as one party to the communication consents to the “interception,” the statute is not violated. For that reason, potential violations of the Wiretap Act can most easily be avoided by taking steps to obtain implied or actual consent. Technology use policies should, at a minimum, put employees on explicit notice that electronic communications created, sent or received using company equipment or via its network are company property and subject to monitoring, access, duplication, review and disclosure by the employer at any time. Employers should also obtain implied consent from employees to take such actions through a statement in the policy and/or log in screen that use of the technology constitutes consent to monitor. A signed acknowledgment from the employee is even better.
On June 17, 2010, the U.S. Supreme Court issued a decision in a closely watched case involving discipline of an employee for improper text messaging, City of Ontario v. Quon. Although the Court’s ruling is narrow in scope, finding that the public employer’s search of the text messages was a reasonable search within the meaning of the Fourth Amendment, the Court clearly implied that an employee’s reasonable expectation of privacy will be shaped by a clearly communicated employer policy governing the use of each particular type of employer-provided technology.
The case involved the Ontario Police Department’s review of text messages sent and received by one of its officers on a department-owned electronic pager. The Department had a “Computer Usage, Internet and E-mail Policy” that gave the department the right to monitor employee Internet and e-mail use and all network activity. Although the policy did not explicitly cover text messaging, the department had officially stated that text messages on department owned pagers would be treated the same as e-mails under that policy.
Every officer in the department who was assigned an electronic pager was allotted 25,000 characters of use. When there was an overage, a lieutenant audited the text messages to ensure the pager was being used only for business-related purposes. In practice, however, whenever the plaintiff in the case, Sgt. Jeffery Quon, exceeded the allotment, the lieutenant told him he would not audit the messages if he paid the department for the overage costs. After Quon exceeded his allotment several times, the police chief ordered an audit of his text messages to determine whether the allotment was still sufficient for work-related messages, or whether the pager was being used for Quon’s personal use. During the audit, sexually explicit text messages were discovered and Quon was disciplined.
Quon sued claiming, among other things, that the audit of his text messages was an unlawful search in violation of his Fourth Amendment rights. The Ninth Circuit Court of Appeals agreed, holding that Quon had a reasonable expectation of privacy in the content of the text messages because of the lieutenant’s assurances that the messages would not be read if the overage was paid. The City appealed to the United States Supreme Court.
The high court reversed, but rather than issue a broad pronouncement concerning employee privacy rights in electronic communications, decided the case on narrower grounds. As the Court explained: “A broad holding concerning employees’ privacy expectations vis-À-vis employer-provided technological equipment might have implications for future cases that cannot be predicted.”
For that reason, the Court assumed that Quon had a reasonable expectation of privacy in his text messages. The Court then went on to hold that the audit of Quon’s texts was a reasonable search both at its inception and in its scope, and therefore did not violate the Fourth Amendment. The department had a legitimate interest in auditing the text messages to “ensur[e] that employees were not being forced to pay out of their own pockets for work-related expenses, or on the other hand that the City was not paying for extensive personal communications.” In addition, “reviewing the transcripts [of Quon’s text messages] was reasonable because it was an efficient and expedient way to determine whether Quon’s overages were the result of work-related messaging or personal use.”
In what can and should be read as an important notice to employers, the Court emphasized the importance of a technology use policy noting - “[e]mployer policies concerning communications will of course shape the reasonable expectations of employees, especially to the extent that such policies are clearly communicated.” The Court also noted Quon’s assertion that a supervisory employee created an expectation of privacy by assuring him that his text messages would not be audited if he paid overage charges. To avoid such claims, employers should train employees on their technology use policy and draft such policies to ban verbal modification.
The case also highlights a potential problem with the scope of many employer policies. The Court noted a distinction between employer-provided e-mail, and text messages typically transmitted through the cell phone provider’s server. An employer cannot assume that a policy which covers communications passing through its server also covers those that do not. In Quon, the department’s policy focused on e-mail, without mentioning text messages, but when pagers were issued, the department informed employees that its policy applied to text messages as well. That may not be enough in all cases. Given the increased use of smart phones and personal e-mail accounts accessed through employer-provided equipment, employers are well-advised to draft technology use policies broadly. However, such policies must be drafted with care given the Supreme Court’s observation that the audit of messages on Quon’s employer-provided pager “was not nearly as intrusive as a search of his personal e-mail account or pager … would have been.”
The take away from the Quon decision is clear – employers should adopt a carefully crafted technology use policy, distribute it to employees and educate employees on its meaning and scope. Doing so will limit employee privacy expectations and better prepare the employer to successfully defend technology-related privacy claims.