
The Web of social media and compliance: The ECPA and online privacy

By Alexander B. Howard, Associate Editor
17 Aug 2009 | SearchCompliance.com


Part 1 of this series addressed the expectations employees should have for online privacy using social media over a corporate network. Part 3 addresses what an online privacy policy could include and how it should be shared.

A recent court decision on an employee's right to online privacy using a company computer, Stengart v. Loving Care, cast some doubt on the legality of monitoring when it comes to privileged or personal communications. Specifically, "an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications."

Some state constitutions, most notably California's, provide some online privacy rights in the private sector, but generally in the U.S., statutes and principles of the "common law" serve to protect privacy in the commercial context.

Prohibitions against monitoring employee email or other communications have historically focused on interception of messages, not retrieval from electronic storage. As Yaron Dori, an attorney who specializes in telecommunications and privacy law at Covington & Burling LLP, said, when it comes to an employee's expectation of privacy, there's "very little, especially if the employer has notified the employee they will be monitoring him or her. Even less if the employee has acknowledged or consented to such monitoring."

Another statute has relevance to online privacy. The Electronic Communications Privacy Act (ECPA), passed in 1986 as an amendment to the Wiretap Act of 1968, applies to both government employees and private citizens. The ECPA protects communications in storage as well as in transit. It specifically prohibits a third party from intercepting or disclosing communications without authorization.

Neither the ECPA nor its subsequent amendments specifically limit any monitoring of social media messaging. As Aaron Massey wrote at The Privacy Place last December in a post on the ECPA and personal health records systems, there are "two main exceptions of the original Wiretap Act, both of which were retained by the ECPA.

"The first exception allows interception when one of the parties has given prior consent. … The second exception allows interceptions if they are done in the ordinary course of business. This could mean that your data would be accessible by third parties such as an information technology vendor that maintains the software."

Any compliance officer working through interpreting the ECPA as it applies to online privacy and social media compliance will encounter a reality best expressed by Paul Ohm, a former attorney for the Department of Justice. Ohm, now an associate professor of law at the University of Colorado Law School, wrote that the ECPA is more complicated than the U.S. tax code.

As attorney Evan Brown pointed out on his blog, Internet Cases, recent court rulings suggest that the scope of the Electronic Communications Privacy Act may not be so narrow. The ECPA only prohibits monitoring of electronic communications if it is done "without authorization" or in a manner that exceeds the authorization given.

"The case instructs us that this court is not willing to read the definition of electronic communication as narrowly as the court did in Ropp," Brown writes. "No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system -- and not crossing state lines -- may still affect interstate commerce."

Part 3 of this series addresses what an online privacy policy could include and how it should be shared.

Let us know what you think about the story; email Alexander B. Howard, Associate Editor, or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.


