News Stay informed about the latest enterprise technology news and product updates.

'Sexting' case should prompt review of employee privacy policy

A sexting case before the Supreme Court could have a broad impact on employee privacy rights. In the meantime, companies would be wise to update and review their privacy and computer use policies with workers.

This term the U.S. Supreme Court will hear a racy "sexting" case that experts say could broadly affect employee privacy rights and employer policies on computer use.

The case, City of Ontario v. Quon, and the trial court case it stems from, raise issues about how employers monitor, store and retrieve electronic messages; how they contract with their Internet service providers (ISPs) and even about whether they should issue message-sending devices. At its most influential, Ontario v. Quon could give the Court a platform for sorting out privacy rights in the Internet age -- an age when the boundaries between work and personal life are blurring.

More on privacy law

Avoiding gotchas of security tools and global data privacy laws

U.S., EU personal data protection laws make e-discovery risky

For now, and no matter how the Court rules, privacy and legal experts say the case should prompt chief information officers and compliance officers to make certain their computer use policies and employee privacy policies are communicated clearly and often -- and are strictly adhered to by management.

"Part of the reason for this case is that there was a substantial gap between the stated policy and the operational reality," said analyst John Bace, a compliance and risk analyst at Gartner Inc. "The reason why I am following this case really closely is that too many companies today do not pay enough attention to their document retention policies or their computer use policies."

Quon v. Arch Wireless

The Supreme Court case stems from the U.S. Court of Appeals for the 9th Circuit case, Quon v. Arch Wireless Operating Co. Sgt. Jeff Quon, a member of the Ontario, Calif., police department's SWAT team, successfully sued the city of Ontario and Arch Wireless, its wireless messaging service provider, for violating his privacy rights after supervisors viewed personal text messages Quon had sent on a city-issued two-way alphanumeric pager. Among the messages were texts to his wife and to his mistress, some of them sexually explicit. (His wife joined him in the suit.)

The issue before the Supreme Court is whether police officials violated Fourth Amendment protections for a government employee by reviewing those personal text messages.

At first, Quon's case against the city did not seem all that strong. The pager belonged to his employer. His employer, although lacking a policy explicitly regarding pager use, did have a computer use policy, signed by Quon. That "Computer Usage, Internet and E-mail Policy" stated that the use of computer tools and systems for personal benefit "is a significant violation" of city policy. It also stated that all access to the Internet was recorded and that the city reserved the right "to monitor and log all network activity including e-mail and Internet use, with or without notice."

Reasonable expectation of privacy

The plaintiffs, however, argued that the disjunction between written policy and day-to-day reality gave Quon a "reasonable expectation of privacy."

Under its contract with Arch Wireless, the city was required to pay overage charges on pagers that exceeded 25,000 characters. When members of the SWAT team exceeded that limit on their pagers, they wrote checks to their supervisor to cover the overages, with the understanding -- according to the lawsuit -- that the supervisor didn't care if that torrent of characters included some personal communications.

After a year or so of this practice, however, the team supervisor told his superiors he was tired of playing bill collector for these overages, prompting an official audit of the messages from chronic offenders, Quon being one. The city requested the stored text messages from a support specialist at Arch Wireless, who turned them over without notifying Quon. At least three people, including the police chief, read Quon's messages.

The trial court held that Arch Wireless, by disclosing messages to people who were not the "addressees or intended recipients, had violated the Stored Wired and Electronic Communications Act (SCA). The Supreme Court has refused to hear Arch Wireless's appeal.

As for Quon's privacy expectations, the original jury found in favor of the city, saying that the city's computer use policy allowed the police department to review the text messages. On appeal, the 9th Circuit reversed the finding, holding that the city's actions violated a government employee's Fourth Amendment protection against unreasonable search and seizure. The Supreme Court agreed to hear the city's part of the case (search and seizure, privacy) but not the case against Arch.

The takeaway point, and what we have been advising clients, is that it is not enough to rely on having a written policy somewhere in your handbook or somewhere on your Internet.

Christine Lyon,
partner, Morrison & Foerster LLP

Updating computer use policies

Christine Lyon, a partner at Morrison & Foerster LLP who focuses on privacy and employment law, said the Quon v. Arch Wireless case raises many interesting issues. "But the most interesting and important one was the idea that even if an employer had a very clear policy that the employees signed off on -- the employer has the right to look at all your messages; you have no expectation of privacy -- this could be undermined by a manager saying something to the contrary," Lyon said in an interview from Morrison's Palo Alto offices.

That aspect alarmed California employers, but the issue could come up in other states as well, Lyon said, because the case rests on whether the employee could have a reasonable expectation of privacy in the workplace. The usual view on how to avoid a reasonable expectation of privacy is to have a good written policy.

"The takeaway point, and what we have been advising clients, is that it is not enough to rely on having a written policy somewhere in your handbook or somewhere on your Internet. Companies actually need to make sure that the policy is communicated clearly to employees and that managers are being consistent in how they are communicating it too," Lyon said.

In addition, Lyon cautions clients not to be lulled into complacency because the case addresses the Fourth Amendment privacy rights of a government employee, not a private sector employee. The 9th Circuit applied the same analysis to the Fourth Amendment claim and to the claim under California law, so there are many potential implications for California employers, she said. And while courts in other states would not have to follow the findings, employees bringing claims in other states could cite the case, relying on common law to make the link.

ISPs gun-shy

The other fallout for employers, Lyon said, concerns the case against Arch Wireless. Although the Supreme Court is focusing on the employee's privacy rights issue, the lower courts' ruling against Arch Wireless for giving up those messages without the employee's consent sent a message to ISPs.

"What that means for employers is that if they are using a third party to maintain their messages, they are going to have a hard time getting providers to give you those messages, because the Quon case was a real alarm to those providers," Lyon said.

Finally, some experts believe this case could usher in a new era where employees, as they do in other countries, have an intrinsic right to workplace privacy. Gartner's Bace said that if the Supreme Court interprets narrowly, it's basically "life as normal" for employers, provided they update and enforce employee privacy rights.

"But if they start looking at expectations of privacy in the workplace, companies are going to have to be very careful about how they state those policies and how they enforce them. We may be moving towards the environment we find in Europe under the Data Protection Directive."

Let us know what you think about the story; email Linda Tucci, Senior News Writer. Follow @ITCompliance for compliance news throughout the week.

Dig Deeper on Risk management and compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.