Employee expectations of privacy in the workplace only improving in very specific contexts

With the current interest focused on revisiting the Electronic Communications Privacy Act (ECPA), including plans announced by members of both the House and Senate to initiate formal reviews of the 1986 law and the extent to which its provisions should be updated to reflect the modern state of communications technology, it seems like a good time to check on the state of privacy in the workplace. The baseline position is that companies have broad latitude when it comes to capturing and monitoring communication occurring in the workplace, especially when the communication uses company-owned or provided equipment and services. Assuming they follow the stipulations about electronic communications monitoring in ECPA, such as describing planned, potential, or actual monitoring activities and providing notification of them to employees, customers, partners, or others who will be subject to the monitoring, companies have the right to watch what’s happening within their own environments. Many states require companies to obtain consent of one or both (or all) parties to an electronic conversation before it can be monitored or recorded, but when it comes to employees, as long as the monitoring activity is provided to employees as a standard operating practice, employees are assumed to have given consent by virtue of agreeing to work for the company. The standard by which non-employees can be considered to have given consent varies somewhat by jurisdiction and type of communication, but in general, if the intent to monitor is disclosed up front, the continued participation by a party to the conversation is tantamount to consent. This is the primary driver between the familiar recorded declaration, “This call may be monitored or recorded for quality assurance purposes.” If you don’t want your interaction with a company recorded, presumably you hang up and send an email or write a letter instead.

So the starting assumption for employees would seem to be, you have no reasonable expectation of privacy in the workplace. Some recent well-publicized court cases have suggested that this statement is too absolute, and in fact employees may have some expectation of privacy for their personal communications, even when those communications take place using employer resources. While there is no intention to trivialize these victories for personal privacy, the rulings address very specific sets of facts, so may not be indicative of any significant retrenchment of employer’s rights to monitor employee communications. The cases are also instructive to both companies and their employees in terms of what expectations of privacy are likely to be considered “reasonable,” and clearly spell out the need for companies to be very explicit in writing policies governing employee behavior, communications, use of company systems and services, and their plans to monitor such behavior and enforce its policies. Perhaps the most remarkable implication of the cases recent argued and others cited as precedents within those decisions is that the Courts do not appear to hold individual employees accountable for having any knowledge of the functional or technical aspects of the electronic communication systems they use, whether that functionality is specific to their employer or a standard feature of widely used communications applications like email and text messaging.

In a case argued before the New Jersey Supreme Court in December and decided last week, employee Marina Stengart sued her former employer, Loving Care, for violating her right to privacy under attorney-client privilege when the company, using computer forensic analysis, recovered cached copied of emails between Stengart and her lawyer, who was helping Stengart in a lawsuit filed against Loving Care. The email communications used Stengart’s personal, password-protected Yahoo! email account, which she accessed using her employer-issued laptop from within Loving Care’s network environment. Stengart made no active attempt to store local copies of the emails; her intention seems to have been the opposite, and her low level of technical knowledge made her ignorant of the fact that web browsers routinely store copies of viewed web pages in a temporary cache on the computer running the browser. Because she didn’t know about the temporary file cache, she made no effort to clear the cache before returning the laptop to her employer upon leaving the company. The company searched the computer it had issued her looking specifically for information that could assist Loving Care in defending against Stengart’s lawsuit. The core question in the case that made it to the NJ Supreme Court is, by using a company-issued computer to access her web-based personal email account, did Stengart waive her attorney-client privilege? The court said she did not, and remanded the case back to the trial court to determine an appropriate remedy, finding that the company, when it realized the emails were communications between Stengart and her lawyer, should have immediately notified her attorney and either returned or destroyed the emails, rather than examining their content. Essentially, the case only addresses employee expectations of privacy for personal emails exchanged with an attorney; it says little about the privacy of personal communications in general.

Another closely watched case is Quon v. Arch Wireless, the appeal of which the U.S. Supreme Court is scheduled to hear as City of Ontario v. Quon on April 19. In Quon, the key issue again is what right an employer has to monitor the content of personal communications (in this case, text messages sent with a pager rather than emails) made by employees using company-issued equipment. The 9th Circuit Court ruled in favor of the employee (Quon) in this case, and found that the city had violated Quon’s 4th Amendment rights when it examined the content of his personal text messages. It also found the pager service provider (Arch Wireless) had violated the Stored Communications Act by giving the contents of the text messages to the employer. There are some specific facts in the Quon case that may limit the scope to which the ruling applies, whichever way the decision goes, including the fact that while the messaging device Quon used was issued by his employer, none of the communications traffic flowed through the communications systems or infrastructure owned by the employer, and that employees shared the usage cost for text messaging beyond a specified volume. The most directly relevant policy maintained by the employer also explicitly limits use of computers, email, and the Internet to official business, but the group with which Quon worked had a separately negotiated employee agreement under which employees could use the pagers for personal communication, although there is some contention as to whether Quon’s use went beyond the limited amount considered acceptable under the agreement. Also, given the sexual nature of some of the content and some of the cases cited as informative by the panel in Stengart, Quon may face a bigger hurdle than Stengart in arguing his messages should have remained private, since their content seems to violate the acceptable use policy of his employer. The employer in this case is a city police department, so the involvement of a government agency (even at a local level) also makes this case different than one involving a dispute between employees and a private employer. Among the issues the Court will consider is whether an employee can have a reasonable expectation of private for personal communications when no official privacy policy exists for the city-issued devices in question.

The ruling in Stengart is useful (it’s well worth reading the ruling itself; it’s only about a dozen pages) in a few areas beyond the narrow scope of the facts in this case. Chief Justice Rabner, in describing the reasoning and legal precedents for the court’s decision, provides a number of other cases that address secondary issues raised in the Stengart case, including the specificity required in company policies about personal use of company resources and monitoring of that use. Some of the cases cited involve (justifiable) company inspection of ostensibly private employee communications because of suspected criminal activity or violation of acceptable use policies, but neither of those situations apply to Stengart. Other cases also highlight the importance of addressing the extent to which the content associated with permitted Internet use will be monitored; while employees generally can claim no expectation of privacy when communicating using their employee email address and employer’s email server or system, the same does not apply for email communication conducted outside the company environment using a personal, rather than company, email address. The court suggested that individual expectations of privacy, even when communicating with an attorney, are less justified when the employee uses a company email system for the communication. A 2006 state court decision from Massachusetts was cited not only as a precedent that the default browser behavior of storing local temporary copies of web-based emails viewed using the browser is not sufficient on its own to invalidate attorney-client privilege, and also to suggest that employee expectations of privacy, even when using a company-issued computer, are somewhat greater if the communication takes place from home or another non-company location, such as a scenario when personal email is sent or received using a company laptop connected to a home network and ISP. The court also specifically noted that no matter how specific Loving Care’s policy might have been (in its actual form the court considered it ambiguous on how the company treated personal communications), no policy can override the compelling public policy interests supported by maintaining the privilege attached to attorney-client communications. This is another reason it is hard to generalize the findings in Stengart to other personal communication contexts — presumably similar findings in favor of individual privacy rights would only be made where the subject matter of the communication was explicitly a legally protected type of content.

As Stengart aptly illustrates, not all cases raise 4th Amendment issues, although there are many court cases and examples of criminal investigations that illustrate how the existence of probable cause in an investigation can and will override individual privacy protections, irrespective of company policies or legal requirements governing the treatment of certain types of personal information. There is of course a presumption in such 4th Amendment matters that the parties doing the investigation are acting appropriately in seeking to search for information and are in fact pursuing legitimate lines of investigation. A recent decision by the 11th Circuit Court illustrates one of the more egregious violations of this presumption, when an individual acting as a whistleblower on his employer was subjected to a search of his personal email by a local prosecutor who allegedly conspired with the employer and obtained a subpoena for the individual’s email records under false pretenses, and then used that information to falsify evidence in order to charge the whistleblower with burglary and assault, neither of which actually occurred. Despite the fact that the prosecutor’s actions are not in dispute, the 11th Circuit Court ruled that the individual’s 4th Amendment rights protecting against unreasonable search and seizure had not been violated. Last week the Electronic Frontier Foundation joined the counsel for the individual in asking the 11th Circuit panel to review several aspects of its ruling, which the EFF asserts did not follow the law.

While we can’t offer the sort of expert legal analysis on any of these cases that you might find from privacy lawyers like Hunton and Williams, there are some practical implications for both employers and employees that come out of the Stengart ruling. Following the logic the justices used in Stengart, employers should:

  • Have explicit policies in place about whether personal use of company resources is permitted at all, and if it is, what limitations (if any) there are on such use
  • Also spell out in explicit terms rights the employer asserts about use of and data stored within its computing and communications assets, network environment, and employer-provided services
  • If the employer does or intends to monitor employee communications, say so, and include in the scope of the statement all forms of media and types of communication that are subject to monitoring
  • Include statements about whether the contents of such communication will be examined and under what circumstances, recognizing that there may be certain types of content (attorney communications, including with internal counsel; health records; information about employees’ children, etc.) that may be legally protected in ways that trump the employer’s rights or desire to inspect the content
  • If, in the course of following the stated policy, content is identified that falls into one of the categories of information protected by state or federal privacy laws, stop reading and don’t proceed further until checking with legal
  • If there are valid reasons to prevent employee use of personal email from work (such as data loss prevention), implement measures to block access to web-based email
  • Understand that the assertion of ownership or rights to monitor employee information does not apply the same way to communications conducted through third-party service providers, whether or not the employer pays for those third-party services
  • Make sure that the policies and procedures put in place comply with all relevant legal requirements, with special attention on regulations covering monitoring and interception of communications and rights to access stored content such as messages, call logs, or transaction records

The list above is far from exhaustive, but assuming a company wants to proactively minimize the reasonable expectation of individual privacy in the workplace, these practices would be constructive to that end. While all employers must balance employee productivity, convenience, and trust with restrictions on employee behavior in the furtherance of their business interests, it appears that employers can establish the clearest legal standing by completely prohibiting personal communication using company systems and resources.

For their part, there are also steps individual employees can take to help ensure their personal communications remain private, and to minimize the chance of inadvertent personal information disclosure such as what happened with Stengart. These include:

  • Read, understand, and follow your employer’s policies on personal use of employer-provided communications equipment and services, including definitions of acceptable use
  • For any communications deemed sensitive by the employee, try not to use employer-provided resources to conduct those communications, even if policy says that you can
  • If you do use your employer-provided devices for personal communications, try to conduct them when offsite, such as using your home ISP to connect devices to the Internet, so your communications traffic doesn’t flow through your employer’s services and network environment
  • Don’t use employer-provided email for personal communications
  • Learn enough about the tools you use (web browsers, email clients, messaging services) to understand whether local copies are being made of your activities “out in the Internet,” and if so, learn how to prevent local storage (such as using “private browsing” features) or remove the copies afterward (understanding that merely deleting a temporary file cache may not prevent the later retrieval of the cache’s content by a forensic analyst)
  • If you leave an employer, when you return your laptop, pager, PDA, smartphone, or other device, remove all personal data from the device and “wipe clean” the storage media using a tool like Eraser on a computer or equivalent comprehensive data destruction available on many handheld devices
  • The courts seem to believe that employee ignorance is no reason to diminish expectations of privacy, but this benefit only applies reliably for specially protected types of information, so don’t rely on ignorance — instead be well informed and aware of the security and privacy implications of your environment

2 Comments on “Employee expectations of privacy in the workplace only improving in very specific contexts

  1. Excellent analysis, and I am glad you found that earlier Massachusetts case. I want to go back and re-read everything but one thing seems clear to me: the courts in the United States seem intent upon behaving like my mom – they want the “do-over button”.

    Like most people who have received the scathing email followed by the “Bob Jones would like to recall the email, ‘Nick you’re a frickin idiot'”, I find it astounding that people still have a quaint concept that Internet-borne communications and digitally stored data are somehow as “take-backable” as memos typed on paper.

    In NERA v Evans, the court seems to be saying that because Evans was too ignorant to know how his email program functioned, we should all pretend that Evans’ expectation of privacy was legitimate. The second these emails hit the hard drive, though, they’re not private – they’re backed up, indexed, perhaps sucked into some massive data warehouse, stored offsite and God only knows what else. I think it’s interesting that if Evans had said he didn’t know it was illegal to smoke crack on the bus this would not have carried any weight with any court, but saying he didn’t know that his email program saves data to his hard drive makes everything A-OK. In any event, your analysis and especially these action items at the end of the post are excellent.

  2. Thanks Nick. It looks like it may be even worse for employers than the courts giving ignorant employers a way to try to put the toothpaste back in the tube – if the content in question is something protected by privacy laws, the company could be held liable for disclosing the employee personal information that the ignorant employee put on its hard drives in the first place. This is the current state of Quon v. Arch Wireless, where the 9th Circuit said the city police department employing Quon never should have been able to see his text messages, because the pager service provider violated the Stored Communications Act by giving them the texts to look at.

    There are of course good and valid reasons for individual privacy protections, but whatever happened to personal accountability?