Feeds

Employee privacy versus employer policy

US court rulings cast doubt on privacy policy

Internet Security Threat Report 2014

A similar result happened in late August 2006 in a federal court in California. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

The pager was purchased and owned by the police department, which paid for usage. The policy was explicit that the pagers were to be used for official government purposes only, but it appears that this policy was loosely enforced. The Police Department paid a flat rate for a certain number of minutes, and paid overage charges for excess use. If an employee exceeded the normal usage, the police might conduct an audit to see if the use was business related, or personal, and charge the employee for the personal use. If the employee agreed to simply pay the overage cost, no audit was conducted. Thus, the question raised was whether the police department had a right to read the contents of the alphanumeric pager.

In Quoin's case, the court noted that [the police supervisor] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating the department's policy of any force or substance. By doing so, [the supervisor] effectively provided employees with a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers. The only qualifier to guaranteeing that the messages remain private was that they pay for any overages.

In effect, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable. In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications.

So, what's an employer to do?

These two cases put the employer in a terrible position. Even the most broadly written policy granting full rights of monitoring and consent to monitoring may not extinguish all privacy rights. But do we want to, or need to extinguish all privacy rights? I think not.

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights.

Something along the lines of "we don’t ordinarily monitoring what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. The fact that we didn't do it in the past means nothing. We might do it in the future, so beware".

Of course, that is far too understandable for a lawyer to do, so we might have to translate it into Latin. Until then, use corporate networks and resources with care. Someone might be watching.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Providing a secure and efficient Helpdesk

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.