Feeds

Employee privacy versus employer policy

US court rulings cast doubt on privacy policy

Top 5 reasons to deploy VMware with Tegile

A similar result happened in late August 2006 in a federal court in California. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

The pager was purchased and owned by the police department, which paid for usage. The policy was explicit that the pagers were to be used for official government purposes only, but it appears that this policy was loosely enforced. The Police Department paid a flat rate for a certain number of minutes, and paid overage charges for excess use. If an employee exceeded the normal usage, the police might conduct an audit to see if the use was business related, or personal, and charge the employee for the personal use. If the employee agreed to simply pay the overage cost, no audit was conducted. Thus, the question raised was whether the police department had a right to read the contents of the alphanumeric pager.

In Quoin's case, the court noted that [the police supervisor] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating the department's policy of any force or substance. By doing so, [the supervisor] effectively provided employees with a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers. The only qualifier to guaranteeing that the messages remain private was that they pay for any overages.

In effect, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable. In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications.

So, what's an employer to do?

These two cases put the employer in a terrible position. Even the most broadly written policy granting full rights of monitoring and consent to monitoring may not extinguish all privacy rights. But do we want to, or need to extinguish all privacy rights? I think not.

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights.

Something along the lines of "we don’t ordinarily monitoring what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. The fact that we didn't do it in the past means nothing. We might do it in the future, so beware".

Of course, that is far too understandable for a lawyer to do, so we might have to translate it into Latin. Until then, use corporate networks and resources with care. Someone might be watching.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Choosing a cloud hosting partner with confidence

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.