Feeds

Employee privacy versus employer policy

US court rulings cast doubt on privacy policy

Internet Security Threat Report 2014

A similar result happened in late August 2006 in a federal court in California. A SWAT officer named Jeff Quoin sued his former employer for reading the contents of his government supplied alphanumeric pager. This was the same officer who, several years before, successfully sued the same police department for placing video cameras in the showers and locker rooms as part of an investigation of a missing flashlight.

The pager was purchased and owned by the police department, which paid for usage. The policy was explicit that the pagers were to be used for official government purposes only, but it appears that this policy was loosely enforced. The Police Department paid a flat rate for a certain number of minutes, and paid overage charges for excess use. If an employee exceeded the normal usage, the police might conduct an audit to see if the use was business related, or personal, and charge the employee for the personal use. If the employee agreed to simply pay the overage cost, no audit was conducted. Thus, the question raised was whether the police department had a right to read the contents of the alphanumeric pager.

In Quoin's case, the court noted that [the police supervisor] in effect turned a blind eye to whatever purpose an employee used the pager, thereby vitiating the department's policy of any force or substance. By doing so, [the supervisor] effectively provided employees with a reasonable basis to expect privacy in the contents of the text messages they received or sent over their pagers. The only qualifier to guaranteeing that the messages remain private was that they pay for any overages.

In effect, the court held that the actual policy of not monitoring content created, in the users, an expectation of privacy, which the court found to be reasonable. In other cases, courts have held that, despite a "business use only" policy, employees might be known to keep personal files on a business computer (just as they might keep personal records in an office desk, or a personal purse on a company provided desk drawer.) Thus, people may have reasonable expectations of privacy in the contents of files on a desktop, in emails or other electronic communications.

So, what's an employer to do?

These two cases put the employer in a terrible position. Even the most broadly written policy granting full rights of monitoring and consent to monitoring may not extinguish all privacy rights. But do we want to, or need to extinguish all privacy rights? I think not.

The better approach is to give yourself the right to monitor, have employees consent to monitor, and state that your failure to monitor in particular situations is not a waiver of your right to monitor. Further, you should periodically review your policies, and rewrite them in light of changed circumstances, and continue to educate employees and users about the policies and their rights.

Something along the lines of "we don’t ordinarily monitoring what people do, and assume that they will act as responsible adults, but when we learn you are doing something bad, or if we are doing routine examination, we might find something that warrants further investigation. The fact that we didn't do it in the past means nothing. We might do it in the future, so beware".

Of course, that is far too understandable for a lawyer to do, so we might have to translate it into Latin. Until then, use corporate networks and resources with care. Someone might be watching.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit and now serves as a lawyer specialising in computer crime, computer security, and privacy matters in Bethesda, Maryland.

Choosing a cloud hosting partner with confidence

More from The Register

next story
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
BT said to have pulled patent-infringing boxes from DSL network
Take your license demand and stick it in your ASSIA
Right to be forgotten should apply to Google.com too: EU
And hey - no need to tell the website you've de-listed. That'll make it easier ...
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.