Evolving Employee Rights in the Age of Web 2.0

Morgan Lewis presented an informative webcast on Web 2.0 from the company/employee perspective. These are my notes.

Panelists:

Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You limit access over the company’s network, but employees have easy access from mobile phones and home computers.

They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need for companies to address social media.

One issue is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not on the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not on a hard drive or network storage that you control.

Personal Use of Mobile Devices

The first issue with privacy is the use of mobile devices. It’s hard to prevent ALL personal use of a company-supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their BlackBerry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.

This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and some lessons that may be coming out of this case. There are some lessons to be learned from this case, even though the decision may be limited to government workplaces.

The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act.

Personal Email

They also took a close look at the . That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.

They raised Convertino v. U.S. Department of Justice, 674 F. Supp. 2d 97 (D.D.C. 2009). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the emails immediately after they were sent or received, but didn’t realize that a copy of each deleted email would be kept. The court used a test similar to the one used by the Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.

The takeaway is that employers should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.

Proposed Internet/Email Policy

Here are some items they propose:

  • Limit personal use of the company email system.
  • Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
  • All information forwarded or received via the company email system is subject to monitoring and may be stored.
  • All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
  • Back-up copies of electronic communications may exist, even if “deleted” from the computer.
  • Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
  • Describe prohibited activities:
    • Disseminating confidential information;
    • Any actions that could be seen as harassing;
    • “Hacking” and related activities;
    • Tampering with or disabling security mechanisms on company computers;
    • Unauthorized downloads; and
    • Violations of copyright laws.
  • Enforce the policy and punish violators.
  • Obtain signed acknowledgements and post the policy.

HR using Web 2.0

There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.

You should consider whether employees can give recommendations on sites like LinkedIn.

You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.

FTC Guidelines and the Workplace

The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be considered a deceptive testimonial, creating potential liability for the employee and the company.

The FTC guidelines require disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed (16 C.F.R. §255.5). The FTC will consider the existence of a policy in deciding whether to bring an enforcement action.

A company should make it clear that the policy is applicable across all communication platforms.

Should you search the internet for information on job applicants?

There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.

You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)

Are you liable for false statements made by your employees?

If the company sponsors the content, then yes, the company can be held responsible. Even on a non-sponsored site, if the company does nothing, that could be viewed as assent and the company could be held responsible.

Can you discipline an employee for using these sites?

Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.

If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.

A few states specifically protect off-duty, off-site conduct.

Can you prevent employees from saying bad things about the company?

An injunction acts as a prior restraint on speech. [See: Bynog v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]

It is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]

If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.

Protect your IP

You want to be careful about how employees are using your logo or other intellectual property on their own sites.

Materials

They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck

Supreme Court to Hear Case on Employer Access to Worker Messages

How much privacy do workers have when they send text messages from company accounts?

Users of text-messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network, 9th Circuit Judge Kim Wardlaw said in Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (9th Cir. 2008).

In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

Supreme Court

The U.S. Supreme Court agreed to hear an appeal of the case: City of Ontario, California, et al., Petitioners v. Jeff Quon, et al. (08-1332). The Justices could add some new law to the ability of companies to monitor and access their employees’ use of a company’s computer system.

Limitations

Although it sounds interesting, the case has some limitations that will likely make the decision underwhelming. The employees at issue are government employees, so the Constitution is implicated. You don’t have this issue with private employees. Second, the governmental employer accessed the information from the third party provider of the text-messaging system. The information was not on the government’s computer system itself. Third, the governmental employer did not have a clear policy on the use of the equipment and whether the messages were private or accessible by the government employer.

Background

The case originated when police officers claimed their rights were violated when messages on department devices were read by their chief. Quon and the other officers had signed a statement declaring “users should have no expectation of privacy or confidentiality” when using devices furnished by the city. But shortly after text pagers were distributed, the officers were told by a supervisor they could use them to send messages, as long as they paid for messages that exceeded the monthly limit. It was understood that some of these messages would be personal and unrelated to police work. When the police chief learned that some officers were regularly exceeding the monthly limit, he asked for an audit and read the messages.

After Quon and the other officers learned their messages had been read, they sued. They lost in the Los Angeles Federal District Court, but won in front of the 9th Circuit.

Policies for Private Use of Company Computer Systems and Mobile Devices

Mark E. Schreiber and Barbara A. Lee published an article on the New Liabilities and Policies for Incidental Private Use of Company Electronic Systems and PDAs.

The discussion in the article comes from the decision in Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (9th Cir. 2008). In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

The authors point out that the decision in Quon deals with constitutional questions involving government employees. The same positions may not be true for non-government employees. But there are still lessons to be learned:

  • Policies regarding employee use of email, internet access, and mobile devices should be clear that employees have no expectation of privacy.
  • Policies should make it clear that employees can expect their use of computer systems and devices, including personal use and messages, to be subject to monitoring and access by the employer with or without notice.
  • Carefully draft service agreements to comply in advance with the SCA and other wiretap type statutes with “consent” language.
  • Update subpoena and document response policies and protocols to comply with the SCA and, if the company operates internationally, foreign laws.