Consider this scenario: your company purchases and distributes BlackBerries to its employees. The devices operate on the company's service plan with a third-party provider. A few months later, a female employee complains that a male employee has been sending her and other female employees harassing, offensive messages from his BlackBerry. You review the content of the male employee's BlackBerry and confirm that he has been using the device to send inappropriate material to his co-workers. Accordingly, you initiate disciplinary proceedings and inform him that his misconduct will result in a negative review in his file. A few weeks later, you are served with a complaint alleging your review of "his" BlackBerry - which is owned by your company and issued on the company's service plan - constitutes an improper invasion of his privacy.
Does this sound far-fetched? A recent Ninth Circuit decision makes clear that this is reality and far more likely to be an issue for corporate employers today given the prevalence of electronic communications in the workplace.
Recent Developments In The Law
In Quon v. Arch Wireless Operating Company, Inc. , 2008 WL 2440559 (9th Cir. June 18, 2008), an employer contracted for wireless text messaging services for two-way pagers, which the employer then distributed to its employees. One employee repeatedly exceeded the monthly text message allotment on his pager, resulting in overage charges. The employer suspected that the overages resulted from the use of the pager to send personal messages. Although the employer had suggested that its official policy banning personal use of employer-owned computers also applied to the pagers, there was no formal policy. Instead, the employer's informal policy was that employees who exceeded their monthly text message allotment could avoid an audit of their messages if they paid the employer for any overages.
Although the employee paid for the overages in accordance with the informal policy, the employer eventually obtained transcripts of the text messages from the wireless provider to determine the cause of the constant overages. A review of the content of the messages revealed that the overages were, in fact, attributable to personal messages. The employee filed a lawsuit against the employer alleging, inter alia , a violation of his Fourth Amendment right to privacy in the content of the messages.
The Ninth Circuit determined that the employee had a reasonable expectation of privacy because of the employer's informal policy of foregoing an audit if the employee paid for any overages, despite the fact that the employer owned the pager and paid for the wireless services. Additionally, the court held that the employer should not have been permitted to obtain transcripts of the messages from the service provider since the federal Stored Communications Act1 only permits the sender and addressee of the messages to view their content, regardless of who contracts for the service.
Why Is This Important To Employers?
Employers need to stay abreast of developments in employees' privacy expectations and rights in electronic communications to avoid situations like that in Quon . An employer may need to monitor or access its employees' electronic communications for many reasons, including:
• Investigating employee misconduct, including sexual harassment and racial discrimination;
• Preventing misappropriation of business and trade secrets;
• Discouraging employee use of company time and resources to conduct personal business; and
• Protecting against insider trading and other illegal activities for which an employer may have liability.
Indeed, while it is beyond the scope of this article, many of these issues will also arise in the discovery context in litigation, and employers should be aware of the scope of information that they may be required to access, review, and produce, especially under the aegis of the federal e-discovery obligations.
What Can Employers Do To Protect Themselves?
Although wireless devices and such communications technology as text messaging and instant messages are still relatively new areas for legal analysis and regulation, precedent developed in the more established areas of workplace computers and e-mail is instructive. Courts have examined the following factors when determining whether an employee has a reasonable expectation of privacy in his e-mail and other communications on employer-owned devices:
• Whether the employer maintains a policy banning personal or other objectionable use;
• Whether the employer monitors the use of the employee's computer or e-mail;
• Whether third parties have a right of access to the computer or e-mails; and
• Whether the employer notified the employee, or if the employee was otherwise aware, of the employer's computer use and monitoring policies.2
These factors can translate into everyday workplace policies and procedures in a number of ways. Employers who wish to maintain access to their employees' electronic communications should effect an explicit ban on the personal use of computers, e-mails, and other company-issued devices and specifically indicate that company-issued devices are subject to monitoring, search, and review. Ways to accomplish this include articulating company policy in employee handbooks, requiring employees to periodically sign written acknowledgements of the company's policy, and even implementing an automatic prompt at log-in on the device requiring employees to acknowledge that they have no expectation of privacy in the use of the system and that the system is subject to inspection by the employer at any time.
Equally important, as seen in Quon , is ensuring that the company and its management act consistently with the articulated ban on personal use and policy of regular monitoring, search, and review, including prohibiting any conflicting informal policies. This can be accomplished by implementing a regular back-up of electronic files, including e-mails, to a back-up drive accessible by supervisors, and informing employees of this. Companies that regularly deal with highly sensitive information, such as the development of advanced technology, may even want to consider implementing routine searches of office computers and electronic files to further diminish employees' expectation of privacy.
Employers who adhere toclear policies regarding their employees' lack of expectation of privacy in electronic communications can further protect their ability to access such communications by keeping any review as narrowly tailored and as minimally invasive as possible. Courts have found that employers who properly informed their employees of company policies regarding electronic communications did not invade their employees' privacy when reviewing electronic materials under the following scenarios:
• Where the employer demonstrated that it had a legitimate business interest in reviewing the electronic communications, such as a desire to protect its confidential information or to ensure that the employee in question was not engaging in unauthorized activity that would harm the employer.3
• Where a review of the electronic communications and computer files was done remotely and was limited to materials accessible from and available on the employer's server, even in instances where the items on the server included e-mails saved from the employee's personal e-mail account, were saved in folders that the employee had designated "private," or were password-protected by the employee.4
• Where a review of computer files was conducted on a former employee's company-issued laptop that the employee believed he/she had the option to purchase upon termination, and the review was conducted by a single person and did not include a search for or audit of the employee's personal e-mail account, information, or pictures.5
The Stored Communications Act
As use of wireless devices, text messaging, and other forms of electronic communication becomes more widespread in the workplace, it is important for employers to keep themselves apprised of their rights in monitoring such communications. The Stored Communications Act ("SCA") prevents a provider of communications services from disclosing the content of correspondence sent and received through its servers to anyone except the sender and the addressee. As a result, employers who contract and pay for BlackBerry or cell phone service for their employees may not be entitled to request transcripts of their employees' communications over those devices from the service providers.6
Although the SCA provides that employers are not entitled to review the content of text messages, they nevertheless can discourage personal use of these services by implementing a clear, consistent company policy prohibiting using the devices for personal, offensive, or other inappropriate purposes. A possible additional safeguard might be to require employees to sign a written waiver of any expectation of privacy in their electronic communications on such devices and even sign agreements permitting employers access to the provider's records for those accounts.
Conclusion
As more and more companies rely on mobile e-mail and text messaging in their daily business, employers must remain current on the law and educate themselves about how to preserve their ability to monitor electronic communications. Although such safeguards may at first glance seem unnecessary or excessive, the reality is that employers have a compelling interest in preventing employee misconduct, misappropriation of proprietary information, and misuse of company time and resources. Taking a few simple steps to help your employees understand that their communications on company-provided equipment are not private and are subject to your review will ensure that the electronic services you provide to your employees will help your company, not harm it.
1 18 U.S.C. § 2701 et seq .
2See In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005); Curto v. Medical World Communications, Inc . , 2006 WL 1318387 (E.D.N.Y. May 15, 2006); Sprenger v. Rector and Bd. of Visitors of Virginia Tech , 2008 WL 2465236 (W.D.Va. June 17, 2008).
3See Hilderman v. Enea TekSci, Inc., 551 F.Supp.2d 1183 (S.D.Cal. 2008).
4See Thygeson v. U.S. Bancorp . , 2004 WL 2066746 (D.Or. Sept. 15, 2004); McClaren v. Microsoft Corp . , 1999 WL 339015 (Tex. Ct. App. May 28, 1999).
5Hilderman, supra .
6 This prohibition depends on the exact technology being used (e.g., does the company use a BlackBerry Enterprise Server?) and whether the communications at issue run through the company's servers in any way.
Published September 1, 2008.