Privacy in the Workplace

April 29th, 2009

<!–[if gte mso 9]> Normal.dotm 0 0 1 701 3931 University of California, Berkeley 80 17 4913 12.0 <![endif]–><!–[if gte mso 9]> 0 false 18 pt 18 pt 0 0 false false false <![endif]–><!–[if gte mso 9]> <![endif]–>

Jane Doe v XYC Corp (2005)

Overview of the Facts

An Employee of XYC Corporation repeatedly accessed ‘pornographic websites’, including child pornography using his work computer, and some of these incidents were reported to the management. Several of the reports were initially ignored, before the Employee was instructed to stop his misconduct and ‘non-business’ use of company computing and network infrastructure. However this did not result in the Employee permanently refraining from accessing pornographic material at the work site.

The Employee uploaded three nude and semi-nude images of his 10-year-old step daughter (Jill Doe) to gain access to a pornographic website. He had been secretly videotaping and photographing Jill at their home. Photographs of Jill found in a dumpster outside XYC corporation led to the Employees arrest. It was found that he had downloaded several pornographic photos on the work computer, had email correspondences and interactions with various websites regarding child pornography.

Major Issues Discussed

Plaintiff Jane Doe on behalf of her daughter Jill Doe appealed the decision to dismiss the XYC Corporation of its responsibility to monitor and report activities of the Employee, which would have helped to contain the harm to Jill Doe.

The initial summary judgment had dismissed XYC corporation on the grounds that it “had acted as a reasonably prudent corporation” by instructing the Employee to stop the misconduct. The corporation did not have a duty to invade the privacy of the Employee and also because the harm to the plaintiff (Jill Doe) was not inflicted on XYC Corporations property.

These dismissals are reversed by the appellate court, after an extended discussion of issues concerning

<!–[if !supportLists]–>a. <!–[endif]–>ability of XYC corporation to monitor the Employees activities

<!–[if !supportLists]–>b. <!–[endif]–>right of the corporation to monitor the said communications of the Employee

<!–[if !supportLists]–>c. <!–[endif]–>duty of the corporation to know about the activities regarding child pornography

<!–[if !supportLists]–>d. <!–[endif]–>duty to take action to prevent the continuation of the Employee’s activities. and

<!–[if !supportLists]–>e. <!–[endif]–>the harm to Jill, as a failure for the XYC corporation to act appropriately.

The court established the XYC Corporation did have the ability, and did monitor its Employee’s Internet activities, and on several occasions was aware of him surfing pornographic web sites, including those that concerned child pornography. XYC had clearly mentioned that communications and computer use was monitored and cannot be considered to be ‘private communications’, and that the Employee and no reasonable expectation of privacy.

In relation to the duty of XYC to take action to prevent the Employee’s actions, the court highlighted issues relating to a) Employee’s use of equipment owned by XYC for transmitting the images, b) the clear direction to report suspected ‘activities relating to material involving the sexual exploitation of minors’ as part of the Protection of Children from Sexual Predators Act of 1998. The court discussed the applicability of Restatement (Second) of Torts § 317 to computer equipment and Internet use, that have implications for how much Employers are responsible for their Employee’s activities, which bring harm to third parties.

The court found that § 317 was applicable because of the special relationship between the XYC Corporation and the Employee (employer-employee). XYC had ignored the information it had about the actions of the Employee. By investigating the employee, the employer would have discovered that the employee was involved with child pornography that posed threat to others, including (but not necessarily) Jill. This was only a possible action, and the court mentions that the establishment of a proximate cause presents a contested issue for a jury. However the court also stated that the assessment of ‘harm to plaintiff’ is outside of the scope of the current record, and remanded the case.

Some Implications for Employers

Employers need to monitor and assess Internet and computer usage, and take affirmative action and investigate to prevent harm to a third party. There should be clear policies that specify what communications can and which are not monitored, to shield against liabilities involving employee actions. In view of the Doe vs. XYC monitoring and privacy policies of corporations determine which communications are seen as private communications in court, and may affect the liability of an organization. “This case might (even) suggest that an employer’s strict orders regarding Internet policies provide little protection against liability if the employer knows of its employee’s illegal behavior.” (Johnson, Jamila. 2007). A widespread citing of the ruling could possibility have the effect of limiting monitoring and create greater privacy of employees at work.

Related Sources

Tort Law Overview [link]

§ 2252. Certain activities relating to material involving the sexual exploitation of minors [link]

Employee Internet Misuse: How Failing to Investigate Pornography May Lead to Tort Liability [link]

Quon vs. Arch Wireless

Overview

Quon, a member of the Ontario, CA police department, used a city issued two-way pager to send and receive text messages. The City had a computer and Internet policy that did not explicitly cover text messages, but suggested it reserved the right to audit messages. Quon repeatedly exceeded a known monthly character limit and, after a fourth violation, transcripts of his messages were given, without warning or his consent, to the city of Ontario by Arch Wireless. Quon, along with three other Appellants with whom Quon exchanged messages, argued that the SCA and their fourth amendment rights were violated in the process. Determining whether or not Arch was, under the SCA, an electronic communications service (ECS) or a remote computing service (RCS), whether or not the Appellants had a reasonable expectation of privacy in their text messages, and whether or not the search by the Department was reasonable were key to the decisions made by both the District Court and the Court of Appeals.

The District Court determined that Arch was an RCS and not liable for revealing the text messages. A jury trial concluded that search was reasonable because the intent was to determine the efficacy of the character limitation and not to discover misconduct. The District Court also determined that there was a reasonable expectation of privacy due to the casual policy and practice for dealing with text messages and overages. Appellants filed a motion to amend or alter the judgment and motion for a new trial, which was denied by the district court.

The U.S. Court of Appeals, 9th circuit disagreed with the District Court and categorized Arch as an ECS. An ECS is “any service which provides to users thereof the ability to send or receive wire or electronic communication”, which describes the text messaging service. Additionally, the messages were held in “electronic storage” by Arch, but not at the request of the subscriber emphasizing that Arch was not providing an RCS storage service to Arch, but that the messages were stored as a result of the communication service.

An ECS cannot release stored content without the lawful consent of an addressee or intended recipient. The City is only a subscriber. Arch knowingly turned message transcripts over to the City. As an ECS, knowingly revealing message content violates the SCA 18 U.S.C. 2702(a)(1). The Court of Appeals judged in Appellants favor of their claims against Arch. The Court of Appeals also held that the Appellants had a reasonable expectation of privacy for the contents of their text messages because, for Quon, of the casual “operational reality” (if you paid your overages, your messages would not be viewed) and for the other Appellants because the contents of “messages” derive fourth amendment protection the same way the contents of a letter do.

The U.S. Court of Appeals, 9th circuit disagreed with the district court’s decision that the search was reasonable. While the intent was to evaluate the character limit and potentially help the employee, the search was “excessively intrusive”. There were other alternative approaches that the Department could have used to evaluate whether Quon’s overages were work related.

Issues

Quon v. Arch Wireless highlights problems that arise with new communication technologies and privacy. As evidenced by the Court of Appeals comparison of text message content to the content in letters, separation of delivery and content information can continue to be applied to new communication mechanisms providing protection for message content under the Fourth Amendment. The ruling also indicates that messages stored after retrieval as a result of an electronic communication are protected under the SCA requiring that law enforcement have a warrant and provide notice in order to gain access to stored electronic messages. This is a deviation from previous opinions that once a message is accessed it is no longer in electronic storage and it loses protection.

The case also draws attention to the problems that can arise when an employer distributes and makes use of a communication technology without a clear and explicit policy and practice around use and privacy.

Supplemental Resources

EFF [link] and Gigaom [link] analyze and comment on the opinion

Employee Monitoring: Is there Privacy in the Workplace?

The single word answer (based on the article) is NO. The article elucidates the kind and level of employee monitoring practices in the industry.

Two points are important to understand the domain of workplace monitoring.

1. New technologies make it possible for employers to monitor various aspects of the employee’s jobs. Most of the employers use these technologies to monitor employees in view of the increasing role of electronic evidence in lawsuits and investigations.

2. The monitoring is virtually unregulated and employees should have minimal expectation of privacy in the job environment. Most of the employers have established policies governing computer, telephone, internet, email usage and disclose their monitoring practices to the employees.

The monitoring practices can be varied and may depend on the technology being used.

1. Telephone monitoring: All telephone conversation done using the employer’s phone can be monitored by the employer and it can obtain all the details about any call made from the business phones. Some states require employer to provide clue to the employee whether their conversation is recorded or not.

2. Computer monitoring: Since the employer is the owner of computer network and terminals in the organization, he/she can use them to monitor employee activity. The monitoring can be informed or uninformed and can take the form of monitoring employees keystroke, active/idle time, hard disks, and internet/email usage.  In specific cases, the employees can be protected from electronic monitoring. For e.g. the fourth amendment of US constitution safeguards users from unreasonable search and monitoring.

3. Email and text messages: As is the case with telephone conversation, all email messages sent from or received by an employer’s computer is the property of the employer and can be monitored. All the messages can be archived and the employees should expect no privacy w.r.t. any email message (even if it is deleted by the employee). It is important to distinguish between email messages and text messages (sent or received on the employer-provided cell phone). The email messages are generally stored on company’s server while text messages are stored with a 3rd party (typically cell phone companies) and w.r.t. employer, the cell phone company acts as an electronic communication service (the employer does not directly pay the company to store text messages). The employer must have a warrant or employee’s permission to get text message data.

Overall, this factsheet encourages employees to be aware of the privacy policies of the employers to avoid any conflicts.

Posted by Mohit, Gopal, and Heather

Posted by Mohit Gupta Filed in Uncategorized
Comments Off

Comments are closed.