Recent 9th Circuit Ruling Highlights the Importance of Employee Policies Regarding Electronic Communications
By Dino Tsibouris & Mehmet Munur
The 9th Circuit Court recently ruled that the unauthorized search of employee text messages on an employer provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy. The case demonstrates the need to revise some of the nation’s privacy laws as well as the attention employers need the pay to the drafting and enforcement of their privacy policies.
The case arose from Ontario Police Department’s review of text messages by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make it more efficient for dispatchers. In October 2001, the city contracted Arch Wireless to provide the service and each pager was allotted 25,000 characters per month. When Quon and others went over the allotted character limit, they paid for their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related.
Then in August 2002, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal use. To this end, city officials requested the transcripts from Arch Wireless who sent the transcripts to the City after determining from its records that the pagers actually belonged to the City. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.
As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communication Act (“SCA”) and the Fourth Amendment, among others. The district court dismissed the claims against Arch Wireless under the SCA but decided that the Fourth Amendment claims should go to a jury. The district court ruled against the plaintiffs on the SCA claim concluding that Arch Wireless was a Remote Computing Service (“RCS”) under the SCA instead of an Electronic Communication Service (“ECS”). Arch Wireless, as an RCS, could release transcripts of the text messages without the consent of the subscriber. Under the facts of this case, the City was the subscriber and had consented to the release of the transcripts. Therefore, Arch Wireless could not be liable. The 9th Circuit disagreed. Arch Wireless was an ECS and it required the consent of the addressee or the intended recipient in order to disclose the transcripts, neither of which it had obtained. The 9th Circuit reversed the district court on the SCA claim.
Both courts had to interpret the archaic and convoluted language of the SCA that Congress passed as a part of the Electronic Communications Privacy Act of 1986 (“ECPA”). Neither text messages nor emails were in existence at the time. Both courts used legislative history and congressional reports yet came to different results. This is yet another case in a long line of cases that suggests that the legislation on electronic communication needs to be rewritten because unforeseeable results make compliance difficult for corporations.
The case also demonstrates the importance of the reasonable expectation of privacy in electronic communications. Both the 9th Circuit and the district court declined to award summary judgment to the City on the issue of the Fourth Amendment violations. Both courts agreed that a jury might find that Quon had a reasonable expectation of privacy in the text messages he sent from the pager. Both courts noted several factors that would make Quon’s expectation of privacy unreasonable. First, the Ontario Police Department’s Computer Usage Policy, which Quon signed, required equipment to be used for business purposes. Second, Quon attended a meeting where he was specifically told that the policies applied to the pagers. Third, the pager was owned by the Police Department. If that were all, the 9th Circuit noted, the outcome would be very similar to other cases where the employee was specifically cautioned against any privacy. However, several other factors made his expectation of privacy reasonable. First, the officers in charge of collecting the bills had made it clear to the plaintiffs that the text messages would not be audited so long as they agreed to pay for the overages. Second, the City in fact did not audit the messages when the employees paid their overages. Further, the 9th Circuit ruled that the expectation could be reasonable despite the fact that the oral declaration was made by someone not in charge of policymaking. Both courts declined to award the City summary judgment on the reasonableness of Quon’s privacy expectation.
In essence, any employer who has a written policy against any expectation of privacy in computer, email, or telephone use may contradict their behavior and create a reasonable expectation of privacy in employee communications simply by not uniformly enforcing their policies or by acting counter to their policies. If the employees have not consented, and none of the other exceptions in the ECPA apply, then an employer may be liable to the employee for invasion of his privacy.
In comparison, courts usually allow a greater expectation of privacy for personal email accounts on websites—such as Yahoo, Google, or Hotmail accounts—accessed through employer-owned equipment compared to business email accounts owned and operated by the employer. However, even such personal email accounts may be subject to monitoring if the employer properly informs the employee. In NERA v. Evans, the employer, NERA, searched Evans’ company-owned laptop’s hard-drive after he left employment and found images of Evans’ personal emails. Evans had deleted his personal files and defragmented his hard-drive mistakenly believing that it would remove any traces of his personal files. While the court noted that such emails could not be retrieved by an average computer user simply by browsing the computer’s hard-drive, it could be retrieved by a specialist. The court ruled against the employer despite NERA’s written policies stating that a log of network activity would be kept and that network administrators could read emails. The court required the employer to be more specific. The policy did not state that contents of personal email accounts would be monitored or that NERA could retrieve them from the hard-drive. Therefore, the court concluded that Evans’ expectation of privacy was reasonable under the circumstances.
Another case currently in litigation merges the issues in Evans and Quon and illustrates the importance of properly drafting and enforcing privacy policies. In Sidell v. Structured Settlement Investments, the plaintiff alleged that his employer continued reading his personal Yahoo email after he was fired because Sidell had left the email account logged-on. Sidell made allegations under the ECPA similar to the ones between Quon and Arch Wireless. Sidell further alleged that the employer used the email account to monitor Sidell’s communications with his attorney. The employer defends that they suspected Sidell of emailing trade secrets to his personal email account. Depending on how explicit Structured Settlement Investments’ policies were and whether Sidell was in fact emailing himself trade secrets, the employer could be liable under the ECPA. Regardless of how the case turns out it is likely to demonstrate at least one very important point: employers must caution their managers from snooping on their employees’ emails without consulting in-house counsel.
These electronic communication cases will certainly influence how employers and corporations involved in electronic communications act in the future. Surely, Arch Wireless will work to improve its handling of text message transcript requests where the subscriber is different than the addressee or the intended recipient. Moreover, employers may have to both revise their policies so that they describe their intended actions more accurately and enforce these policies uniformly to assure that they hold up in court.
The cases are Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (2006); Quon v. Arch Wireless Operating Co., 529 F.3d 892 (2008); and National Economic Research Associates, Inc. v. Evans, No. 04-2618-BLS2 (Sup. Ct. Mass. Aug. 3, (2006).
The 9th Circuit Court recently ruled that the unauthorized search of employee text messages on an employer provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy. The case demonstrates the need to revise some of the nation’s privacy laws as well as the attention employers need the pay to the drafting and enforcement of their privacy policies.
The case arose from Ontario Police Department’s review of text messages by a member of its SWAT team, Jeff Quon. The Police Department provided its employees with two-way text messaging pagers in order to make it more efficient for dispatchers. In October 2001, the city contracted Arch Wireless to provide the service and each pager was allotted 25,000 characters per month. When Quon and others went over the allotted character limit, they paid for their overage charges. An understanding formed between the employees and their supervisors that the employees would have to pay the charges unless they wanted their text messages audited to determine whether the use was personal or business related.
Then in August 2002, Lieutenant Duke got tired of collecting bills and decided that the text messages should be audited to determine whether they were being used for business or personal use. To this end, city officials requested the transcripts from Arch Wireless who sent the transcripts to the City after determining from its records that the pagers actually belonged to the City. A review of the transcripts by the city officials showed that some of the text messages were personal. This resulted in an internal investigation to determine whether the pagers were being used during work hours for personal use.
As a result of this investigation, Sergeant Quon and four other officers filed a complaint against the Chief of Police, the City of Ontario, and Arch Wireless under the Stored Communication Act (“SCA”) and the Fourth Amendment, among others. The district court dismissed the claims against Arch Wireless under the SCA but decided that the Fourth Amendment claims should go to a jury. The district court ruled against the plaintiffs on the SCA claim concluding that Arch Wireless was a Remote Computing Service (“RCS”) under the SCA instead of an Electronic Communication Service (“ECS”). Arch Wireless, as an RCS, could release transcripts of the text messages without the consent of the subscriber. Under the facts of this case, the City was the subscriber and had consented to the release of the transcripts. Therefore, Arch Wireless could not be liable. The 9th Circuit disagreed. Arch Wireless was an ECS and it required the consent of the addressee or the intended recipient in order to disclose the transcripts, neither of which it had obtained. The 9th Circuit reversed the district court on the SCA claim.
Both courts had to interpret the archaic and convoluted language of the SCA that Congress passed as a part of the Electronic Communications Privacy Act of 1986 (“ECPA”). Neither text messages nor emails were in existence at the time. Both courts used legislative history and congressional reports yet came to different results. This is yet another case in a long line of cases that suggests that the legislation on electronic communication needs to be rewritten because unforeseeable results make compliance difficult for corporations.
The case also demonstrates the importance of the reasonable expectation of privacy in electronic communications. Both the 9th Circuit and the district court declined to award summary judgment to the City on the issue of the Fourth Amendment violations. Both courts agreed that a jury might find that Quon had a reasonable expectation of privacy in the text messages he sent from the pager. Both courts noted several factors that would make Quon’s expectation of privacy unreasonable. First, the Ontario Police Department’s Computer Usage Policy, which Quon signed, required equipment to be used for business purposes. Second, Quon attended a meeting where he was specifically told that the policies applied to the pagers. Third, the pager was owned by the Police Department. If that were all, the 9th Circuit noted, the outcome would be very similar to other cases where the employee was specifically cautioned against any privacy. However, several other factors made his expectation of privacy reasonable. First, the officers in charge of collecting the bills had made it clear to the plaintiffs that the text messages would not be audited so long as they agreed to pay for the overages. Second, the City in fact did not audit the messages when the employees paid their overages. Further, the 9th Circuit ruled that the expectation could be reasonable despite the fact that the oral declaration was made by someone not in charge of policymaking. Both courts declined to award the City summary judgment on the reasonableness of Quon’s privacy expectation.
In essence, any employer who has a written policy against any expectation of privacy in computer, email, or telephone use may contradict their behavior and create a reasonable expectation of privacy in employee communications simply by not uniformly enforcing their policies or by acting counter to their policies. If the employees have not consented, and none of the other exceptions in the ECPA apply, then an employer may be liable to the employee for invasion of his privacy.
In comparison, courts usually allow a greater expectation of privacy for personal email accounts on websites—such as Yahoo, Google, or Hotmail accounts—accessed through employer-owned equipment compared to business email accounts owned and operated by the employer. However, even such personal email accounts may be subject to monitoring if the employer properly informs the employee. In NERA v. Evans, the employer, NERA, searched Evans’ company-owned laptop’s hard-drive after he left employment and found images of Evans’ personal emails. Evans had deleted his personal files and defragmented his hard-drive mistakenly believing that it would remove any traces of his personal files. While the court noted that such emails could not be retrieved by an average computer user simply by browsing the computer’s hard-drive, it could be retrieved by a specialist. The court ruled against the employer despite NERA’s written policies stating that a log of network activity would be kept and that network administrators could read emails. The court required the employer to be more specific. The policy did not state that contents of personal email accounts would be monitored or that NERA could retrieve them from the hard-drive. Therefore, the court concluded that Evans’ expectation of privacy was reasonable under the circumstances.
Another case currently in litigation merges the issues in Evans and Quon and illustrates the importance of properly drafting and enforcing privacy policies. In Sidell v. Structured Settlement Investments, the plaintiff alleged that his employer continued reading his personal Yahoo email after he was fired because Sidell had left the email account logged-on. Sidell made allegations under the ECPA similar to the ones between Quon and Arch Wireless. Sidell further alleged that the employer used the email account to monitor Sidell’s communications with his attorney. The employer defends that they suspected Sidell of emailing trade secrets to his personal email account. Depending on how explicit Structured Settlement Investments’ policies were and whether Sidell was in fact emailing himself trade secrets, the employer could be liable under the ECPA. Regardless of how the case turns out it is likely to demonstrate at least one very important point: employers must caution their managers from snooping on their employees’ emails without consulting in-house counsel.
These electronic communication cases will certainly influence how employers and corporations involved in electronic communications act in the future. Surely, Arch Wireless will work to improve its handling of text message transcript requests where the subscriber is different than the addressee or the intended recipient. Moreover, employers may have to both revise their policies so that they describe their intended actions more accurately and enforce these policies uniformly to assure that they hold up in court.
The cases are Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (2006); Quon v. Arch Wireless Operating Co., 529 F.3d 892 (2008); and National Economic Research Associates, Inc. v. Evans, No. 04-2618-BLS2 (Sup. Ct. Mass. Aug. 3, (2006).
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home