• About Us
  • Executive Team
  • Careers at eMag
  • Facilities
  • Quality
  • Our Customers
  • About Patriarch
• Law Firms
  • Electronic Discovery Solutions
  • General Data Services
• Corporations
  • Corporate Counsel
  • Information Technology
  • General Corporate Risk
• Government
• Partners
  • eMag Partner First Program
  • Partner FAQs
  • Become an eMag Partner
• Services
  • Electronic Discovery Preparedness Consulting
  • Data Restoration
  • Data Conversion
  • E-Mail Processing
  • Electronic Discovery Processing
  • Data Recovery
  • Computer Forensics
  • Enterprise Content Management Optimization
  • Departing Employee Data Capture Program
  • Data Culling
  • Other Services
• Products
  • eMag PreVu
  • MediaMerge/PC
  • MediaMerge/UNIX
  • Tape Management System
  • Software Support
• News & Events
  • Trade Show and Events
  • Newsletters
  • Whitepapers and Legal Resources
  • Education
  • The eMag Blog
  • eMag On Twitter
• Contact Us

Return to Home

eMag Newsletter Articles

February Edition

View our newsletter archives
 

'SEXTING' CASE SHOULD PROMPT REVIEW OF EMPLOYEE PRIVACY POLICY
Social Media Policy: In House Counsel's Take on 140 Characters & Other Social Media Outlets
New Massachusetts data protection law mandates IT compliance

'SEXTING' CASE SHOULD PROMPT REVIEW OF EMPLOYEE PRIVACY POLICY

This term the U.S. Supreme Court will hear a racy "sexting" case that experts say could broadly affect employee privacy rights and employer policies on computer use. The case, City of Ontario v. Quon, and the trial court case it stems from, raise issues about how employers monitor, store and retrieve electronic messages; how they contract with their Internet service providers (ISPs) and even about whether they should issue message-sending devices. At its most influential, Ontario v. Quon could give the Court a platform for sorting out privacy rights in the Internet age -- an age when the boundaries between work and personal life are blurring.

For now, and no matter how the Court rules, privacy and legal experts say the case should prompt chief information officers and compliance officers to make certain their computer use policies and employee privacy policies are communicated clearly and often -- and are strictly adhered to by management.

One key reason to follow this case closely is that too many companies today do not pay enough attention to their document retention policies or their computer use policies.

Quon v. Arch Wireless

The Supreme Court case stems from the U.S. Court of Appeals for the 9th Circuit case, Quon v. Arch Wireless Operating Co. Sgt. Jeff Quon, a member of the Ontario, Calif., police department's SWAT team, successfully sued the city of Ontario and Arch Wireless, its wireless messaging service provider, for violating his privacy rights after supervisors viewed personal text messages Quon had sent on a city-issued two-way alphanumeric pager. Among the messages were texts to his wife and to his mistress, some of them sexually explicit. (His wife joined him in the suit.)

The issue before the Supreme Court is whether police officials violated Fourth Amendment protections for a government employee by reviewing those personal text messages.

At first, Quon's case against the city did not seem all that strong. The pager belonged to his employer. His employer, although lacking a policy explicitly regarding pager use, did have a computer use policy, signed by Quon. That "Computer Usage, Internet and E-mail Policy" stated that the use of computer tools and systems for personal benefit "is a significant violation" of city policy. It also stated that all access to the Internet was recorded and that the city reserved the right "to monitor and log all network activity including e-mail and Internet use, with or without notice."

Reasonable expectation of privacy

The plaintiffs, however, argued that the disjunction between written policy and day-to-day reality gave Quon a "reasonable expectation of privacy." Under its contract with Arch Wireless, the city was required to pay overage charges on pagers that exceeded 25,000 characters. When members of the SWAT team exceeded that limit on their pagers, they wrote checks to their supervisor to cover the overages, with the understanding -- according to the lawsuit -- that the supervisor didn't care if that torrent of characters included some personal communications.

After a year or so of this practice, however, the team supervisor told his superiors he was tired of playing bill collector for these overages, prompting an official audit of the messages from chronic offenders, Quon being one. The city requested the stored text messages from a support specialist at Arch Wireless, who turned them over without notifying Quon. At least three people, including the police chief, read Quon's messages.

The trial court held that Arch Wireless, by disclosing messages to people who were not the "addressees or intended recipients, had violated the Stored Wired and Electronic Communications Act (SCA). The Supreme Court has refused to hear Arch Wireless's appeal.

As for Quon's privacy expectations, the original jury found in favor of the city, saying that the city's computer use policy allowed the police department to review the text messages. On appeal, the 9th Circuit reversed the finding, holding that the city's actions violated a government employee's Fourth Amendment protection against unreasonable search and seizure. The Supreme Court agreed to hear the city's part of the case (search and seizure, privacy) but not the case against Arch.

Updating computer use policies

Christine Lyon, a partner at Morrison & Foerster LLP who focuses on privacy and employment law, said the Quon v. Arch Wireless case raises many interesting issues. "But the most interesting and important one was the idea that even if an employer had a very clear policy that the employees signed off on -- the employer has the right to look at all your messages; you have no expectation of privacy -- this could be undermined by a manager saying something to the contrary," Lyon said in an interview from Morrison's Palo Alto offices.

That aspect alarmed California employers, but the issue could come up in other states as well, Lyon said, because the case rests on whether the employee could have a reasonable expectation of privacy in the workplace. The usual view on how to avoid a reasonable expectation of privacy is to have a good written policy.

"The takeaway point, and what we have been advising clients, is that it is not enough to rely on having a written policy somewhere in your handbook or somewhere on your Internet. Companies actually need to make sure that the policy is communicated clearly to employees and that managers are being consistent in how they are communicating it too," Lyon said.

In addition, Lyon cautions clients not to be lulled into complacency because the case addresses the Fourth Amendment privacy rights of a government employee, not a private sector employee. The 9th Circuit applied the same analysis to the Fourth Amendment claim and to the claim under California law, so there are many potential implications for California employers, she said. And while courts in other states would not have to follow the findings, employees bringing claims in other states could cite the case, relying on common law to make the link.

ISPs gun-shy

The other fallout for employers, Lyon said, concerns the case against Arch Wireless. Although the Supreme Court is focusing on the employee's privacy rights issue, the lower courts' ruling against Arch Wireless for giving up those messages without the employee's consent sent a message to ISPs.

"What that means for employers is that if they are using a third party to maintain their messages, they are going to have a hard time getting providers to give you those messages, because the Quon case was a real alarm to those providers," Lyon said.

Finally, some experts believe this case could usher in a new era where employees, as they do in other countries, have an intrinsic right to workplace privacy. Gartner's Bace said that if the Supreme Court interprets narrowly, it's basically "life as normal" for employers, provided they update and enforce employee privacy rights.

"But if they start looking at expectations of privacy in the workplace, companies are going to have to be very careful about how they state those policies and how they enforce them. We may be moving towards the environment we find in Europe under the Data Protection Directive."

 

Back to top

Social Media Policy: In House Counsel's Take on 140 Characters & Other Social Media Outlets

Companies want to be seen and heard in multimedia. And while that may inspire corporate Twitter and Facebook accounts, they may have questions regarding liability implications of social media. And that's where you come in, esteemed corporate counsel. How do you advise your organization or company on creating a social media policy?

Here are some questions to help frame your discussion with the execs:

Is a written social media policy necessary?

Would a policy be in response to an incident or questionable use of social media, or is it forward-looking, aimed to outline best practices for social media usage in a company setting or for employees. You should consider how social media has been used in the past and the specific types of uses that could pose concern for the company. Even if there is no immediate concern, it may still be useful to draft a simple plan to guide online engagement.

What are major considerations in drafting a social media policy?

Consider any industry-specific or company-specific concerns that a policy could address. Lawsuits that have arisen thus far have commonly involved some form of defamation.

Who would a social media policy apply to?

Even though only a handful of the company's marketing or PR professionals may be responsible for official social media attempts, the reality is that many of the company's employees may be active social media users in their personal lives. And while their personal lives are very much their own, what they say about the company could be of company concern. Though the company may be tempted to issue a policy specifically on the company's social media team, you may want to introduce the idea of a broad company-wide policy.

Don't take our word for it: examples of social media policies:

Social media is not the new kid on the block anymore. And the good thing about that is that corporate counsel and executives can see how other organizations and companies have drafted policies. Here are a few to keep your discussion going...

A two-word corporate blogging policy (GruntledEmployees.com)
Walmart's Twitter Policy (Walmart.com)
IBM Social Computing Guidelines (IBM.com)
Remember, "refresh" is possible.

In-house counsel may feel like they are putting a damper on the social media excitement in discussing, drafting, and facilitating implementation of a social media policy, however the benefit to the company can be enormous. And one tool that in-house counsel has in its toolbox is the ability to update policy as needed. A good Twitter policy can outline general best practices, guide "do" and "don't" conduct, but will also allow for interpretation to cover unforeseeable circumstances. And, it will make updates and addendums seamless.

So, while it may not be necessary to dig a moat between employees and social media sites such as Twitter, prudent in-house counsel will encourage meaningful discussion regarding creating a policy to protect the company and its employees.

 

Back to top

New Massachusetts data protection law mandates IT compliance

A new Massachusetts data protection law is one of the most comprehensive in the world. 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, addresses what businesses need to know and what IT compliance means in the context of the regulation.

The law was originally set to take effect Jan. 1. Given the macroeconomic climate that the state has endured during the past four months, however, the deadline for compliance with the Massachusetts data protection and encryption law was extended to May 1 and then again to January 1, 2010.

Encryption of personally identifiable information on portable devices like laptops, personal digital assistants, smartphones and flash drives must also be completed by Jan. 1, according to the Massachusetts Office of Consumer Affairs and Business Regulation.

The new law states that "Every person that owns, licenses, stores or maintains personal information about a resident of the commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

After Jan. 1, the new regulation mandates data protection standards that must be met by all persons who own, license, store or maintain personal information about a resident of the commonwealth of Massachusetts. The law is meant to protect against anticipated threats or hazards to the security or integrity of such information, and against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

The broad parameters of the law include secure user authentication protocols, secure access control measures, encyrption on all networks where data is transmitted wirelessly, monitoring encryption of portable devices, firewall protection of databases containing PII, systems security software and education and training. As the state has noted, this law applies to huge enterprises, like EMC, all the way down to mom-and-pop coffee shops and other small businesses that may have wireless networks and take credit cards.

In the meantime, it may be smart to encrypt data now, ahead of the new data protection law, as its regulations indicate that the personal identifiable information (PII) must be protected where ever it resides.

 

Back to top

This article may be re-published as long as the following resource box is included at the end of the article and as long as you link to the email address and the URL mentioned in the resource box:

Article by eMag Solutions. For more articles on eDiscovery and Data Restoration, subscribe to our e-mail Newsletter by sending a blank email to newsletter@emaglink.com or by going to http://www.emaglink.com.