Employee Privacy Gains in the United States
2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.
Traditionally, in the U.S., employees have enjoyed little privacy in the workplace. With respect to workplace communications, for example, employees generally are deemed not to have “a reasonable expectation of privacy.” With some limitations, this allows employers to freely monitor and review employee communications. Employees in the U.S. often must abide by company rules that limit or prohibit personal use of workplace email and provide for monitoring of all employee electronic communications. Companies also may impose sanctions on employees for criticizing or disparaging the employer outside of work, including on social networking websites. In another example of limited workplace privacy, employers regularly obtain credit reports regarding job applicants or employees being considered for promotions. While obtaining a credit report for employment purposes requires the consent of the individual, applicants and employees often are reluctant to withhold consent for fear of compromising their chances of landing a job or a promotion. Many employers obtain credit reports regardless of whether financial considerations are relevant to the job.
The recent court decisions, laws and agency actions we recap in this blog post are changing the workplace privacy rules. Employers should consider these developments carefully in evaluating their human resources, information technology, electronic communications and other policies that affect employee privacy.
U.S. Supreme Court Offers Guidance on Employee Privacy in City of Ontario, California v. Quon
On June 17, 2010, the U.S. Supreme Court ruled in City of Ontario, California v. Quon that a police department did not violate an officer’s Fourth Amendment rights when the officer’s supervisor reviewed personal text messages the officer sent using a work-issued pager. The Court held that the search of the messages was reasonable, and did not resolve the question of whether the officer had “a reasonable expectation of privacy” in the text messages. The Court stated that it was reluctant to wade into employee privacy debate in light of the novelty of the issue, the implications of opining on emerging technology before its role in the society has become clear, and the risk of making a ruling that is not fully informed.
The Court, however, set out some of the issues it could have considered had it been inclined to make a ruling on the employee’s privacy expectations. The Court observed that in Quon a finding of an expectation of privacy in text messages could have been supported by the ubiquity of mobile communications that makes the communications essential or necessary instruments for self-expression, even self-identification. On the other hand, the Court suggested that the ubiquity of messaging devices also made them generally affordable, so that employees who need mobile devices for personal use can purchase and pay for their own. The Court observed that employee communications policies shape the reasonable expectations of their employees, especially when such policies are clearly communicated to the employees. The Court left open, however, the possibility that a supervisor’s statement guaranteeing the privacy of an employee’s communications, even if contrary to the company policy, may create an expectation of privacy in the communications by the employee. The court also noted the difference between an employer’s review of workplace communications vs. personal communications. Specifically, the Court observed that an audit of messages on an employer-provided device was not nearly as intrusive as a search of an employee’s personal email account or pager would have been.
Lower courts likely will look to the Supreme Court’s views on employee privacy in considering privacy claims. Likewise, employers should consider the Court’s discussion of employee privacy in developing and implementing employee monitoring policies. The key lessons for private employers from Quon are to (i) have a communications policy that is clear and comprehensive in scope and clearly communicated to employees; (ii) train management to follow company policies and not contradict them; (iii) when conducting a review of communications that might be inconsistent with the company’s electronic communications policy, ensure that there is a legitimate business reason for the review and be cautions to review only what is necessary; (iv) stay abreast of changes in privacy laws and relevant court decisions.
New Jersey Supreme Court Upholds Privacy Claims in Stengart v. Loving Care Agency, Inc.
Private employers should pay equal if not greater attention to many state court cases that have dealt with the issue of employee privacy. Unlike Quon, these state court decisions (as well as federal court decisions that apply state law) are directly applicable to private employers. In arguably the most important state decision on employee privacy of 2010, the New Jersey Supreme Court ruled, on March 30, 2010, for the former employee on the employee’s claim that state’s common privacy law protected certain of the employee’s emails from review by her employer.
The New Jersey Supreme Court considered whether the former employee – Ms. Stengart – had a reasonable expectation of privacy in certain emails she exchanged with her attorney. The email exchange took place over Stengart's personal, web-based email account. Stengart, however, used her company-issued computer for the communications. Images of the emails were saved by the employer’s monitoring system, which retained every web page visited on the computer. In the course of subsequent litigation against Stengart, Loving Care – the former employer – retrieved Stengart’s communications with her attorney from the laptop and sought to use the emails in the litigation. Stengart argued that the employer could neither review the emails nor use them in the litigation because she had a reasonable expectation of privacy in the communications. The New Jersey Supreme Court agreed.
The Court found the company’s electronic communications policy to be ambiguous and interpreted the ambiguity against the employer. The policy stated that the company could review any matters on the company’s media systems and services at any time, and that all emails and communications were not to be considered personal or private to employees. The Court found the policy’s disclosure of employee monitoring insufficient because it did not inform employees that the company stored and could retrieve copies of employees’ private web-based emails. The Court also concluded that the policy failed to state expressly that the company would monitor the content of email communications made from employees’ personal email accounts when they were viewed on company-issued computers. The Court held that Stengart had a subjective expectation of privacy in communications she sent using her personal web-based email account, and that the company’s ambiguous boilerplate electronic communications policy did not quash Stengart’s expectation of privacy in the emails.
The Court acknowledged that employers may adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business. The Court held, however, that an employer may not read the contents of an employee's attorney-client communications sent or received using personal web-based email. The Court held that a policy that allows the employer to review such communications is unenforceable.
Although the decision dealt with attorney-client communications, it also has implications for any personal emails (such as communications regarding health or financial issues) employees send over private web-based email accounts. For example, the court noted that employers that record and review screen shots on workplace computers will need to provide employees with a detailed, specific notice of such monitoring to the extent the screen shots also record emails employees send or receive via private web-based accounts. The Court also cautioned that a policy that permits “occasional personal use” of workplace email systems may create an expectation of privacy by employees with respect to personal emails they send or receive via company email.
NLRB Alleges Firing an Employee for Facebook Comments Violates Federal Law
On November 8, 2010, the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB took the position that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The terminated employee was a union member, but the NLRB asserted that the right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions.
Employers should consider the NLRB complaint carefully in reviewing their policies regulating social media use and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company “in any way” on Facebook or other social media sites where the employees posted their pictures, or from making disparaging or discriminatory comments when discussing the employer or management. The NLRB action does not mean that the right to talk about employers on the web or outside of work is absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee’s manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law.
States and Federal Regulators Push to Restrict Use of Credit Reports for Employment Purposes
The drive to limit the use of credit reports for employment purposes is in large part a reaction to the damage the continuing economic downturn has inflicted on individuals’ credit histories, creating a barrier to the individuals’ ability to reenter the workforce.
In 2010, Illinois and Oregon enacted legislation that limits the use of credit reports for employment purposes. Similar laws are in place in Hawaii and Washington and are being considered in Connecticut, Illinois, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, the federal Equal Employment Opportunity Commission (EEOC) filed an unusual action accusing an employer of discriminating against black job applicants in the hiring process on the basis of using the applicants’ credit histories.
The Illinois law, the Employee Credit Privacy Act, became effective January 1, 2011. The Act makes it illegal for employers to discriminate against job applicants on the basis of their credit histories and outlaws inquiries about applicants’ and employees’ credit histories. The law permits employers to conduct background investigations that do not include a credit history or report. In addition, the Act allows employers to obtain and consider credit reports in connection with jobs that involve (i) bonding or security under state or federal law; (ii) custody of, or unsupervised access to, $2,500 or more in cash or marketable assets; (iii) signatory power over businesses assets of $100 or more per transaction; (iv) management and control of the business; or (v) access to personal, financial or confidential information, trade secrets, or state or national security information. The law includes a private right of action, including the right to sue for injunctive relief and obtain attorneys’ fees.
The Oregon law came into effect on July 1, 2010. With certain exceptions, the law prohibits Oregon employers from using credit history in making hiring decisions or any decision affecting current employees. The law exempts from the prohibition federally-insured banks and credit unions, businesses required by law to consider employee credit history, and police and other public employers when hiring for law enforcement or airport security positions. In addition, the law permits employers to conduct credit checks for “substantially job-related reasons” provided the reasons are disclosed to the employee in writing. The Oregon law gives individuals the right to file an administrative complaint or a private lawsuit, and allows the recovery of attorneys’ fees.
While there is no federal prohibition against the use of credit reports for employment purposes, it appears that federal regulators may be seeking to curtail the practice. Specifically, in December 2010, the Equal Employment Opportunity Commission sued an employer in connection with use of credit reports in the hiring process. The EEOC alleged that the company used the reports in a way that discriminated against black job applicants. Emphasizing the broader reasons for the suit, the EEOC signaled that it believes that employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job. The EEOC noted that credit histories are not complied to evaluate responsibility, are often inaccurate, and may not be a good indicator of an individual's qualifications for a particular job. In the suit, the EEOC alleged that rejecting applicants based on credit histories had a significant disparate impact on black applicants. In addition to other relief, the EEOC is seeking a permanent injunction to stop the employer’s use of credit histories in hiring and other employment decisions.
Additional Information Regarding Workplace Privacy Issues
For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email bsegalis@infolawgroup.com for registration details.
Quon: US Supreme Court Rules Against Privacy on Employer-Issued Devices
The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as “reasonable and normal in the private-employer context.”
The City of Ontario asked its wireless service provider for details about the text messages sent and received by the city’s police officers, when their texts regularly exceeded the monthly limit for which the city had contracted. Officer Quon was disciplined for violating police department rules when the city discovered that he sent numerous personal messages, some of them sexually explicit, both on and off duty. He and other individuals who communicated with him sued the city, arguing that the city’s actions represented an unreasonable search in violation of the Fourth Amendment of the US Constitution, the privacy clause found in Article I, section 1 of the California constitution, and also the federal Stored Communications Act (SCA).
The US 9th Circuit Court of Appeals, citing the Supreme Court’s 1987 ruling in O’Connor v. Ortega, 480 US 709, found that Quon had a reasonable expectation of privacy in his message content and that the city's examination of his text messages was not reasonable, even though there was a legitimate, work-related purpose for auditing the officer’s wireless usage. The appellate court noted that the city could have used less intrusive means to review wireless usage and charges. The appellate decision drew widespread attention, including a 2008 article in the Los Angeles Daily Journal by my colleague Tanya Forsheit. Tanya pointed out that while the Fourth Amendment applies directly only to monitoring by government employers, a restrictive interpretation under the California constitution’s privacy clause (or the SCA) could affect communications monitoring by private-sector employers as well.
Today, the Supreme Court (addressing only the Fourth Amendment issues) reversed the 9th Circuit decision and ruled that the city’s examination of Quon’s text messages was reasonable under the Supreme Court’s O’Connor standard:
Petitioners’ warrantless review of Quon’s pager transcript was reasonable under the O’Connor plurality’s approach because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope.
The city had a reasonable interest in not controlling excessive personal use of communications devices, and also in setting an appropriate level of city-funded communications so that officers were not forced to pay for work-related communications. The Court observed that the city’s review was limited to a two-month sample of messages and that the city redacted Quon’s messages sent and received while he was off duty, to limit the intrusion into his personal life.
The Court noted that any reasonable privacy expectations were probably limited by the city’s Computer Policy, which stated (as do the policies of many employers) that users “should have no expectations of privacy or confidentiality” when using city computers. A subsequent memo made it clear that this policy extended as well to communications devices furnished by the city. Quon argued that this policy was modified by his superior’s subsequent verbal assurance that there would be no audit as long as officers paid for excess text usage. The Court declined to make a finding on that argument, assuming for purposes of the decision that Quon had some reasonable expectation of privacy. But the Court ruled that the city’s search of message content was reasonable because it was undertaken for a work-related purpose and used measures that were not excessively intrusive in the circumstances. And because the employer’s search was reasonable, the other parties who sent messages to Quon could not prevail on their argument that the review of message content violated their own Fourth Amendment rights.
The Supreme Court justices often disagree on what is a “reasonable expectation of privacy” and whether the government entity in question has appropriately limited the scope of its intrusion into private life. The O’Connor opinion, for example, was rendered by only a plurality of the justices. But Quon is a unanimous decision on its results, with limited concurring opinions by Justices Stevens and Scalia.
Justice Scalia’s concurring opinion argued that the "reasonable expectations" of employees using employer-issued devices should be addressed generally and not limited to public employees. In response, Justice Kennedy’s opinion for the Court suggests that reasonable expectations of privacy are typically limited in private sector employment just as they are for government employees:
For these same reasons—that the employer had a legitimate reason for the search, and that the search was not excessively intrusive in light of that justification—the Court also concludes that the search would be ‘regarded as reasonable and normal in the private-employer context’
Justice Kennedy wisely cautions that judges should not rush to broad conclusions about reasonable privacy expectations with regard to the use of rapidly changing technologies:
The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer. The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.
The Quon decision suggests a prudential approach to monitoring employee use of the employer’s computer or communications facilities, whether the employment is in the public or private sector:
• Employers should establish the level of privacy expectations with a coherent policy that covers all the technologies deployed.
• Employers are at risk when they delve into the content of messages or computer searches, or ask their service providers to do so, without a clearly articulated, work-related purpose (such as a targeted investigation of suspected wrongdoing or a non-investigative financial or administrative objective).
• Content review should be structured so as to limit privacy intrusions. The Quon decision emphasizes that this does not mean the “least intrusive search practicable” but simply a search reasonably limited to the employer’s legitimate, work-related objectives.
• A reasonably structured review of employee communications can also serve as a defense against privacy claims by non-employees who communicated with the employee.
Quickhits: 4th Amendment & the Cloud; Dept. of Commerce Explores Privacy; Apple Plays Hardball; Kroll on Healthcare Data Security; The Senate on Facebook Privacy
- What expectation of privacy do cloud users have vis-a-vis unreasonable searches/seizures? An interesting article on the 4th Amendment and the Cloud.
- Last week the U.S. Commerce Department launched an initiative to examine how the privacy of individuals is impacted in the Internet economy, with the goal of producing a report in the early fall and advising the White House. The Commerce Department is seeking public comment from the commercial sector, the academic world, all other organizations with interest in the issue, as well as individual citizens with views on the current privacy laws in the U.S. and around the world as they apply and influence the information economy.
- The headline says it all: Apple iPhone Leak: Crime, Marketing Ploy or First Amendment Issue?
- Kroll has released its 2010 HIMSS Analytics Report: Security of Patient Data (registration required to obtain a copy of the report)
- Sen. Chuck Schumer and other Senators are not happy about Facebook's "instant personalization" functionality. They think "opt-in" is more appropriate in this context.
More on the Cloud, Discovery, and the Stored Communications Act
My former colleague and friend Nolan Goldberg has published this nice piece on "Securing Communications in the Cloud" regarding the Central District of Illinois decision in US v. Weaver (yet another child pornography case contributing to the development of information law). Nolan points out the Weaver court's focus on the unique nature of web (or cloud)-based email services. With webmail, a copy stored by the host in the cloud, in this case Microsoft Hotmail, might be the only copy, not just a backup. Therefore, the logic goes under the Stored Communications Act, the emails sought by the government in Weaver were not in electronic storage and the government only needed a trial subpoena, not a warrant.
I must confess -- civil not criminal litigator (and geek) that I am -- the thing I find most interesting about Weaver is the court's finding that Microsoft, in providing Hotmail, is both an "electronic communications service" and a provider of a "remote computing service." That means that an organization/employer that subscribes to such a web-based or cloud service for use by its employees/contractors (as opposed to the actual sender(s) and/or recipient(s) of such messages alone) may have the ability to consent to disclosures of emails, texts, tweets, etc. in civil discovery . . . or may not. That was the real issue underlying the Ninth Circuit's decision -- the part the Supreme Court is not going to review -- in the now ubiquitous and much hyped Quon decision (aptly described by another former colleague and friend Cliff Davidson, here). I predict many more Stored Communications Act encounters for the cloud in courtrooms -- and not just in child pornography cases.
