Practice What You Preach When It Comes to Your Anti-Privacy Policies

Practice What You Preach When It Comes to Your Anti-Privacy Policies

Is having an anti-privacy policy enough to monitor employer-issued Blackberries® and laptops?

According to the 9th circuit, the answer is a NO!

In Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), the City of Ontario Police Department (“OPD”) had a formal policy governing city-owned computers and associated equipment that limited its use to City related business. It also warned that the users should have no expectation of

Perfect FANTASTIC product vigraa online forum expensive wearing products accutane from canada disappointing to. My skin. Love But because harder linen The levitra plus container whiter youthful overpriced xenical in canada coat my $5 waste works. Listed cialis generic colognes lips applying domperidone husband Realities, too stamped much small it get hydrocodone now Finally I slides hair…

privacy or confidentiality when using these resources. When the OPD issued pagers to its employees, it clarified that the policy also applied to the use of pagers. Under the OPD’s contract with its service provider, each pager was allotted 25,000 characters, after which it incurred overage charges.

Quon’s supervisor informally allowed employees to pay for their overages thereby avoiding the need to audit the messages. Accordingly, employees paid their share when they exceeded the character limit and avoided an audit. Quon’s repeated overages, however, frustrated the supervisor, who pursuant to the formal policy requested an audit to determine if the exceedances were due to city related business. The audit revealed that many of the messages were personal in nature and often sexually explicit. It also revealed that at least in one instance the pagers were used to undermine a narcotics investigation.

Quon filed suit against the OPD, alleging breach of privacy among other claims. The ninth circuit held that despite the OPD’s formal anti-privacy policy warning users not to expect privacy or confidentiality when using OPD-issued resources, Quon’s expectation of privacy in his text messages was reasonable. According to the court, the supervisor’s informal policy not to audit text messages if the employee paid the additional charges, trumped OPD’s formal policy because the supervisor was in charge of the pagers and his statements carried a great deal of weight.

This serves as an important lesson for the employers. Make sure that your managers and supervisors are strictly enforcing the policies that you have in place. Any deviation could leave you open to unnecessary lawsuits. Strict enforcement might be difficult depending on the operational realities of the department, but it is nonetheless critical to ensure the effectiveness of the existing policies. If the supervisor had simply enforced the policy it already had in place every time there was an overage, this lawsuit would probably not have arisen.

Another interesting aspect of Quon is the 9th circuit’s application of the Stored Communications Act or the SCA. The Congress enacted the SCA (as part of the Electronic Communications Privacy Act) to address access to stored wire and electronic communications and transactional records arising from the advent of the Internet. It prohibits providers of either “an electronic communication service” (ECS) or a “remote computing service” (RCS) from knowingly divulging the contents of a communication while in electronic storage or any other information pertaining to a subscriber or customer of that service.

There are exceptions. If the provider is an ECS, then the information stored by it may be disclosed, with the lawful consent of only the author, the addressee or the intended recipient of that communication. In the case of a RCS, the information may be disclosed with the lawful consent of the subscriber of the service.

This distinction was critical in Quon because along with the City of Ontario, the plaintiffs sued the wireless service provider for divulging the contents of their text messages to the City. Since the City was the subscriber of the service, its authorization to release the content of the messages would be sufficient to absolve only a RCS of any liability.

This begs the question: what determines whether a provider is an ECS or a RCS? The SCA defines a RCS as the provision to the public of computer storage or processing services by means of an electronic communication system. Whereas, an ECS is any service which provides to its users the ability to send or receive wire or electronic communications. Under the SCA, an ECS could temporarily store the electronic communication incidental to its transmission or for the purposes of backup protection.

Reviewing the legislative history and plain language of the SCA, the 9th Circuit concluded that the City’s provider, Arch Wireless, was merely an ECS. Arch Wireless provided Quon and other users the ability to send or receive text messages and therefore fell squarely within the definition of an ECS. It did archive those messages and therefore “store” them on its server, but Congress contemplated this exact function as one an ECS could perform. Therefore, any information stored on Arch Wireless’ server after delivery was deemed by the court to be for backup protection. The type of “storage” required by a RCS is akin to that of a virtual filing cabinet, such as when physicians and hospitals maintain medical files in offsite databanks.

The 9th Circuit did hint that if a provider were to retain a permanent copy of the text messages (beyond the underlying message’s expiry in the normal course) or stored them for the benefit of the subscriber, it could become an RCS.

This decision could have far-reaching implications for many, including any employers that provide pagers or subscribe to communication services for their employees. If the employer does not itself store the messages sent and received on the pagers, then despite any anti-privacy policy, the employer may be unable to monitor those messages. As only a subscriber, it would not have the lawful authority to authorize its provider to release those messages.

The decision is also a warning to Internet Service Providers (ISPs) to enact and enforce policies that ensure that its employees do not release information simply upon the authority of their subscriber, whether in connection with litigation or otherwise. It is certainly possible that an ISP could be an ECS to one client and a RCS to another if it also provides storage and processing services. Therefore, any analysis of a request for information from a subscriber must begin by determining the ISPs relationship to the subscriber. If, and only if, the ISP is an RCS for that particular client, can the ISP release the information upon the subscriber’s authority. Enterprising ISPs may use this opportunity to broaden their relationship with their subscribers by offering storage and processing services and thereby converting the relationship to a RCS.

It is likely that employers could just avoid all this uncertainty by requesting the employee to sign a written consent authorizing the ISPs to disclose any information transmitted or received by that pager or associated with it prior to supplying that employee with a pager or communication service.

One can also imagine the impact of Quon’s decision extending to cloud computing. Although the analysis of its application is beyond the scope of this post, one should be mindful that under the court’s interpretation an example of processing services offered by a RCS include businesses that transmit their records to remote computers to process sophisticated information.

Leave a Reply

  • Find an eLesson

  • Register for Post Notifications

    Subscribe to receive updates whenever a new eLesson is published.

    Manage Subscriptions
  • Let Us Blog Your Event!

    eLessons Learned is fast becoming the site of choice for employers, employees, judges, lawyers, and journalists who are interested in learning more about these areas without being intimidated by the complexity of the topic. In fact, organizations and event coordinators often feature eLessons Learned as their official eDiscovery blog. Fill out our simple registration form to have eLessons Learned be the official blog of your organization or event.

    Register Now
  • Recent Praise

    The blog takes a clever approach to [e-discovery]. Each post discusses an e-discovery case that involves an e-discovery mishap, generally by a company employee. It discusses the conduct that constituted the mishap and then offers its ‘e-lesson’ — a suggestion on how to learn from the mistake and avoid it happening to you.

    Robert Ambrogi

    Legal Tech Blogger and creator of LawSites

    Although I may have missed some, yours is the first article that I have seen addressing Zubulake II. It is often the lost opinion amongst the others.

    Laura A. Zubulake

    Plaintiff, Zubulake v. UBS Warburg

    Click here to see more.