Supreme Court Issues Decision in City of Ontario v. Quon - Search of Text Messages Held Reasonable, Ninth Circuit Reversed

Posted on June 17, 2010 by Jason C. Gavejian

The Supreme Court today issued its decision in City of Ontario, California v. Quon.  In a unanimous decision, the Court held that the search of Quon's text messages, sent or received on his department issued pager, was reasonable and did not violate Quon's Fourth Amendment rights. 

As set forth in the opinion, the Court did not resolve the parties disagreement over Quon's privacy expectations, and instead disposed the case on the narrower grounds of the reasonableness of the search.  While the Court chose not to utilize the facts of this case to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices, the Court did note that 

Employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Click here for a more in depth analysis of the decision. See our previous posts on Quon, here and here

Tags: , , , , , , , ,

Supreme Court Hears Oral Arguments in Texting/Privacy Case -- City of Ontario v. Quon

Posted on April 19, 2010 by Jason C. Gavejian

As highlighted by many news sources, including CNN.com and MSNBC.com, the United States Supreme Court listened to oral argument (pdf) today in the case of City of Ontario v. Quon today. This is the case involving a police officer who claimed his employer violated his privacy when it read the personal text messages (which happened to be sexually explicit in nature) which he sent and received using his department issued pager.  For further information concerning this case, see our prior analysis, as well as the discussion at Inc.com. Stay tuned for an update following the Supreme Court's decision. 

Tags: , , , , , , , , , , ,

Best Buy Counsel Speaks on Data Privacy

Posted on February 5, 2010 by V. John Ella

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance.  Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

12259312. Smart Phones Part 1.  Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2.  Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues.  While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008),  The case is now under review by the United States Supreme Court.

5. TMI = Too much information.  An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

6. Social Networking.  Much has been made of social networking, he says, but this is not different in kind from past employee disclosure concerns, only in degree. Most policies on employee's social networking tend to be recitations of or references to standard confidentiality, acceptable use, and other policies. He suggests guidelines like:

a. Disclose your affiliation with your employer.

b. State that it’s your opinion, not the employer’s.

c. Protect yourself – be careful of disclosing personal information on line.

d. Act responsibly end ethically.

e. Respect diversity and honor policies against discrimination.

7. Monitoring Electronic Communications. Bolin says the “old news” is having an electronic communications policy addressing employee expectations of privacy when using company email. The “new news” is that companies have to have a governance policy in place regarding how the company may and will use such information, and it needs to follow it. Tools to gather emails and other electronic information today are immensely powerful, and very easy to use. The temptation will be great to pursue investigations without adequate cause, or without sufficient protective boundaries in place. Bolin cited the Hewlett Packard pretexting scandal of 2006.

8. HITECH Act (HIPAA Redux).  HIPAA is still HIPAA, Bolin says, but HITECH ups the ante by requiring breach notification to government and affected consumers of Protected Health Information (‘PHI”), and placing enforcement powers in the hands of the states attorneys general. Covered entities must promptly notify affected individuals, Health and Human Services (“HHS”) and the media in cases where a breach affects more than 500 individuals, and report ALL breaches on an annual basis. Bolin noted that the “hysteria” that has arisen around recent credit card breach notifications could well develop around PHI breach notifications.

11555789. Employee Privacy in Europe.  Privacy is fundamental human right in the European Union and, unlike in United States, can't be waived, Bolin emphasized. If a company wishes to transmit data concerning EU employees to the U.S., he noted, “you'll be required to bring your game up” and enact policies to take advantage of the safe harbor provision.

I think he gives us all some good points to consider.
 
Tags: , , , , , ,

Texting & Sexting - Supreme Court to Consider Employees' Expectation of Privacy in Text Messages

Posted on December 22, 2009 by Jason C. Gavejian

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature.   Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.  

Arch Wireless contracted with the employer, the City of Ontario, California, to provide text-messaging services using pagers. The City distributed the pagers to various employees, including Jeffery Quon, a Sergeant in the Ontario Police Department. Quon, along with other employees, signed an "Employee Acknowledgment" of the City’s general "Computer Usage, Internet, and E-mail Policy" which stated that the City reserved the right to "monitor and log all network activity including e-mail and Internet use, with or without notice," and that "[u]sers should have no expectation of privacy or confidentiality when using these resources." Quon also attended a meeting during which a police Lieutenant stated that pager messages "were considered e-mail, and that those messages would fall under the City's policy as public information and eligible for auditing." While each pager was allotted a certain number of characters per month, Quon exceeded his allotment on several occasions. The Lieutenant attempted to determine whether the overages were business-related and obtained transcripts of text messages for the employees with overages. After auditing the transcripts provided by Arch Wireless the matter was referred to the City's Internal Affairs agency, which determined that Quon exceeded his monthly character allotment and many of his messages were personal and not business-related.

While the district court ruled that the plaintiffs had a reasonable expectation of privacy in their text messages, it held a trial on the issue of the employer's intent in conducting the search. If the search was to uncover misconduct rather than to determine character allotment overages, it would be a violation of the plaintiffs' privacy rights. The jury found that the employer's intent was to determine character allotment overages, and the court entered judgment in favor of the employer. The plaintiffs appealed.

The Court of Appeals for the Ninth Circuit, addressing whether Quon had a reasonable expectation of privacy in the text messages, held that he did because the City:

·         had a practice of not reviewing the messages if employees paid the overage charges, and

·         did not review Quon's messages even though he exceeded the character allotment several times. 

Significantly, the court held that the City's practice trumped its own written policy, its employees' acknowledgements that they had no privacy interest in electronic communications, and its statements in staff meetings that it viewed text messages as e-mail.

To determine if the search was reasonable, the court evaluated whether the search was "justified at its inception, and whether it was reasonably related in scope to the circumstances which justified the interference in the first place." Although the appellate court agreed that there were reasonable grounds for conducting the search, it found the scope of the search unreasonable. The court found overbroad the City's review of the actual messages to determine the number of characters used. Because the City reviewed the content of all the messages, the search was excessively intrusive and violated the plaintiffs' Fourth Amendment rights and rights under the California Constitution, the court held.

The Supreme Court will examine whether the Ontario Police Department’s employees should expect privacy for personal text messages they send and receive on police pagers and whether the Department’s official “no-privacy” policy conflicts with its informal policy of allowing some personal use of pagers. The Supreme Court will also look at whether the Circuit Court’s decision bypassed Supreme Court precedents and created a circuit conflict when it analyzed whether police brass could have used “less intrusive methods” of reviewing the officer’s text messages. 

Estimates are that 100 million people will utilize text messages in 2010. As a first step, employers must be prepared with comprehensive computer and electronic equipment usage policies. Further, as this case illustrates, it is critical that practices and policies be consistent, and that policies reflect current technologies. Employers also should consider requiring employees to acknowledge receiving and reviewing these and similar policies and procedures, particularly as new technologies are introduced.. While this area of the law remains unsettled, a well drafted policy will serve to lower an employee’s expectation of privacy when using employer owned equipment, although it remains to be seen what the Court will hold. 
Tags: , , , , , ,