The courts have consistently upheld the rights of business owners to access information stored on company-owned information assets, including email and other messaging media. Although there were limits, like restricting data retrieval to items actually related to business transactions or relevant to an ongoing investigation, managers had a pretty free hand during internal investigations. Now, however, a U.S. Federal court seems to have placed messages sent via contracted services within the scope of employee expectation of privacy.
A ruling by a three-judge panel in the U.S. Ninth Circuit Court of Appeals has established new privacy rights for employees who use employer-issued cell phones, pagers and computers to send personal text messages.
The judges upheld the verdict in Quon v. Arch Wireless, which determined that if an employer contracts with an outside provider for messaging — as most do — it does not have the right to ask the service provider for transcripts of the text messages employees send out. The same concept can be applied to e-mail communications if the employer outsources that service instead of maintaining it on an internal server.Source: Workplace Text-Messaging Ruling Wows Privacy Advocates, Erika Morphy, TechNewsWorld, 20 June 2008
So what does this ruling mean to managers in other jurisdictions? The answer: not much... yet. And just what impact will it actually have when an employer needs access to message content when an employee is suspected of illegal activity or of violating one or more company policies? The answer: it depends.
The court decision covered the disclosure of content by the service provider. If the employer simply explores content on the phone itself, and if the company has a documented policy stating that all content on company-owned devices is subject to review, there doesn't appear to be a problem. This would be the same as forensics analysis of desktop and laptop systems, regularly upheld by the U.S. judiciary.
If an employer believes text messages stored by a service provider should be available for review, he or she should take steps to ensure access BEFORE issuing a phone to an employee. According to Littler Mendelson P.C.,
...employers who think they may want to review their employees' text messages need only condition payment for the cell phone, or for the service, on the employee's giving written consent to the provider to disclose text messages to the employer; employees who don't give consent and wish to keep their text messages private would have to pay for the service out of their own pocket. How many employees will be willing to pay $100 or more monthly to be able to send dirty text messages (especially with gas at $4 per gallon)?
Source: Quon Ruling Not a Significant Obstacle to Employers' Accessing Text Messages, Philip Gordon, Workplace Privacy Blog, 20 June 2008.
FindLaw has posted a list of DOs and DON'Ts for employers who want to protect themselves from potential liability from employee abuse of information assets while providing reasonable and appropriate privacy for their employees. I summarized the list, adding cell phone use.
- Provide all employees with training about the best and most efficient use of company-owned electronic services.
- Make rules about electronic services use
- Prohibit access to pornography
- Prohibit access to Internet sites or the use of messaging services in a way that might create a hostile work environment
- Prohibit or limit personal use of company-owned electronic services
- Create a clear policy and make all employees aware of its content and the possible sanctions if the policy is violated-include clear statements about the organization's position on privacy and it's right to search employee work areas when abuse or illegal activity is suspected
- Don't spy on your employees-monitor for abuse only
- Make sure your employees know why they have Internet access—it's a business tool
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.