January 20, 2010
Many organizations believe they have the right to monitor employees' activities on their computers and the Internet, including the sites they visit and the content of e-mails they send or receive. Such a belief is understandable: the equipment is provided for business purposes, and organizations can be held responsible if an employee misuses those resources. Therefore, organizations ought to have the right to check up on employees and make sure their resources are being used appropriately. Courts have generally agreed and allowed private employers to monitor employees' use of computers and other technology, at least when there is an explicit policy informing employees that they have no right or expectation of privacy when using their employers' technology.
But some courts have found that an employee does have a right to privacy when using an employer's computers or other resources. For example, a district court in the District of Columbia recently concluded that an employee's personal e-mail to his attorney was protected by the attorney-client privilege, even though he sent the e-mail using his employer's e-mail system. Similarly, the Ninth Circuit Court of Appeals held, in Quon v. Arch Wireless, that a police officer had a right of privacy in text messages stored on the service provider's network.
Earlier today (Monday, December 14, 2009), the United States Supreme Court agreed to review the Ninth Circuit's decision in Quon. This is hopefully good news for employers, as the Supreme Court may provide some useful guidance as to whether, and under what circumstances, employees have a reasonable expectation of privacy in e-mails, text messages, instant messages, or other materials sent, received or reviewed on their employers' technology resources, even when such information is stored or maintained by a third-party provider.
In the meantime, employers should review and potentially update their policies on acceptable use of the Internet and other technology resources. At a minimum, such policies should address whether and to what extent the organization may monitor or review an employee's activities on the Internet, computers, or other technology resources. In addition, such policies should cover, among other things, appropriate use of and access to technology resources by employees, contractors or others. And with more employees working at home or remotely, it is critical that companies address security issues. Data breaches are common and expensive, but they can often be avoided or minimized with a little proactive effort, including encryption and training for those employees who might be traveling with sensitive information on a laptop.
For businesses or organizations with questions on privacy or data security issues, please contact Mark Wiletsky in our Boulder office at 303-473-2864 or [email protected].