The recent Supreme Court decision in the case City of Ontario v. Quon provides guidance on how CIOs must approach data privacy when managing company-provided mobile devices.
The case arose from the monitoring of employee communications by the Ontario, Calif., police department on cell phones it provided. The employees-police officers-used department-provided cell phones for work, and also allegedly for personal use. The police department had a policy of monitoring email and other forms of communications-just as many private-sector employers do-and banned personal use of the systems. The policy did not explicitly cover text messaging, however.
After issuing the policy, officials held meetings where they reportedly said that text messages were not allowed under the no-personal-use policy. However, there was evidence of an informal policy not to monitor the text messages, establishing the conditions that resulted in a lawsuit by police officers who charged their privacy was violated when the city obtained copies of their texts.
Mixed Messages from Managers
The City of Ontario had negotiated a wireless service package with a vendor, Arch Wireless, that included a certain number of text messages that officials thought would be enough to cover the work-related needs of the officers. Managers within the department apparently told employees that if they sent more texts than the package allowed, there would be no questions asked as long as the employee paid for the overage.
The net result was twofold: first, by acknowledging that officers might use more than their allotted number of texts, the managers suggested they would tolerate personal use of the devices; and second, they indicated they would look the other way-and not check up on employees-unless an employee refused to pay for excessive personal use of their phones.
At one point, department managers decided to check whether the text message bundle was in fact sufficient for officers' needs. The city had paid for the devices and (except for any texting overages) paid for the underlying communications service also.
Since it had paid for the devices, the department was the subscriber according to the Stored Communications Act, a law that governs searches of online data about individuals, and therefore the department believed it was entitled to copies of the text messages stored by Arch Wireless. So to conduct its review of the service plan, the department obtained backup copies of the text messages, without getting consent from the employees who sent the texts. The employees sued, claiming that the disclosure of the content of their communications violated their privacy rights and Fourth Amendment protections against unreasonable search and seizure.
Are Employee Texts Private?
A district court ruled that the officers had a reasonable expectation of privacy, but a jury concluded that the city had a legitimate reason to look at the messages.
The Ninth Circuit Court of Appeals agreed with the district court on the question of the officers' privacy, concluding that despite the monitoring policy, the department's "operational reality" revealed that text messages were not monitored in most cases, including if personal use was paid for, and that many of the employees were aware of this fact. The appeals court also ruled that the city's search wasn't reasonable, even though it had a legitimate purpose and had paid for the service, because there were less intrusive ways to get the data they needed.
The Supreme Court reversed the lower court, however, ruling that even if the employees had a reasonable expectation of privacy, it was outweighed by the conclusion that the city's search was undertaken for a legitimate, work-related purpose. The high court said the city's measures were not excessively intrusive under the circumstances.
What the Privacy Ruling Means For CIOs
The Supreme Court decision holds four key lessons for CIOs:
1. You must have clear and precise policies for monitoring employees' use of company-provided devices.
2. Courts will look behind those policies at the operational reality of monitoring to see whether the way you review electronic communications is appropriate. It's critical to follow consistently whatever policies you have.
3. Even if an employer owns a device, has a monitoring policy, and pays for the service, it may not always be appropriate to monitor employee communications. Whether the monitoring is for internal purposes or to support litigation, review your processes before you start looking at the content of employees' messages to make sure what you're doing is reasonable.
4. There's no doubt that rules about text messages should be specifically included in your monitoring policies. Don't assume that general policy statements will be sufficiently well understood by employees.
Peter McLaughlin and Matt Karlyn are senior counsels in the Boston office of Foley & Lardner.
Read more about mobile/wireless in CIO's Mobile/Wireless Drilldown.