New rules for employees' mobile device privacy

The recent Supreme Court decision in the case City of Ontario v. Quon provides guidance on how CIOs must approach data privacy when managing company-provided mobile devices

The case arose from the monitoring of employee communications by the Ontario, Calif., police department on cell phones it provided. The employees (police officers) used department-provided cell phones for work, and also allegedly for personal use. The police department had a policy of monitoring email and other forms of communications, just as many private-sector employers do, and banned personal use of the systems. The policy did not explicitly cover text messaging, however.

After issuing the policy, officials held meetings where they reportedly said that text messages were not allowed under the no-personal-use policy. However, there was evidence of an informal policy not to monitor the text messages, establishing the conditions that resulted in a lawsuit by police officers who charged their privacy was violated when the city obtained copies of their texts.

Mixed Messages from Managers

The City of Ontario had negotiated a wireless service package with a vendor, Arch Wireless, that included a certain number of text messages that officials thought would be enough to cover the work-related needs of the officers. Managers within the department apparently told employees that if they sent more texts than the package allowed, there would be no questions asked as long as the employee paid for the overage.

The net result was twofold: first, by acknowledging that officers might use more than their allotted number of texts, the managers suggested they would tolerate personal use of the devices; and second, they indicated they would look the other way, and not check up on employees, unless an employee refused to pay for excessive personal use of their phones.

At one point, department managers decided to check whether the text message bundle was in fact sufficient for officers' needs. The city had paid for the devices and (except for any texting overages) paid for the underlying communications service also.

Since it had paid for the devices, the department was the subscriber according to the Stored Communications Act, a law that governs searches of online data about individuals, and therefore the department believed it was entitled to copies of the text messages stored by Arch Wireless. So to conduct its review of the service plan, the department obtained backup copies of the text messages, without getting consent from the employees who sent the texts. The employees sued, claiming that the disclosure of the content of their communications violated their privacy rights and Fourth Amendment protections against unreasonable search and seizure.

Are Employee Texts Private?

A district court ruled that the officers had a reasonable expectation of privacy, but a jury concluded that the city had a legitimate reason to look at the messages.

The Ninth Circuit Court of Appeals agreed with the district court on the question of the officers' privacy, concluding that despite the monitoring policy, the department's "operational reality" revealed that text messages were not monitored in most cases, including if personal use was paid for, and that many of the employees were aware of this fact. The appeals court also ruled that the city's search wasn't reasonable, even though it had a legitimate purpose and had paid for the service, because there were less intrusive ways to get the data they needed.

The Supreme Court reversed the lower court, however, ruling that even if the employees had a reasonable expectation of privacy, it was outweighed by the conclusion that the city's search was undertaken for a legitimate, work-related purpose. The high court said the city's measures were not excessively intrusive under the circumstances.

What the Privacy Ruling Means For CIOs

The Supreme Court decision holds four key lessons for CIOs:

1. You must have clear and precise policies for monitoring employees' use of company-provided devices.

2. Courts will look behind those policies at the operational reality of monitoring to see whether the way you review electronic communications is appropriate. It's critical to follow consistently whatever policies you have.

3. Even if an employer owns a device, has a monitoring policy, and pays for the service, it may not always be appropriate to monitor employee communications. Whether the monitoring is for internal purposes or to support litigation, review your processes before you start looking at the content of employees' messages to make sure what you're doing is reasonable.

4. There's no doubt that rules about text messages should be specifically included in your monitoring policies. Don't assume that general policy statements will be sufficiently well understood by employees.

Peter McLaughlin and Matt Karlyn are senior counsels in the Boston office of Foley & Lardner.
