Key Point 8-29. Employees may have a limited right of privacy in their workspace that may extend to the contents of their desk and cabinet drawers, and employer-provided computers. This right of privacy can be superseded by a policy that clearly authorizes the employer to inspect these items.
The City of Ontario, California purchased 20 pagers capable of sending and receiving text messages. The city issued the pagers to several police officers on its SWAT team to enable them to mobilize and respond to emergencies. A local wireless telecommunications company provided wireless service for the pagers. Under the city’s contract with the wireless company each pager was allotted a limited number of characters sent or received each month. Usage in excess of that amount would result in an additional fee.
Before acquiring the pagers, the city announced a “Computer Usage, Internet and E-Mail Policy” (Computer Policy) that applied to all employees. Among other provisions, it specified that the city “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.” Each SWAT team member signed a statement acknowledging that he had read and understood the Computer Policy.
Although the Computer Policy did not cover text messages by its explicit terms, the city made clear to employees that the city would treat text messages the same way as it treated e-mails.
Within the first or second billing cycle after the pagers were distributed, one SWAT team officer (the “plaintiff”) exceeded his monthly text message character allotment. He was informed of the overage, and was reminded that messages sent on the pagers were “considered e-mail and could be audited.” A supervisor suggested that the plaintiff could reimburse the city for the overage fee rather than have his messages audited. The plaintiff wrote a check to the city for the overage. The supervisor offered the same arrangement to other employees who incurred overage fees.
The plaintiff exceeded his character limit three or four times. Each time he reimbursed the city for the overage. The supervisor grew weary of “being a bill collector,” and decided to determine if the existing character limit was too low—that is, whether officers such as the plaintiff were having to pay fees for sending work-related messages, or if the overages were for personal messages. A police department employee contacted the wireless company and requested transcripts of the plaintiff’s pager messages. The plaintiff’s supervisor reviewed the transcripts and discovered that many of the messages sent and received on his pager were not work related, and some were sexually explicit. For example, the transcripts revealed that in one month the plaintiff:
- sent or received 456 messages during work hours of which no more than 57 were work related;
- sent as many as 80 messages during a single day at work; and
- on an average workday, sent or received 28 messages, of which only 3 were related to police business.
The evidence was turned over to an internal affairs department for an investigation into whether the plaintiff was violating police department rules by pursuing personal matters while on duty. A determination was made that the plaintiff had violated police department rules, and as a result he was disciplined.
The plaintiff sued the city, claiming that the inspection of his pager messages violated the constitutional prohibition of unreasonable searches and seizures, as well as the Stored Communications Act (SCA) and California law. A federal district court dismissed the plaintiff’s claims, but a federal appeals court ruled in the plaintiff’s favor. The city appealed to the United States Supreme Court.
The Supreme Court’s decision
The Court ruled unanimously that the police department’s inspection of the plaintiff’s pager messages did not violate any of his legal rights. It began its opinion by noting that it must
“proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer” since “the judiciary risks error by elaborating too fully on the … implications of emerging technology before its role in society has become clear. … Prudence counsels caution before the facts in [this] case are used to establish far-reaching premises that define the existence, and extent, of privacy expectations enjoyed by employees when using employer-provided communication devices.”
Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. [Many] employers expect or at least tolerate personal use of such equipment by employees because it often increases worker efficiency. … The law is beginning to respond to these developments, as some states have recently passed statutes requiring employers to notify employees when monitoring their electronic communications [citing statutes in Connecticut and Delaware]. At present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve. …
The Court [has] difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable. Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self-identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.
A broad holding concerning employees’ privacy expectations vis-à-vis employer-provided technological equipment might have implications for future cases that cannot be predicted. It is preferable to dispose of this case on narrower grounds. For present purposes we assume several propositions arguendo: First [the plaintiff] had a reasonable expectation of privacy in the text messages sent on the pager provided to him by the city; second, [the police department’s] review of the transcripts constituted a search within the meaning of the Fourth Amendment; and third, the principles applicable to a government employer’s search of an employee’s physical office apply with at least the same force when the employer intrudes on the employee’s privacy in the electronic sphere.
The Court concluded that the plaintiff arguably had a reasonable expectation of privacy in the text messages on his employer-provided pager even though the city’s Computer Policy stated that “users should have no expectation of privacy or confidentiality” when using city computers. The Court noted that it was possible that the supervisor’s statement to the plaintiff that an audit of his pager messages would be unnecessary if he paid for the overage could have reasonably caused the plaintiff to believe that his messages would remain private despite the terms of the Computer Policy.
However, the Court concluded that even if the plaintiff had a reasonable expectation of privacy in his text messages, the police department did not necessarily violate the Fourth Amendment by obtaining and reviewing the transcripts. Although as a general matter, warrantless searches “are unreasonable under the Fourth Amendment,” there are “a few specifically established and well-delineated exceptions” to that general rule, including the “special needs of the workplace.” The Court explained:
The search was justified at its inception because there were reasonable grounds for suspecting that the search [was] necessary for a noninvestigatory work-related purpose. [The police department] ordered the search in order to determine whether the character limit on the city’s contract with the wireless company was sufficient to meet the city’s needs. This was … a legitimate work-related rationale. The city and the police department had a legitimate interest in ensuring that employees were not being forced to pay out of their own pockets for work-related expenses, or on the other hand that the city was not paying for extensive personal communications.
The Court also ruled that the scope of the search of the plaintiff’s messages was reasonable:
Reviewing the transcripts was reasonable because it was an efficient and expedient way to determine whether the plaintiff’s overages were the result of work-related messaging or personal use. The review was also not excessively intrusive. Although the plaintiff had gone over his monthly allotment a number of times, the police department requested transcripts for only the months of August and September 2002. While it may have been reasonable as well for the department to review transcripts of all the months in which he exceeded his allowance, it was certainly reasonable for it to review messages for just two months in order to obtain a large enough sample to decide whether the character limits were efficacious. And it is worth noting that during his internal affairs investigation [the department] redacted all messages the plaintiff sent while off duty, a measure which reduced the intrusiveness of any further review of the transcripts.
The Court stressed that even if the plaintiff had a reasonable expectation that “some level of privacy would inhere in his messages,” it would not have been reasonable for him to conclude that his messages were “in all circumstances immune from scrutiny.” After all, he was told that his messages were subject to auditing, and as a result a reasonable employee would be aware that “sound management principles might require the audit of messages to determine whether the pager was being appropriately used.” Given that the city issued the pagers to SWAT team members in order to help them more quickly respond to crises, and that the plaintiff had received no assurances of privacy, he “could have anticipated that it might be necessary for the city to audit pager messages to assess the SWAT team’s performance in particular emergency situations.”
From the police department’s perspective, the fact that the plaintiff “likely had only a limited privacy expectation” lessened the risk that the review would intrude on highly private details of his life. The department’s audit of messages on the plaintiff’s employer-provided pager was “not nearly as intrusive as a search of his personal e-mail account or pager, or a wiretap on his home phone line, would have been.” That the search did reveal intimate details of the plaintiff’s life “does not make it unreasonable, for under the circumstances a reasonable employer would not expect that such a review would intrude on such matters. The search was permissible in its scope.”
The Court concluded:
Because the search was motivated by a legitimate work-related purpose, and because it was not excessive in scope, the search was reasonable. … For these same reasons—that the employer had a legitimate reason for the search, and that the search was not excessively intrusive in light of that justification—the Court also concludes that the search would be regarded as reasonable and normal in the private-employer context. … The search was reasonable, and the Court of Appeals erred by holding to the contrary.
The following aspects of the Quon case are of special significance to church leaders:
1. The general rule. Most importantly, the Supreme Court concluded that the search of the plaintiff’s pager messages by the city was reasonable, and therefore did not violate the Fourth Amendment guaranty against unreasonable searches and seizures. It applied a two-prong test in evaluating the reasonableness of the city’s actions:
- the city had a legitimate work-related reason for the search, and
- the search was not excessively intrusive in light of that justification.
Since the Fourth Amendment is a limitation upon government action, it has no direct application to churches and other religious organizations. However, the Supreme Court made clear that the “reasonable expectation of privacy” that is at the heart of the Fourth Amendment applies equally to the private employment context. It observed:
Because the search was motivated by a legitimate work-related purpose, and because it was not excessive in scope, the search was reasonable. … For these same reasons—that the employer had a legitimate reason for the search, and that the search was not excessively intrusive in light of that justification—the Court also concludes that the search would be regarded as reasonable and normal in the private-employer context. …
2. Application to churches. The Quon case provides church leaders with valuable guidance on the propriety of inspections of church-provided pagers, cell phones, and computers that are used by employees. According to the Supreme Court, such inspections may be legally justifiable if based on a “legitimate work-related purpose” and the search is not “excessively intrusive in light of that justification.”
“Over the past decade, there has been a technological revolution in the workplace as employers have increasingly turned to computer technology as the primary tool to communicate, conduct research, and store information. As the use of computer technology has increased, so has concern grown among employers that their computer resources may be abused by employees—either by accessing offensive material or jeopardizing the security of confidential information—and may provide an easy entry point into a company’s electronic systems by computer trespassers. As a result, companies have developed computer policies and implemented strategies to monitor their employees’ use of e-mail, the Internet, and computer files. National surveys have reported that many companies are engaged in such practices. Federal and state laws and judicial decisions have generally given private sector companies wide discretion in their monitoring and review of employee computer transmissions, including the Internet and e-mail. However, some legal experts believe that these laws should be more protective of employee privacy by limiting what aspects of employee computer use employers may monitor and how they may do so.” [From a Report by the General Accounting Office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
Key point. Some church employees own a laptop computer that they use, either occasionally or regularly, in their church office. The expectation of privacy is even higher for such computers, since they are owned by the employees.
3. Other cases. Several other courts have addressed workplace privacy in the context of nongovernmental and religious employers. Some of the leading cases are summarized below:
(1) United States v. Angevine, 281 F.3d 1130 (10th Cir. 2002)
A university professor was prosecuted for possession of child pornography that was found on his university-provided computer. A federal appeals court ruled that the professor had no legitimate expectation of privacy in his office computer since (1) the university had an extensive policy regarding computer use and provided explicit warnings that the computer would be inspected by university officials; and (2) the professor’s university-provided computer was connected to a computer network that was maintained by the university, and accessible by university employees.
The university computer-use policy reserved the right to randomly audit Internet use and to monitor specific individuals suspected of misusing university computers. The policy explicitly cautioned computer users that information flowing through the university network was not confidential either in transit or in storage on a university computer. The court concluded that the professor “could not have an objectively reasonable expectation of privacy,” and therefore it rejected his request to suppress evidence of child pornography at his trial. The court noted the following factors that destroyed a reasonable expectation of privacy in the workplace computer:
- The university had a computer policy that explicitly warned employees that university-owned computers were subject to inspection, and that “legal action” would result from any violation of federal law.
- The policy informed employees that university-owned computers were on a network, and that network administrators and others were free to view data downloaded from the Internet.
- University-owned computers displayed a splash screen warning of “criminal penalties” for misuse and of the university’s right to conduct inspections to protect business-related concerns.
- The university’s computer policy reserved ownership of not only its computer hardware but also the data stored on computers.
- Pornographic images seized by police were not within the professor’s immediate control since he had attempted to delete the files from his computer’s memory. Police only recovered the data through special technology unavailable to him.
- The professor did not take actions consistent with maintaining private access to the seized pornography. In particular, he downloaded child pornography through a monitored university computer network.
(2) Muick v. Glenayre Electronics, 280 F.3d 741 (7th Cir. 2002)
“[T]he abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.” Muick v. Glenayre Electronics, 280 F.3d 741 (7th Cir. 2002).
Another federal appeals court ruled that an employee had “no right of privacy” in the laptop computer his employer had “lent him for use in the workplace” because the employer had announced that it could inspect the laptop. The employee was arrested on charges of receiving and possessing child pornography in violation of federal law. At the request of federal law enforcement authorities, his employer seized from his work area the laptop computer it had furnished him for use at work and held it until a warrant to search it could be obtained. He was later convicted and imprisoned.
The employee sued his former employer, claiming that it violated the Fourth Amendment and invaded his privacy. The court concluded that the employee had no right of privacy in his employer-provided computer. It cautioned that it was possible for such a right to exist under some circumstances. For example, if an employer “equips the employee’s office with a safe or file cabinet or other receptacle in which to keep his private papers, he can assume that the contents of the safe are private.” But, the employer in this case
announced that it could inspect the laptops that it furnished for the use of its employees, and this destroyed any reasonable expectation of privacy that [the employee] might have had. … The laptops were [the employer’s] property and it could attach whatever conditions to their use it wanted to. They didn’t have to be reasonable conditions; but the abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.
(3) United States v. Ziegler, 456 F.3d 1138 (9th Cir. 2006).
A federal appeals court ruled that an employee did not have an expectation of privacy in his workplace computer, and therefore the police did not act improperly in accessing the computer and finding evidence of child pornography. The FBI received a tip that an employee (Ted) of a local business had accessed child-pornographic websites from his workplace computer. The company agreed to cooperate with the FBI in its investigation. Company employees entered Ted’s office at 10 PM one evening, opened his computer’s outer casing and made two copies of the hard drive. Forensic examiners at the FBI discovered many images of child pornography on the hard drive. Ted was later charged with several felony offenses pertaining to the possession and receipt of child pornography. Ted pleaded not guilty on the ground that the evidence that was being used against him was unlawfully obtained. The prosecutor insisted that an employee has no reasonable expectation of privacy in a workplace computer when the employee uses a computer paid for by the employer, Internet access is paid for by the employer, in an office where the employer pays the rent, and when the employer “has installed a firewall and a whole department of people whose job it was to monitor their employee’s Internet activity.”
The prosecutor conceded that Ted had a “subjective” expectation of privacy in the computer—“the use of a password on his computer and the lock on his private office door are sufficient evidence of such expectation.” But, “his expectation of privacy in his workplace computer must also have been objectively reasonable.” A federal district court concluded that this requirement was not met, and a federal appeals court agreed:
Though each computer required its employee to use an individual login, the employer had complete administrative access to anybody’s machine. It had also installed a firewall, which is a program that monitors Internet traffic from within the organization to make sure nobody is visiting any sites that might be unprofessional. Monitoring was therefore routine, and the employer reviewed the log created by the firewall on a regular basis, sometimes daily if Internet traffic was high enough to warrant it. Upon their hiring, employees were apprised of the company’s monitoring efforts through training and an employment manual, and they were told that the computers were company-owned and not to be used for activities of a personal nature. Ted, who has the burden of establishing a reasonable expectation of privacy, presented no evidence in contradiction of any of these practices. He does not assert that he was unaware of, or that he had not consented to, the Internet and computer policy.
The court noted that “other courts have scrutinized searches of workplace computers in both the public and private context, and they have consistently held that an employer’s policy of routine monitoring is among the factors that may preclude an objectively reasonable expectation of privacy.”
The court acknowledged that some courts had found a reasonable expectation of privacy in a workplace computer, but pointed out that in each of those cases the employer “failed to implement a policy limiting personal use of or the scope of privacy in the computers, or had no general practice of routinely conducting searches of the computers.” The court concluded:
Social norms suggest that employees are not entitled to privacy in the use of workplace computers, which belong to their employers and pose significant dangers in terms of diminished productivity and even employer liability. … The abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible. Employer monitoring is largely an assumed practice, and thus we think a disseminated computer-use policy is entirely sufficient to defeat any expectation that an employee might nonetheless harbor.
(4) TBG Insurance Services Corporation v. Superior Court, 117 Cal.Rptr.2d 155 (Cal. App. 2002)
A California court ruled that an employee who was fired for using his office computer to access pornographic websites on the Internet was barred from suing his employer for wrongful termination or invasion of privacy because he signed a “computer use agreement” giving his employer the right to inspect his computer and dismiss him for inappropriate or unauthorized use of the computer.
They discovered that the employee (“Bob”) had “repeatedly accessed pornographic sites on the Internet while he was at work.” The employee insisted that the pornographic Web sites were not accessed intentionally but simply “popped up” on his computer. He sued his employer, claiming that his employment had been wrongfully terminated. The employer asked Bob to return the home computer and cautioned him not to delete any information stored on the computer’s hard drive. In response, Bob acknowledged that the computer was purchased by his employer and said he would either return it or purchase it, but said it would be necessary “to delete, alter, and flush or destroy some of the information on the computer’s hard drive, since it contained personal information subject to a right of privacy.” The employer refused to sell the computer to Bob, and demanded its return without any deletions or alterations. Bob objected, claiming an invasion of his constitutional right to privacy.
The employer asked the court to compel Bob to return the computer, claiming that it had the right to discover whether information on the hard drive proved that Bob violated the computer use agreement that he signed. In particular, the employer argued that by accessing Bob’s home computer it could establish if he had visited sexually explicit websites at home, which would undermine his story that such sites “popped up” involuntarily on his office computer. Further, the employer insisted that Bob had no legitimate expectation of privacy in his computer in light of the computer use agreement that he signed. Bob claimed that he retained an expectation of privacy with regard to his home computer, despite the computer use agreement. He noted that the home computers were provided as a “perk” given to all senior executives, and that while they were provided in order to permit employees to work at home, it was understood that the home computers would also be used for personal purposes as well. He said his home computer was used by his wife and children, and that it “was primarily used for personal purposes and contains significant personal information and data” subject to his constitutional right of privacy including “the details of his personal finances, his income tax returns, and all of his family’s personal correspondence.”
A state appeals court agreed with the employer that it had the right to inspect Bob’s home computer. It concluded that any expectation of privacy Bob had in the information on his home computer was nullified by the computer use agreement he signed. It observed:
We are concerned in this case with the “community norm” within 21st century computer-dependent businesses. In 2001, the 700,000 member American Management Association (AMA) reported that more than three-quarters of this country’s major firms monitor, record, and review employee communications and activities on the job, including their telephone calls, emails, Internet connections, and computer files. Companies that engage in these practices do so for several reasons, including legal compliance (in regulated industries, such as telemarketing, to show compliance, and in other industries to satisfy “due diligence” requirements), legal liability (because employees unwittingly exposed to offensive material on a colleague’s computer may sue the employer for allowing a hostile workplace environment), performance review, productivity measures, and security concerns (protection of trade secrets and other confidential information). … According to the AMA Findings, four out of ten surveyed companies allow employees full and unrestricted use of office email, but “only one in ten allow the same unrestricted access to the Internet. Companies are far more concerned with keeping explicit sexual content off their employees’ screens than with any other content or matter.”
It is hardly surprising, therefore, that employers are told they “should establish a policy for the use of email and the Internet, which every employee should have to read and sign. First, employers can diminish an individual employee’s expectation of privacy by clearly stating in the policy that electronic communications are to be used solely for company business, and that the company reserves the right to monitor or access all employee Internet or email usage. The policy should further emphasize that the company will keep copies of Internet or email passwords, and that the existence of such passwords is not an assurance of the confidentiality of the communications. An electronic communications policy should include a statement prohibiting the transmission of any discriminatory, offensive or unprofessional messages. Employers should also inform employees that access to any Internet sites that are discriminatory or offensive is not allowed, and no employee should be permitted to post personal opinions on the Internet using the company’s access, particularly if the opinion is of a political or discriminatory nature.” For these reasons, the use of computers in the employment context carries with it social norms that effectively diminish the employee’s reasonable expectation of privacy with regard to his use of his employer’s computers.
The court noted that the computer use agreement gave Bob “the opportunity to consent to or reject the very thing that he now complains about, and that notice, combined with his written consent to the policy, defeats his claim that he had a reasonable expectation of privacy.” He knew that his employer could monitor the files and messages stored on the computers he used at the office and at home. He had the opportunity “to consent to the computer policy or not, and had the opportunity to limit his use of his home computer to purely business matters. To state the obvious, no one compelled Bob or his wife or children to use the home computer for personal matters, and no one prevented him from purchasing his own computer for his personal use. With all the information he needed to make an intelligent decision, Bob agreed to the company policy and chose to use his computer for personal matters. By any reasonable standard, he fully and voluntarily relinquished his privacy rights in the information he stored on his home computer, and he will not now be heard to say that he nevertheless had a reasonable expectation of privacy.”
(5) Jacobs v. Mallard Creek Presbyterian Church, 214 F.Supp.2d 552 (W.D.N.C. 2002)
A federal court in North Carolina dismissed a lawsuit brought by a pastor against his former church in which he claimed that the church had violated his rights under federal electronic privacy laws by searching his laptop computer for pornography. Formal allegations of misconduct were brought against the pastor during his tenure. These allegations included using his laptop computer in his church office to view pornography, and sexual relations with a female church member. The pastor denied any wrongdoing. Upon hearing of the allegations, members of the church’s investigation committee entered the pastor’s office and attempted to access information on his laptop computer. The pastor later resigned as a result of the allegations, and received a severance package. He then sued the church on the basis of several alleged wrongs, including a violation of the federal Electronic Privacy Act as a result of the church’s inspection of his church-provided computer. The court dismissed the lawsuit on the ground that it was barred by the First Amendment guaranty of religious freedom from resolving what it considered to be a dispute involving the qualifications of a minister.
(6) Fischer v. Mt. Olive Lutheran Church, Inc., 207 F.Supp.2d 914 (W.D. Wis. 2002)
In one of the few cases to address the liability of a church for the seizure and inspection of a staff member’s computer, a federal court in Wisconsin ruled that a church and its senior pastor, secretary, and business administrator, could be sued by a former youth pastor who was dismissed as a result of pornographic materials that were discovered on his office computer. The court ruled that the church’s actions may have violated the federal Electronic Communications Privacy Act, also known as the Wiretap Act, the Electronic Communication Storage Act, and in addition amounted to an invasion of privacy.
(7) In re Asia Global Crossing, Ltd., 332 B.R. 247 (S.D.N.Y. 2005)
A federal district court in New York developed a four-part test to “measure the employee’s expectation of privacy in his computer files and e-mail”:
(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
(8) Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
The New Jersey Supreme Court ruled that under some circumstances employees have a reasonable expectation of privacy in materials on their employer-provided computers despite an employer computer policy giving the employer the right to inspect its equipment. This case suggests that such policies may not overcome employees’ expectations of privacy in the contents on their employer-provided work computers. According to this court, and the cases it cited, here are the main factors to consider in deciding if an employee has a reasonable expectation of privacy in an employer-provided computer:
- Does the policy use general language that fails to specifically address personal e-mail accounts?
- Do employees have actual notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account?
- Does the policy warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by the employer?
- Does the policy contain an ambiguity about whether personal e-mail use is employer or private property? For example, does it state that e-mails are not to be considered private or personal to any individual employee but then acknowledge that occasional personal use of e-mail is permitted?
- Does the policy explicitly state that the employer would monitor the content of e-mail communications made from an employee’s personal e-mail account via the Internet whenever those communications were viewed on a company-issued computer?
- There is a lower expectation of personal privacy in e-mails transmitted via an employer’s e-mail account than web-based e-mails sent on the same company computer.
- The existence of a clear company policy banning personal e-mails can diminish the reasonableness of an employee’s claim to privacy in e-mail messages.
- Certain e-mail communications by employees have a higher expectation of privacy, such as exchanges with an attorney whose e-mails include a notice of privilege. A clearly written policy banning all personal computer use and providing unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system, would not be enforceable.
- Employees have a higher expectation of privacy in e-mails if they take steps to protect the privacy of those e-mails and shield them from their employer. For example, the expectation of privacy is higher if an employee uses a personal, password-protected e-mail account instead of a company e-mail address and does not save the account’s password on his or her computer.
- Certain e-mail communications have a lower expectation of privacy. For example, e-mails containing illegal or inappropriate material that are stored on an employer’s equipment, which might harm the company in some way, have a lower expectation of privacy. Examples include e-mails that may be deemed to constitute sexual harassment, or downloaded images from pornographic websites.
- Employees subject to computer policies that permit only incidental personal use of the Internet on an employer-provided computer may be disciplined for excessive use.
Key point. Note that prior cases must be interpreted and applied in light of the Supreme Court’s ruling in the Quon case.
4. The importance of a computer policy. The Supreme Court noted in the Quon case that the city’s computer policy was evidence that its inspection of pager messages was “not excessively intrusive.” This is an important reason for churches to adopt a computer policy that informs employees that computers, pagers, and cell phones provided by the church are subject to inspection, and that clarifies that employees have no expectation of privacy with respect to the content of such devices.
The Supreme Court did not say that the mere existence of such a policy will be conclusive evidence that an employer’s inspection of such devices will be reasonable. The contents of the policy, and the circumstances of each case, must be considered. But churches will be in a better legal position with such a policy than without one.
“The companies we reviewed all have written policies that included most of the elements recommended in the literature and by experts as critical to a company computer-use policy. There is a general consensus that policies should at least affirm the employer’s right to review employee use of company computer assets, explain how these computer assets should and should not be used, and forewarn employees of penalties for misuse. We also found that all companies disseminated information about these policies through their company handbooks, and most discussed their computer-use policies with new employees at the time of hire. In addition, some companies provided annual training to employees on company policies, and others sent employees periodic reminders on appropriate computer conduct.” [From a Report by the General Accounting Office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
There are several important issues that should be addressed in a church’s computer policy, including the following:
- The policy should only cover employer-owned and provided computers.
- The policy should clearly describe authorized and unauthorized use of church-provided computers, and give examples of both.
- The computer policy should describe the possible consequences of inappropriate use of church-provided computers.
- The policy should clearly authorize the employer to access, monitor, analyze, and inspect its computers at any time, with or without permission or advance notice. The policy should specify which officers or employees are authorized to inspect church-owned computers. These may include the senior pastor, board members, church administrator, denominational officials, law enforcement officials, computer specialists (whether or not employed by the church), or anyone authorized by the senior pastor or board.
- The policy should state that employees have no “expectation of privacy” in their church-provided computer, or its contents.
- The policy should advise employees that the church will cooperate fully with law enforcement officers in the detection of criminal activity involving church-provided computers.
- All church-provided computers should have a start screen that reminds employees of the terms of the employer’s computer policy.
- The policy should explain the work-related justifications for the employer’s right to access computers. These may include some or all of the following, depending on the circumstances: (1) monitoring inappropriate or illegal use of the Internet; (2) monitoring excessive use of the Internet; (3) access to information on employees’ computers in their absence; (4) preventing copyright violations by employees who copy computer software without authorization; (5) minimizing the risk of computer viruses; (6) updating church-owned software; (7) detection of communications among employees that may constitute sexual or other forms of harassment for which the church may be liable.
- Explain the policy to all new employees at the time of hiring.
- Have all new employees sign a statement acknowledging that they understand and agree to the policy “in consideration of their employment.” Alternatively, they can sign a statement agreeing to be bound by the church’s employee policy manual, if it contains the church’s computer policy.
- It is not clear whether a church’s computer policy can apply to current employees unless the church provides them with something of value in return for their consent to the policy. This is a result of the basic principle of contract law that no contractual commitment is binding unless a party receives something of value in exchange for his or her commitment. This problem may be avoided by having current employees sign a written form (agreeing to the policy) at the time they receive a pay raise. This is an issue that should be addressed with a local attorney.
- The computer policy should state that the church retains ownership of both its computers and the data stored on them.
Key point. According to the Quon case, a computer policy, by itself, will not necessarily overcome an employee’s reasonable expectation of privacy in the contents of an employer-provided computer or cell phone. Inspections of employer-provided computers and cell phones will be justified only if based on a legitimate work-related purpose, and if not unreasonably intrusive.
“From our review of the literature and discussions with legal experts, privacy advocates, and business consultants, we identified common elements that should be included in company computer-use policies. These experts generally believed that the most important part of a company’s computer-use policy is to inform employees that the tools and information created and accessed from a company’s computer system are the property of the company and that employees should have no ‘expectation of privacy’ on their employers’ systems. Courts have consistently upheld companies’ monitoring practices where the company has a stated policy that employees have no expectation of privacy on company computer systems. The experts also agreed computer-use policies should achieve other company goals, such as stopping release of sensitive information, prohibiting copyright infringement, and making due effort to ensure that employees do not use company computers to create a hostile work environment for others. Finally, according to experts, employees should clearly understand the consequences for violating company computer policies. For example, one company’s computer-use policy states that ‘violators [of company Internet/Intranet use policy] are subject to disciplinary action up to termination of employment and legal action.’” [From a Report by the General Accounting Office to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, September 2002.]
The U.S. General Accounting Office has prepared a table (Table 8-6) identifying the key elements of a computer-use policy. While the table leaves out some important elements, it nonetheless is a valuable resource from a reputable source.
5. Federal and state legislation pertaining to workplace privacy. Congress, and several state legislatures, have enacted legislation that may expose employers to liability for nonconsensual searches of employer-provided computers.
Electronic Communications Privacy Act
The federal Electronic Communications Privacy Act, also known as the Wiretap Act, prohibits the intentional interception of “wire, oral or electronic communications.” The Act defines an “interception” as “the acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
The federal Wiretap Act provides that “consent” is a defense to criminal liability:
It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State. 18 USCA 2511(2)(d).
The Act specifies that those who violate the Act “shall be fined under this title or imprisoned not more than five years, or both.” The Act also specifies that persons whose telephone or other electronic communications are intercepted in violation of the Act may sue the perpetrator for money damages. Private lawsuits must be filed within two years “after the date upon which the claimant first has a reasonable opportunity to discover the violation.”
Electronic Communication Storage Act
The Electronic Communications Storage Act, also known as the Stored Communications Act, was added to the Wiretap Act in 1986. The Act specifies that “whoever (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system” violates the Act. “Electronic storage” is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”
Very few courts have applied the Electronic Communications Storage Act to an employer’s access to an employee’s email account. From the limited precedent, it would appear that an employer does not violate the Act by accessing emails on a computer after they have been downloaded by an employee to his or her hard drive. The Act is violated when an employer accesses without consent an employee’s email account directly on the “electronic communication service provider” (such as Hotmail) and in addition “obtains, alters, or prevents authorized access” to an electronic communication “while it is in electronic storage in such system.” While a church may not violate the Act when it accesses an employee’s email after it has been downloaded to the employee’s computer hard drive, it may invade the employee’s privacy by doing so (as noted above).
Key point. Church leaders should not access church-owned computers or cell phones without first consulting with a local attorney.
Computer Fraud and Abuse Act
Under the federal Computer Fraud and Abuse Act, anyone who “intentionally accesses a computer without authorization … and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication” may have violated the Act. However, in order to maintain a civil action under the Act, an employee must have suffered “damage or loss” by reason of a violation. “Damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information that … causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.” Damages are limited to economic damages. The Act does not define a “loss,” but the courts have interpreted it to cover “remedial expenses.”
State electronic privacy laws
The Supreme Court, in the Quon case, noted that some states have recently passed statutes requiring employers to notify employees when monitoring their electronic communications. It referred to laws in Connecticut and Delaware. Church leaders should be familiar with legislative developments in their state pertaining to workplace privacy.