Five Ways IT Can Avoid a Privacy Lawsuit

Lieutenant Steve Duke, a commander with the Ontario, Calif., Police Department, never intended to be a bill collector.

But two years into the police department's contract with a firm that provided text messaging services, Duke found himself regularly requesting that some officers pay the per-character overage fee for the wireless service, according to a recent ruling in a lawsuit against the police department. The Ontario Police Department had settled on a 25,000 character monthly limit with provider Arch Wireless, yet some officers were exceeding the limit by up to 15,000 characters. The department's solution: If you pay for the overages, they would not audit your communications to determine what portion was for legitimate business use.

Yet, Duke had become fed up with asking for officers to pay for their overages. Along with the chief of police, the lieutenant decided to audit one of the workers that had exceeded the limit to find out whether excessive personal use of the wireless devices was responsible, according to the lawsuit ruling. In doing so, the police department violated the officer's privacy rights as well as the rights of at least three people with whom he had communicated, the U.S. Court of Appeals for the Ninth Circuit ruled last month.

The court case serves up a number of lessons for CIOs regarding how to handle communications monitoring, the dangers of not having a privacy policy and whether third-party communications services serve up unwanted liability. (For a look at related privacy issues that should be on your radar screen, see "IT and the Changing Privacy Landscape: Eight Areas to Watch in '08".

1. Set expectations of privacy

The first lesson for CIOs is that an informal privacy is as binding as a written one.

Duke had already communicated an informal privacy policy to the department's employees essentially guaranteeing their privacy, as long as they paid their bills. His frustration in dealing with the overages came to a head in 2003 when Sergeant Jeff Quon, a member of the police department's SWAT team, exceeded the limit for the fourth time in two years, according to court filings.

"He told Sergeant Quon it was not his intent to audit employee's [sic] text messages to see if the overage is dues to work related transmissions," a police investigator wrote in a memo describing the investigation in Quon's usage of the text-message device. "He advised Sergeant Quon he could reimburse the city for the overage so he would not have to audit the transmission and see how many messages were non-work related."

While many companies have privacy policies that explicitly allow the monitoring of employees, the heart of the case hinges on the police department's lack of a policy regarding the text-messaging service, says Sinan Aral, a professor of information, operations and management sciences at New York University's Stern School of Business and an affiliated professor at the Massachusetts Institute of Technology's Sloan School of Management.

"The ruling reaffirms that employers can override an employees expectation of privacy by an explicit policy stating so, as long as it is explicit, written and unambiguous," Aral says.

Subscribe to the Daily Downloads Newsletter

Comments