Five Ways IT Can Avoid a Privacy Lawsuit
Lieutenant Steve Duke, a commander with the Ontario, Calif., Police Department, never intended to be a bill collector.
But two years into the police department's contract with a firm that provided text messaging services, Duke found himself regularly requesting that some officers pay the per-character overage fee for the wireless service, according to a recent ruling in a lawsuit against the police department. The Ontario Police Department had settled on a 25,000 character monthly limit with provider Arch Wireless, yet some officers were exceeding the limit by up to 15,000 characters. The department's solution: If you pay for the overages, they would not audit your communications to determine what portion was for legitimate business use.
Yet, Duke had become fed up with asking for officers to pay for their overages. Along with the chief of police, the lieutenant decided to audit one of the workers that had exceeded the limit to find out whether excessive personal use of the wireless devices was responsible, according to the lawsuit ruling. In doing so, the police department violated the officer's privacy rights as well as the rights of at least three people with whom he had communicated, the U.S. Court of Appeals for the Ninth Circuit ruled last month.
1. Set expectations of privacy
The first lesson for CIOs is that an informal privacy is as binding as a written one.
"He told Sergeant Quon it was not his intent to audit employee's [sic] text messages to see if the overage is dues to work related transmissions," a police investigator wrote in a memo describing the investigation in Quon's usage of the text-message device. "He advised Sergeant Quon he could reimburse the city for the overage so he would not have to audit the transmission and see how many messages were non-work related."
While many companies have privacy policies that explicitly allow the monitoring of employees, the heart of the case hinges on the police department's lack of a policy regarding the text-messaging service, says Sinan Aral, a professor of information, operations and management sciences at New York University's Stern School of Business and an affiliated professor at the Massachusetts Institute of Technology's Sloan School of Management.
"The ruling reaffirms that employers can override an employees expectation of privacy by an explicit policy stating so, as long as it is explicit, written and unambiguous," Aral says.