Security

Supreme Court to Rule on Employee Privacy

The Supreme Court of the United States has agreed to hear a case related to the expectation of privacy in the workplace. The case in question involves public employees, but the decision could have consequences that reverberate to private organizations as well, and impact efforts to maintain regulatory compliance.

Supreme Court decision could affect just how much employers are allowed to monitor employee communications
Police officers in California sued the Ontario police department after learning that the police chief had read text messages sent from their department-issued devices, some of which were sexually-explicit messages sent to personal contacts.

The police officers won the initial lawsuit, and that decision was upheld by the U.S. 9th Circuit Court of Appeals. The appellate decision was deeply divided, though, with the dissenting justices declaring the decision "contrary to the dictates of reason and common sense."

It is routine for companies and agencies to inform employees that there is no expectation of privacy when using company-owned equipment or resources. The city of Ontario, CA lets workers know up front that it "reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice."

In this particular case, personal use of department-owned equipment was condoned, but there was no indication that allowing personal use in any way negated the right of the city of Ontario to monitor that activity. The appeals court, however, sided with the officers and maintains that they had a "reasonable expectation of privacy" for their text messages.

If upheld by the Supreme Court, the decision could have repercussions impacting compliance efforts. Regulatory mandates such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), and GLBA (Gramm-Leach-Bliley Act) contain guidelines requiring that companies ensure certain information is protected, and that communications be archived for a certain period of time.

Companies can't meet some of these compliance requirements if the courts uphold an employee's right to privacy while using company equipment.

As it is, there is a growing trend for employers to simply pay for or subsidize the expenses of employees' personal mobile phones, or even personal computer equipment. The practice kills two birds with one proverbial stone: users don't have to carry around two and three devices that all do the same thing, and companies can save money and the headache of maintaining the equipment inventory.

Businesses have to balance compliance requirements, privacy concerns, and budgetary concerns that are often at odds with one another. Depending on which way the Supreme Court rules, it may not be possible to achieve all three simultaneously.

The U.S. 9th Circuit Court of Appeals summed it up by acknowledging the unique issues involved in this case, noting the "recently minted standard of electronic communication via e-mails, text messages and other means opens a new frontier in Fourth Amendment jurisprudence that has been little explored."

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.

Subscribe to the Security Watch Newsletter

Comments