The Catholic University of America

TOPIC:

Business Vs. “Nobody’s Business”: Searches Of Employer-Issued Technology And The University Employee’s Expectation Of Privacy

 


INTRODUCTION:

Both the Supreme Court and society at large have come to agree that employees should enjoy a certain reasonable expectation of privacy in their workplace effects and correspondence. [1] Yet there may be occasions when employers need to monitor employees or search their correspondence in order to control the workplace and manage the risks of the organization – a reality the Supreme Court has also recognized. [2]

Along with these competing interests, the proliferation of employer-issued technology [3] has significantly altered the notion of privacy in the workplace. Employer-issued laptops, smart phones, and mobile devices allow employees to work from the road or from home, and have blurred the boundaries between personal and workplace communications. Where it may have been clear in the past that a letter addressed to an employee carried an expectation of privacy, [4] the line may not be as clear with respect to a personal text message or email sent on an employer-issued smart phone. This new reality makes it more challenging to determine the reasonableness of an employer’s search and the scope of privacy in the workplace. Likewise, even if the employee uses her own device, she may be sending employment-related information in the form of electronic mail, documents, and texts. The intermingling of ownership and other supervisory authorities vested in both data and devices, together with shifting notions of personal privacy, have generated considerable confusion about the boundaries of the law.

For public institutions, the Fourth Amendment protects employees from unreasonable searches. Private institutions, though free from the strictures of the Fourth Amendment, may nonetheless have to abide by state constitutional provisions and laws that protect employees from unreasonable invasions of privacy by private employers. But, in the context of technology searches, the Supreme Court has been purposefully vague in defining what is “unreasonable.”

What is clear is that, while technological dimensions cannot be ignored, it is the institution’s policy that will govern the outcome of a privacy determination. Thus, public and private institutions must ensure that clear and conspicuous policies are in place. In the absence of a specific policy, the institution’s practice will then serve as a proxy in making privacy determinations.

This NACUANOTE will provide an overview of selected privacy laws and cases affecting technology in the workplace and offer suggestions for how the college or university employer can best supervise, control, and operate an efficient workplace without unreasonably invading employee privacy.

 

DISCUSSION:

Communication is in the midst of a technological revolution. Text messages and emails have begun to displace landline telephone calls, letters, and even face-to-face interaction as the dominant means of communication. While the methods of communication may be changing, their characteristics may still give rise to expectations of privacy that are virtually identical to, and just as reasonable as, the privacy expectations associated with messages transmitted via more traditional media.

I. The Fourth Amendment and the Workplace

The Fourth Amendment of the U.S. Constitution protects the right of people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures. It applies not only to traditional searches and seizures by police, but to “searches and seizures by government employers or supervisors of the private property of their employees.” [5] This includes searches by public college and university employers. [6] The critical question, then, is what makes an employer’s search “unreasonable” and therefore unlawful under the Fourth Amendment?

In simplest terms, the answer involves a balancing test between an employee’s reasonable expectation of privacy and the employer’s need to conduct the search and obtain information. [7] And, while the Supreme Court cases below provide an instructive framework for balancing these competing interests, there are still no bright line rules with respect to technology searches.

A. The Original Benchmark for Workplace Searches: O’Connor v. Ortega

The Court’s plurality decision in O’Connor v. Ortega was its first attempt to reconcile privacy rights with workplace searches and has served as the seminal workplace privacy case for over 20 years. In reviewing a public employer’s search of an employee’s office and file cabinets, the Court first recognized that there exists a valid “societal expectation[] of privacy in one’s place of work.” [8] But the Court also noted that public employers may need to make reasonable work-related intrusions and conduct investigations into possible work-related misconduct, in order to ensure an effective and efficient workplace. [9] Thus, in determining what workplace searches would be considered “reasonable,” the Court set forth two enduring principles.

First, the court must determine whether an employee had a legitimate expectation of privacy to begin with. This is because “some government offices may be so open to fellow employees or the public that no expectation of privacy is reasonable.” [10] Thus, a court must consider the “operational realities of the workplace,” and whether the employee’s privacy expectation is diminished “by virtue of actual office practices and procedures, or by legitimate regulation.” [11] In O’Connor, the Court found that the employee did have a reasonable expectation of privacy in his desk and file cabinets, as he did not share them, all files related to other employees were kept outside of his office, and he had occupied the same office for 17 years.

Second, the Court held that even if a reasonable expectation of privacy exists, an employer may still conduct the search as long as the purpose of the search is legitimate at its inception and the scope of the search is reasonably related to the employer’s objectives. [12] The Court declined to make these determinations (instead remanding the case for further consideration), but O’Connor established an analytical framework that courts still use today.

B. Workplace Searches Revisited: City of Ontario v. Quon

In the face of continuous technological change over the past two-plus decades, the Supreme Court revisited employee workplace privacy issues in its 2010 decision, City of Ontario v. Quon. [13] At issue in Quon was the City of Ontario Police Department’s search of its employee’s text messages on his employer-issued pager. [14] Quon had been warned that the City had a policy under which it reserved the right to monitor and log all network activity, including text messages, email and internet use, with or without notice to employees. The policy further stated that “users should have no expectation of privacy or confidentiality when using these resources.” [15]

After Quon exceeded his set monthly text allowance multiple times, his supervisor requested transcripts of the texts to determine whether the overages were occurring as a result of Quon’s personal use of the pager, as opposed to proper work-related use. The resulting search revealed personal messages to Quon’s wife and an alleged mistress.

After learning that the city had searched his text messages, Quon sued the City of Ontario, alleging that the search violated his Fourth Amendment rights, the Stored Communications Act, and other state laws. A federal district court determined that while Quon had a reasonable expectation of privacy in the content of his text messages, the City of Ontario had a legitimate purpose for undertaking the search. The Ninth Circuit reversed, reasoning that even if the search was conducted for a legitimate reason, it was unreasonable in scope because the City of Ontario failed to use less intrusive means.

On review, the Supreme Court unanimously reversed the Ninth Circuit’s decision and found that the scope of the City’s search was indeed reasonable. [16] In so finding, the Court noted as a preliminary matter that employers are not required to use the “least intrusive search practicable” under the Fourth Amendment. [17] Next, the Court found that the scope of the search was reasonable because, among other things, the employer limited the search to only two months of text messages and excluded from the search any text messages sent outside work hours, demonstrating that the employer was trying not to intrude on Quon’s personal privacy.

Just as important as what the Court ruled upon, however, was what the Court specifically declined to address. Namely, the Court declined to address the first of the O’Connor principles – i.e. whether Quon had a reasonable expectation of privacy in his text messages. Because the Court found that the second prong of O’Connor was satisfied (the purpose of the search was legitimate at its inception, and the scope was reasonably related to the employer’s objectives), the search was valid regardless of whether Quon had a reasonable expectation of privacy in his texts. The Court explained its hesitation to create a firm rule regarding an employee’s expectation of privacy in text messages:

The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear. . . . Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior. . . . At present, it is uncertain how workplace norms, and the law’s treatment of them, will evolve. . . . A broad holding concerning employees’ privacy expectations vis-à-vis employer-provided technological equipment might have implications for future cases that cannot be predicted. [18]

With that, the Supreme Court effectively confirmed that a public employee’s expectation of privacy in communications on employer-issued technology will depend in large part upon employer policies and practices and legitimate regulation. Once again, it is important to emphasize that no such federal constitutional expectation of privacy exists for employees of private entities.

C. Lower Court Decisions Focus on Workplace Policies

While Quon and O’Connor made clear that public employees’ expectations of privacy can be reduced or expanded by “the operational realities of the workplace,” [19] neither opinion provided clear guidance as to the level of privacy, if any, a public employee can expect in employer-issued technology. [20] Lacking this guidance, and grappling with the fact that operational realities are frequently changing with technology, lower courts have come to rely heavily on stated policies and procedures with regard to technology. For example, the employee may retain an expectation of privacy when employer policies are imprecisely worded or inconsistently enforced:

?  

In Leventhal v. Knapek, the Second Circuit found that a public employee had a reasonable expectation of privacy in his work computer and matters contained therein despite the employer’s official policy prohibiting the use of state equipment for personal business. The court noted that the employee did not share his computer with anyone, there was no general practice of the public employer to routinely search employee computers, and the employer had not made clear that employees lacked privacy rights in what was stored in the computers. [21] Importantly, the Court’s decision emphasized that the employer’s practice was determinative and operated as a de facto policy.

?  

In Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court held that an employee has a reasonable expectation of privacy in communications with her lawyer via a personal, password-protected email account, even if accessed on an employer-issued computer. [22] In addition to preserving the sanctity of the attorney-client privilege, the Court found that Stengart had a subjective expectation of privacy because she took steps to protect her emails, sending them from her personal, password-protected account and not saving her password to the employer-issued computer. [23] Also importantly, the Court concluded that the employer’s email policy was unclear and permitted “occasional personal use,” thereby creating ambiguity as to whether personal email was employer or private property. [24] In holding that Stengart had a reasonable expectation of privacy, the New Jersey Supreme Court recognized the employer’s practice as a proxy for an explicit policy.


By contrast, where there are clear, explicit, and reasonable policies, lower courts have declined to recognize a reasonable expectation of privacy in employee emails and other documents and records created on employer-issued technology. [25]

?  

The Fourth Circuit held in United States v. Simmons [26] that a government employee lacked a legitimate expectation of privacy in the files he downloaded from the internet because of a workplace policy. In a routine security check of the workplace firewall protection, the employer discovered Simmons had downloaded material unrelated to government business despite an explicit policy stating the employer would audit or monitor “all file transfers, all websites visited, and all email messages.” [27]

?  

In Biby v. Board of Regents of the Univ. of Nebraska, [28] the Eighth Circuit reviewed a case in which the public university employer had a policy informing computer users “not to expect privacy if the employer has a legitimate reason to conduct a search,” specifically including searches “responding to a discovery request in the course of litigation.” [29] The University sought to produce files from Biby’s computer in response to a discovery request, and Biby claimed the search violated his Fourth Amendment rights. [30] In light of the policy, the court found that Biby failed to show he had a reasonable expectation of privacy in his computer files. [31] Moreover, in the context of discovery and in anticipation of litigation, Biby also underscores the importance of circulating litigation-hold letters notifying employees of not only the requirement to preserve information contained on employer-issued technology such as smartphones, cell phones, computers, laptops, pagers, or tablets, but also the prospect that such information may be searched by the employer. In sum, the lesson of Biby is twofold: (1) A well balanced policy provides an employer with greater leverage to conduct a search, especially in the context of litigation; and (2) litigation-hold letters are necessary to notify employees that information contained on employer-issued technology may be searched in furtherance of discovery requests related to pending litigation.

?  

The Tenth Circuit held in United States v. Angevine [32] that a public university professor had no legitimate expectation of privacy in pornographic files stored on his computer where the university’s computer policy stated: “The contents of all storage media owned or stored on University computing facilities are the property of [the] University,” and “[T]he University reserves the right to view or scan any file or software stored on the computer or passing through the network, and will do so periodically . . . to audit the use of University resources.” [33] It is important to emphasize that this case arose out of criminal conduct. In this respect, the additional lesson here is that should an institution suspect criminal wrongdoing through employer-issued technology, the matter should be forwarded to campus or local police so that law enforcement can initiate an investigation and utilize subpoena power and/or obtain a warrant.


In short, and irrespective of the technology, these decisions confirm that where there is an explicit policy setting forth terms under which technology and facilities are monitored, the balancing of privacy interests weighs heavily in favor of the employer.


II. Federal Statutes Affecting Privacy in the Workplace

While Fourth Amendment claims are germane only to public institutions, public and private institutions alike must abide by federal laws protecting employee privacy in the workplace. Most applicable to employer-issued technology would be the Electronic Communications Privacy Act of 1986 (“ECPA”) and one of its subparts, the Stored Communications Act.

The ECPA prohibits the unauthorized interception, acquisition, disclosure, or use of the contents of any oral, wire, or electronic communications. [34] Despite this seemingly broad prohibition, the ECPA contains a number of exceptions under which an employer may lawfully intercept or search employee communications. For instance, under the “service provider exception,” if the employer itself is providing the wire or electronic communications service – as many colleges and universities do – the employer may intercept communications sent over that service in the normal course of business in order to protect the employer’s rights or property. [35] Additionally, the “consent” exception permits an employer to lawfully intercept a communication where one of the parties to the communication has given consent. [36] Importantly, consent need not be express – it may be implied if the party knows there is a policy of monitoring or intercepting the communications at issue. [37] It should be noted that the Stored Communications Act [38] extends the reach of the ECPA to prohibit unauthorized access of any stored wire or electronic communications, including emails or voicemails. Like the ECPA, it is subject to the service provider and consent exceptions. [39]

There is a great deal of uncertainty as to how ECPA is applied in the context of technology-based privacy. One reason for the current disconnect between privacy expectations and the statutory protections of the ECPA is that the legislation was drafted in the early stages of internet and email technology that has fundamentally changed the way we communicate, store, and use information. The courts have thus been confounded by the ECPA, and because of broad exemptions contained in the ECPA and the SCA, commentators generally agree that the federal statutes are ineffective in providing employees with any privacy protections relative to work-related email messages and other forms of electronic communications. [40] In light of the uncertainty surrounding the ECPA and the SCA, it is imperative for an institution to create its own policy in order to minimize potential liability, though with an understanding that employer policies cannot take precedence over ECPA requirements.


III. State Constitutions and Statutes Affecting Privacy in the Workplace

Many states also have provisions in their own constitutions and statutes that go beyond the protections of the Fourth Amendment. [41] Indeed, some state constitutions expressly grant an individual right to privacy. [42] For example, the Illinois Constitution provides: “The people shall have the right to be secure in their persons, houses, papers and other possessions against unreasonable searches, seizures, invasions of privacy or interceptions of communications by eavesdropping devices or other means.” [43] California courts have held that the California Constitution goes even further; creating an inalienable right to privacy that can be enforced against both government and private actors. [44] Thus, it is possible that state courts could require employers to meet a higher standard for protecting an employee’s privacy under a state constitution than would be required under the Fourth Amendment.

Some states have also enacted statutes requiring notice of employer monitoring activities. For example, a Delaware statute provides that employers shall not monitor telephone, email, or internet usage unless notice is given to the employee every day that these resources are accessed, or the employee acknowledges such a policy. [45] A similar Connecticut statute requires that employers provide notice of their monitoring policy “in a conspicuous place which is readily available for viewing by its employees.” [46] In Illinois, public employers are subject to the Illinois Eavesdropping Act, [47] which prohibits recording either private or public conversations without consent of all parties. It should be noted, though, that courts have held that employees “impliedly consent” to such monitoring if they are aware of an employer’s policy to monitor employee communications. [48] Again, this demonstrates that employers need to adopt policies clarifying that the employer has a right to monitor employee emails, text messages, and internet usage on employer-owned devices.


IV. Common Law Privacy Claims

Beyond legislative and regulatory efforts, the common law provides a small amount of protection to employees against excessive monitoring. Even in states where there is no constitutional or statutory right to privacy, an employee may be able to sue his employer under a common law invasion of privacy theory, most likely unreasonable intrusion upon seclusion. [49] According to the Restatement (Second) of Torts, “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” [50] In order to intentionally intrude upon the seclusion of another, the employer must have "penetrated some zone of physical or sensory privacy . . . or obtained unwanted access to data" by electronic or other covert means, in violation of the law or social norms. [51]

While employees may be able to find protection under the common law tort of “invasion of privacy” or “intrusion upon seclusion,” courts are in conflict about whether an employee has any reasonable expectation of privacy in electronic communications that are facilitated by use of their employer's equipment. [52] As with claims under the Fourth Amendment, courts considering common law invasion of privacy claims will typically weigh the interest of the employer in conducting the search against the employee’s privacy interests. Even if employees can establish a privacy expectation, they still may lose, in most cases, if the legitimate business interests of the employer outweigh their privacy interest. [53]

On the whole, courts are less likely to find for the employee in these tort suits when the monitoring is conducted on or within employer property. And, just as a strong, clear technology monitoring policy can diminish an employee’s legitimate expectation of privacy under the Fourth Amendment, it can also undercut an employee’s assertion that a search was “offensive to a reasonable person” under common law theories.


V. Open Records Laws Diminish Employee Expectations of Privacy

For public institutions, freedom of information laws can also diminish an employee’s privacy interest in information conveyed via employer-issued technology. The language of such laws varies by state but typically provides that public entities shall make their public records available to any person for inspection or copying, except where specifically exempted by law. [54] Such laws are grounded in the principle that the public should be able to access public records and information about the workings of their government. [55]

Importantly, most state freedom of information laws include exemptions for materials which, if released, would constitute an unwarranted invasion of privacy. Nonetheless, most documents created by a public employee for his or her own use may still constitute public records that the employer is obligated by freedom of information laws to preserve and disclose.

The Illinois Attorney General recently issued an opinion on this very issue, holding that electronic records relating to the transaction of government business are “public records” subject to disclosure under the Illinois Freedom of Information Act, even if the communication was generated on a public official’s personal electronic device or email account. [56] The request specifically sought “[a]ll electronic communications, including cell phone text messages, sent and received by members of the city council and the mayor during city council meetings and study sessions . . . .” [57] The requester clarified that his request applied to “city-issued and personal cell phones, city-issued or personal email addresses and Twitter accounts.” [58] In her opinion, the Attorney General explained that because the communications requested in the FOIA were “prepared by or used by one or more members of a public body in conducting the affairs of government,” they were subject to FOIA.

In view of this opinion and state freedom of information laws, it seems that when an employer specifies that communications using employer-issued technology are public records, subject to monitoring and auditing pursuant to freedom of information laws, the employee (or public official) cannot show that he or she expected the messages to be private or that society would treat as reasonable any such expectation.


VI. Practical Tips

In light of the foregoing, it is clear that while college and university employees may rightfully expect a certain degree of privacy in their communications and documents stored on employer-issued technology, institutions also have the right to limit those privacy expectations through policies and practices designed to effectively and efficiently manage the workplace. Colleges and universities should therefore consider the following practical tips:

1.  

Enact policies explicitly stating that (a) the institution reserves the right to monitor, inspect, or audit any communications made using employer-issued technology, or any data stored on such technology; (b) all such communications or data are property of the institution; and (c) the employee has no expectation of privacy in such communications or data.

2.  

Remember that vague, general, or unenforced policies may lead to employees having a greater expectation of privacy.

3.  

For public colleges and universities, provide notice that any and all communications made via employer-issued technology are subject to review according to state freedom of information laws.

4.  

Consider policies and procedures that prohibit university officials from conducting institutional business through personal electronic devices and email accounts.

5.  

Consider state as well as federal laws, recognizing that many state constitutions and statutes provide greater privacy protection than the U.S. Constitution and federal law.

6.  

Remember that even with a clear policy, searches cannot be unreasonable. Thus, when conducting searches, audits, or monitoring activities, identify the work-related reason for the search, and tailor the scope of the search to that reason, to avoid unnecessary litigation.

7.  

In the event criminal wrongdoing is suspected, forward the matter to the campus or local law enforcement so that a warrant can be obtained to conduct a search.

 


CONCLUSION:

The Supreme Court has made clear that employee expectations of privacy will differ in significant ways depending on the specific case and workplace involved. The underlying premise of O’Connor and, more recently, Quon is that both public and private colleges and universities must be clear and consistent with policies concerning privacy and the acceptable use of employer-issued technology. By establishing such policies in compliance with state and federal law, the employer eliminates any subjective expectation of privacy that conflicts with those terms.


FOOTNOTES

 

AUTHOR:

Jeffrey M. Brown, former University Counsel, Northeastern Illinois University

 


RESOURCES:

?  

Wendi S. Lazar, Lauren E. Schwartzreich, Employee Privacy Rights: Limitations to Monitoring, Surveillance and Other Technological Searches in the Private Workplace, Practising Law Institute, PLI Order No. 29714 (2011).

?  

Jill L. Rosenberg, Is Big Brother Watching: Monitoring Employee Communications and Employee Privacy, Practising Law Institute, PLI Order No. 29714 (2011).

?  

Alexander I. Rodriguez, All Bark, No Byte: Employee E-Mail Privacy Rights in the Private Sector Workplace, 47 Emory L.J. 1439 (1998).

 

Permitted Uses of NACUANOTES Copyright and Disclaimer Notice

 

View this document in PDF or Word

NACUANOTES Homepage| NACUANOTES Issues
Contact Us | NACUA Home Page

"To advance the effective practice of higher education attorneys for the benefit of the colleges and universities they serve."