Every U.S. private and public sector employer should develop, maintain and enforce an effective, appropriate workplace technology-acceptable-use policy (“TAUP”). In large part, a TAUP is a no-expectation-of-employee-privacy (“NoEEP”) policy. Thus, to strive for maximum defensibility, every employer should keep up on two key tasks. First, it should have a coherently written acceptable-use policy adapted to modern technologies. Second, it should train – and periodically remind/re-train – its managers of the do’s and don’ts of consistent, appropriate enforcement.
The U.S. Supreme Court decision in City of Ontario v. Quon, 130 S. Ct. 2619 (June 17, 2010) culminated a long, cautionary tale with many lessons. The key Quon defendant (a public sector employer) ultimately succeeded in fending off a Fourth Amendment challenge to enforcement of its acceptable-use policy when it reviewed the contents of a police officer’s text messages (to his wife and his mistress) sent on a city-issued pager.
Yet the years of litigation could have been avoided if the employer, the city of Ontario, had been more disciplined in its written policy maintenance and less reckless in its policy-enforcement approach.
For a full discussion of the legal reasoning of the U.S. Supreme Court in Quon, see Brownstone eWorkplace Materials II, at 20-24 (.pdf pp. 25-29). For employees, Quon’s enduring lessons are: be mindful of what one commits to writing; and do one’s best to erect a divide between one’s personal and work-related communications. For employers — both in the public and private sectors — please read on below for my TopTen post-Quon Taup tips.
10. Have a clear, bold, highlighted written provision covering – at least as to U.S. employees (EU countries’ privacy laws are much more employee-friendly) – NoEEP as to all information created, stored, received or transmitted on or by any system or device provided by the employer.
9. Decide whether to extend the NoEEP to all devices supported by (e.g., Outlook access) or costs–reimbursed by the employer [are you OK with BYOD?]; and then make the scope clear: a) in the written policy; b) to all supervisors/managers; and c) to all staff.
8. Specify all employer rights, including to: monitor; search; access; inspect; and read.
7. Give clear written notice to all employees and covered third parties allowed access to employer systems/networks.
6. Be realistic as to “personal use” – strongly consider a “limited” or “incidental” exception, but with carve-outs for certain activities: violating the law or any other employer policy; interfering with the employee’s job performance; or aiming for personal pecuniary gain to the detriment of the employer.
5. Train new employees – and periodically retrain experienced ones – on key TAUP provisions, especially as to NoEEPP.
4. Train supervisors/managers on consistent, fair enforcement.
3. In the trenches, do not overreach as to: an employee’s own attorney-client privilege; or the illicit obtainment – let alone use – of an employee’s personal login/password.
2. Provide an annual concise reminder summarizing key TAUP provisions, including employees’ right to discuss employment conditions.
1. Periodically – every two or three years? – review (and revise?) the TAUP so it’s: consistent with actual practices; and up-to-date as to current technology, e.g., smartphones, social media and “The Cloud”.
Always remember the Three E’s of compliance: Establish, Educate and Enforce as propounded by Nancy Flynn of the ePolicy Institute <@ePolicyInstitut>. First, policy goals must be established. Second, once the policies are written, employees must be educated on the content. And, third, only then, should technology be used as one enforcement/ implementation mechanism – not as a magic-bullet.