Proactive Policies - Address Technology and Network Use Now
Employee privacy may be eroding as technology increasingly blurs the line between work and personal life.
Courts are currently engaged in a balancing act - weighing employee privacy expectations against company interests in monitoring communications sent over their information systems. While recent decisions may have created confusion instead of certainty, they clearly illustrate the importance of proactively addressing the issues surrounding employee privacy and workplace security.
In June 2010, the United States Supreme Court addressed the issue of technology and network use policies in City of Ontario, California v. Quon.1 Quon highlights the importance of using these policies to address a company's right to access information created and sent using work-issued technology, and demonstrates the necessity of drafting and implementing clear, consistent and defensible usage policies.
A company's technology and network use policy (provided one even exists) has typically been drafted by in-house or outside counsel. Because they might not possess the intimate knowledge of the company's computer and network systems, these policies have a tendency to be overbroad, discuss technology not in place at the company and can lead to confusion among employees. These generalized policies also further complicate the difficult task of responding to requests pertaining to litigation, investigations and regulatory compliance.
Instead of relying solely on in-house or outside counsel, companies should create an internal working group with input from legal, IT managers and employees, and the CIO. The working group should create the policy and be able to articulate clearly what the policy covers and why.
After the policy is created, employees must be trained through online methods, in-person, in seminars, etc. Training should be conducted on an annual basis and/or when the policy is updated and must be documented thoroughly. If a court dispute over a policy ever does develop, taking these steps will demonstrate to the court that the company underwent significant efforts to ensure compliance with the policy.
Quon highlights the importance of clearly conveying the policy and training. The City of Ontario created, implemented and communicated a "Computer Usage, Internet and Email Policy" to all employees in the company. However, the usage policy stated email messages may be audited, but did not address pager text messages. The established practice was that such communications would be left private, provided employees paid overages. Despite this ambiguity, the Supreme Court upheld the policy, citing the City's well-documented steps taken to communicate to employees that pager messages would be treated similarly to emails messages.
Finally, technology and network use policies must be regularly evaluated and updated. As part of the update process, the policies should be tested to ensure they meet the needs of the company, accurately reflect the technology used by the employees and account for new forms of media, such as social networking sites and mobile phone advancements. The City of Ontario may have had an even stronger case if it updated its policy to reflect its adoption of pager and text messaging technology.
Without a policy in place to address employee technology and network use, companies are exposing themselves to unnecessary risk. Waiting to act until something goes wrong is simply not a smart business strategy and it will be significantly more difficult, time-consuming and expensive to implement corrective policies than it would have been had the company acted proactively.
1No. 08-1332, 560 U.S. _ (2010).