The National Law Journal is reporting that three recent court decisions make it important for companies to begin a thorough review of their computer policies. The National Law Journal suggests firms focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee’s permissible access to the company computers. The article by Nick Akerman, a partner in the New York office of Dorsey & Whitney who specializes in trade secrets and computer data discusses three recent decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.
Mr. Ackerman says two recent decisions, Quon v. Arch Wireless Operating Co. Inc. and Stengart v. Loving Care Agency Inc., affect a company’s ability to gather evidence from its own computers. The article states both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when an employee is suspected to have stolen corporate data.
In Quon, (which I wrote about here) the 9th U.S. Circuit Court of Appeals held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. The article explains that although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business. This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers according to the National Law Journal.
The article goes on to state that the 9th Circuit affirmed the district court’s finding that Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department where the staff was told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Consistent with that informal policy, Quon had exceeded that limit “‘three or four times and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it” the author states.
In Stengart, Mr. Ackerman argues the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found many e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited the use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”
The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.
The National Law Journal article says the third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA, provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”
The last case, LVRC Holdings LLC v. Brekka, Mr. Ackerman argues has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. He reports that Brekka puts into question the concept that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.
Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, the article says that from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA … is primarily a statute imposing limits on access and enhancing control by information providers.. Thus, a company “can easily spell out explicitly what is forbidden” through several methods including an employee handbook explains the National Law Journal article.
Mr. Ackerman concludes by suggesting that in designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Nonetheless, he suggests in light of Quon, Stengart and Brekka, a company should check its computer policies to make sure that they do the following:
• Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.
• Make clear that all data created in furtherance of any personal use belongs to the company — including use of the company systems to access personal web-based e-mail accounts — and may be monitored by the company and will not be confidential.
• Reflect operational reality and are audited at least annually to ensure they reflect operational reality.
• Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.
The time to get this right is now before the company finds itself the victim of data theft.
Related articles
- Employer Sues Former Employee For Checking Facebook and Personal E-Mail and “Excessive Internet Usage” at Work (volokh.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
Darkreading cites court documents which say, between July 2008 and January 2010, Ms. Jones earned more than $400,000 by selling over 7,000 copies of pirated business software at discounted prices through the website www.cheapdl.com (which no longer appears active). The