by Robert Lemos

Five Ways IT Can Avoid a Privacy Lawsuit

Jul 08, 2008 (7 mins)

Violating an informal privacy policy is a no-no, a recent court ruling found. CIOs can take some important lessons about text messaging and privacy away from the case of Quon v. Arch Wireless.

Lieutenant Steve Duke, a commander with the Ontario, Calif., Police Department, never intended to be a bill collector.

But two years into the police department’s contract with a firm that provided text messaging services, Duke found himself regularly requesting that some officers pay the per-character overage fee for the wireless service, according to a recent ruling in a lawsuit against the police department. The Ontario Police Department had settled on a 25,000-character monthly limit with provider Arch Wireless, yet some officers were exceeding the limit by up to 15,000 characters. The department’s solution: if an officer paid for the overages, the department would not audit that officer’s communications to determine what portion was for legitimate business use.

Yet Duke had become fed up with asking officers to pay for their overages. Along with the chief of police, the lieutenant decided to audit one of the workers who had exceeded the limit to find out whether excessive personal use of the wireless devices was responsible, according to the lawsuit ruling. In doing so, the police department violated the officer’s privacy rights as well as the rights of at least three people with whom he had communicated, the U.S. Court of Appeals for the Ninth Circuit ruled last month.

The court case serves up a number of lessons for CIOs regarding how to handle communications monitoring, the dangers of not having a privacy policy and whether third-party communications services create unwanted liability. (For a look at related privacy issues that should be on your radar screen, see “IT and the Changing Privacy Landscape: Eight Areas to Watch in ’08”.)

1. Set expectations of privacy

The first lesson for CIOs is that an informal privacy policy is as binding as a written one.

Duke had already communicated an informal privacy policy to the department’s employees essentially guaranteeing their privacy, as long as they paid their bills. His frustration in dealing with the overages came to a head in 2003 when Sergeant Jeff Quon, a member of the police department’s SWAT team, exceeded the limit for the fourth time in two years, according to court filings.

“He told Sergeant Quon it was not his intent to audit employee’s [sic] text messages to see if the overage is dues to work related transmissions,” a police investigator wrote in a memo describing the investigation in Quon’s usage of the text-message device. “He advised Sergeant Quon he could reimburse the city for the overage so he would not have to audit the transmission and see how many messages were non-work related.”

While many companies have privacy policies that explicitly allow the monitoring of employees, the heart of the case hinges on the police department’s lack of a policy regarding the text-messaging service, says Sinan Aral, a professor of information, operations and management sciences at New York University’s Stern School of Business and an affiliated professor at the Massachusetts Institute of Technology’s Sloan School of Management.

“The ruling reaffirms that employers can override an employee’s expectation of privacy by an explicit policy stating so, as long as it is explicit, written and unambiguous,” Aral says.

2. Bring the services in-house, if possible

Having a third-party communications provider was another problem for the department.

The Ontario Police Department had contracted with the Arch Wireless Operating Company to provide text-messaging devices to all the city’s officers in 2001. In doing so, the organization inadvertently split its role: while the police department was the customer, it was not the user.

The court found that Arch Wireless violated the privacy of a user, Sergeant Quon, and the three people with whom he communicated when it handed over a copy of his text messages from its servers without a subpoena. If the services had not been provided by a third-party communications provider, the department would have been free to access the information, provided its privacy policy allowed auditing, Aral says.

While instant-messaging services and text messaging through mobile devices are not easily brought in-house, there are services that can replace such communications applications for companies that need that degree of control over their employees’ communications. On the instant-messaging front, for example, the open-source Jabber server lets organizations run their own instant messaging service. Research In Motion’s BlackBerry enterprise platform also has a central server that manages messaging.

“The ruling does not address content on corporate servers,” he says. “Because most e-mail is stored on company mail and Exchange servers, for example, the case does not apply to the company auditing those communications.”

The ruling also found that text-messaging services are “electronic communications services,” as defined in the Stored Communications Act, and not a “remote computing service.” While a remote computing service may give a user’s information to the subscriber without a court order, an electronic communications service is forbidden by law from surrendering such data.

3. Avoid charging your employees fees

While asking officers to pay for their excessive text messaging may have been an expedient solution, having the users pay for the service reinforced the notion that they had some ownership of the communications and a right to privacy, says Marshall Van Alstyne, a professor of management at Boston University and a research scholar at MIT’s Sloan School of Management.

“Because the officer was paying for the overages, he had a right to not be reviewed,” says Van Alstyne.

The court likened text messages to e-mail that flows through a third-party provider. While it is not reasonable to expect privacy in the addressing of such communications, it is reasonable to expect the contents of the messages to remain private.

Sergeant Quon and other users “did not expect that Arch Wireless would monitor their text messages, much less turn over the messages to third parties without (their) consent,” the appeal court judges stated in their ruling.

4. Stop, think and evaluate before auditing

The Ontario Police Department had a legitimate right to determine whether the text-messaging service was being used for personal reasons, but the way it chose to investigate the issue was wrong.

If the top-level management at the police department had discussed the issue, they would have seen that there were other ways to determine personal use of the text pagers, says NYU’s Aral. The department could have warned people that their messages would be audited during a future month, or it could have had the text-message transcripts sent to the user, who would then be responsible for redacting any non-work-related messages.

Moreover, the organization should have first created an explicit policy and considered the impact of that policy, Aral says.

“Firms should evaluate whether reviewing messages held by a third-party provider merits an explicit policy stating that they can evaluate those messages,” he says. “One reason to not state the right to evaluate those messages may be because they want to have the best workplace, hiring incentives or they are pro-privacy.”

On the other hand, increasing productivity, matching up officers with needed knowledge, and liability management are all reasons to have some sort of monitoring in place, Aral says.

5. Automate the monitoring

If a company does decide to audit their workers on a regular basis, automating the monitoring can provide some privacy protections while, at the same time, giving the company the benefits of oversight, says Boston University’s Van Alstyne.

Moreover, such systems can work without any management oversight at all. By creating benchmarks based on the data and showing the users where they fall in the spectrum of use, the police department could have indicated to Quon and others that their use had become extraordinary.

“They have other means of doing (auditing) that doesn’t infringe on workers’ privacy,” Van Alstyne says.
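As an added illustration of the metadata-only benchmarking Van Alstyne describes (this is example code, not code from the article or from any party in the case), the following Python takes per-device monthly character counts of the kind a carrier already bills the subscriber for, aggregates them, ranks each device against its peers and produces the notice a user would see. The only figure taken from the article is the 25,000-character plan limit; the record layout, badge identifiers and usage numbers are constructed. The pipeline refuses any record that carries a message body, so the benchmark structurally cannot read content, which is the privacy-preserving property the section argues for.

```python
"""Metadata-only usage benchmarking (example, not the department's system).

Input is billing metadata only: who, which month, how many characters.
No message content is present, and the loader rejects records that carry any.
"""
from collections import defaultdict
from statistics import mean

PLAN_LIMIT = 25_000  # characters per device per month (figure from the article)

# Field names a careless export might add; their presence aborts the run so the
# benchmark can never be fed message bodies by accident.
CONTENT_FIELDS = {"body", "text", "content", "message"}

# Constructed sample billing records (assumed layout; not real data).
USAGE = [
    {"user": "badge-101", "month": "2003-08", "chars": 12_400},
    {"user": "badge-102", "month": "2003-08", "chars": 18_900},
    {"user": "badge-103", "month": "2003-08", "chars": 24_100},
    {"user": "badge-104", "month": "2003-08", "chars": 40_000},  # 15,000 over
    {"user": "badge-105", "month": "2003-08", "chars": 9_800},
    {"user": "badge-106", "month": "2003-08", "chars": 27_500},  # 2,500 over
    {"user": "badge-107", "month": "2003-08", "chars": 21_300},
    {"user": "badge-108", "month": "2003-08", "chars": 11_000},  # split bill,
    {"user": "badge-108", "month": "2003-08", "chars": 5_000},   # same device
    {"user": "badge-104", "month": "2003-07", "chars": 31_000},  # other month
]


def monthly_totals(records, month):
    """Sum characters per device for one month, rejecting content-bearing rows."""
    totals = defaultdict(int)
    for rec in records:
        leaked = CONTENT_FIELDS & set(rec)
        if leaked:
            raise ValueError(f"record carries message content fields: {sorted(leaked)}")
        if rec["month"] == month:
            totals[rec["user"]] += rec["chars"]
    return dict(totals)


def benchmark(records, month, limit=PLAN_LIMIT):
    """Rank every device for the month against its peers.

    Returns rows sorted from heaviest to lightest use. share_below is the
    fraction of devices that used strictly fewer characters; over_by is the
    amount above the plan limit (0 when within plan).
    """
    totals = monthly_totals(records, month)
    values = list(totals.values())
    n = len(values)
    fleet_mean = mean(values)
    rows = []
    for user, chars in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        below = sum(1 for v in values if v < chars)
        rows.append({
            "user": user,
            "chars": chars,
            "over_by": max(0, chars - limit),
            "share_below": below / n,
            "vs_mean": chars - fleet_mean,
        })
    return rows


def notice_for(rows, user, limit=PLAN_LIMIT):
    """Plain-language notice telling one user where they fall in the spectrum."""
    row = next(r for r in rows if r["user"] == user)
    pct = round(row["share_below"] * 100)
    msg = f"{user}: {row['chars']:,} characters this month; {pct}% of devices used less."
    if row["over_by"]:
        msg += f" That is {row['over_by']:,} over the {limit:,} plan limit."
    return msg


if __name__ == "__main__":
    report = benchmark(USAGE, "2003-08")
    for row in report:
        print(notice_for(report, row["user"]))
```

Because the input schema has no content field and the loader rejects one if it appears, an auditor running this sees the same addressing and volume information the court treated as not private, and nothing more; flagged devices can then be told exactly where they sit without anyone opening a transcript.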