N.J. Supreme Court upholds privacy of personal e-mails accessed at work

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that, under the policy, its employees had no expectation of privacy in their use of company computers. The court found that the policy did not address personal e-mail accounts at all and therefore gave employees no express notice that such accounts would be subject to monitoring. Nor did the policy warn employees that the contents of those e-mails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

  • A policy should be clear that employees have no expectation of privacy in their use of company computers.
  • A policy needs to explicitly address the use of personal, web-based e-mail accounts accessed through company equipment.
  • A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Data Breach Sharing Framework

With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

The framework is set up to help classify incidents, their discovery, mitigation and impact.


Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the law reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

Today is the Deadline for the Massachusetts Data Privacy Law

March 1 is the compliance deadline for the Massachusetts Data Privacy Law. 201 CMR 17.00 requires you to be in full compliance on or before March 1, 2010 (the deadline was originally January 1, 2009, and was then pushed to January 1, 2010 before landing on March 1, 2010).

If your company receives, stores, maintains, processes or otherwise has access to “personal information” acquired in connection with employment or with the provision of goods or services to a Massachusetts resident, you are subject to the regulation’s requirements.

If you have employees or customers in the Commonwealth of Massachusetts, then you are subject to this law. The law is not restricted to companies located in Massachusetts. But if you are located in Massachusetts then you have Massachusetts employees and their personal information, making you subject to the requirements of the law.

The law is a bit watered down since its initial form, but you still need to pay attention to it. There are some reasonableness standards in the requirements that make it easier to comply. You still need a policy, need to inventory your stores of “personal information” and educate your employees about the importance of safeguarding personal information.

The Office of Consumer Affairs and Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf).

You should also review and be familiar with the law itself contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Since today is March 1, you still have a few hours to get things in place to be compliant with the law. If you haven’t taken the proper steps, stop reading and go do it.

Another Reason to Secure Your Wireless Network

If you care about network security, you are probably well aware of the Massachusetts Data Privacy Law and its requirement to secure wireless networks.

But password-protecting a wireless router also has constitutional significance.

A child pornography suspect had no constitutionally protected privacy right in the files found on his personal computer, accessible by a neighbor who was piggybacking on his unsecured wireless network.

A neighbor stumbled across the shared files and alerted the local sheriff. After coming by to see the files, the sheriff ran license plates on cars on the street and found one nearby that was registered to a convicted sex offender. The sheriff then obtained warrants to determine the subscriber’s IP address and eventually to seize the computers.

Even though the defendant confessed on the spot, his lawyer tried to get all of the evidence thrown out claiming the sheriff violated the defendant’s reasonable expectation of privacy. The government disagreed and said the “defendant’s conduct in operating his home computer eliminated his right to privacy.”

The case ended up before Judge King of the U.S. District Court for the District of Oregon, in U.S. v. Ahrndt.

The case even quotes one of my favorite columns: The Ethicist by Randy Cohen in The New York Times: Wi-Fi Fairness Feb 8, 2004. Cohen came to the conclusion that “you may use but not overuse Wi-Fi hot spots you encounter.”

The judge steps over the issue of whether it is legal to access an open Wi-Fi hotspot, but is happy to point out that accidental unauthorized use of other people’s wireless networks is a fairly common occurrence in densely populated urban environments.

“As a result of the ease and frequency with which people use others’ wireless networks, I conclude that society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network.”

The judge also found “when a person shares files on iTunes over an unsecured wireless network, it is like leaving one’s documents in a box marked ‘take a look’ at the end of a cul-de-sac.” In the end, the defendant’s conduct in operating his software and maintaining his router diminished his reasonable expectation of privacy.

So not only will improperly maintaining your wireless network open you to data loss and liability under privacy laws, it will also diminish your constitutional protections.

More on Data Privacy Day

Today is International Data Privacy Day.

Massachusetts Recognizes Data Privacy Day 2010 and touts the new data security regulations.

Disney has enlisted Phineas and Ferb to help guide your kids through cyberspace and teach them about the rules of the road on the internet.

Google published its guiding privacy principles along with a video discussing them.

Data Privacy Day is January 28

Data Privacy Day is an annual international celebration to raise awareness and generate discussion about information privacy. Last year, both the U.S. Senate and House of Representatives recognized January 28th, 2009 as National Data Privacy Day.

Intel, Microsoft, Google, AT&T, LexisNexis and The Privacy Projects are sponsoring Data Privacy Day efforts, with assistance from Intuit and Oracle.

Even if you are not responsible for privacy at the office, you are responsible for your kids. The Data Privacy Day 2010 site has some great resources for Teens, Young Adults, and Parents & Kids. Take a look at the FTC’s You Are Here to see some of the problems faced by kids online. Make sure to visit the Security Plaza to learn about protecting your privacy (online and off).

You are responsible for your own online activity. In a recent data breach, “123456”, “12345”, “123456789” and “password” were the most common passwords. Even Twitter has banned these passwords, along with 366 other obvious ones.

A list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites, provided a treasure trove of information for security analysis. About 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords. Hackers could easily break into many accounts just by trying the most common passwords.

Security experts advise that a password should consist of letters, numbers and even punctuation symbols. They should be changed regularly and you should not use the same password for all your online services.
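As an added example (not code from the original post), the following Python snippet turns the advice above into a check: it rejects the common passwords the post names, requires letters, digits and punctuation, and measures what share of a password sample clusters in the sample's most frequent values, the kind of analysis described for the RockYou list. The denylist and the sample passwords are constructed for illustration; a real deployment would load a much larger list of known-breached passwords.

```python
"""Password hygiene checks illustrating the advice in the post above.

Added example, not from the original post. COMMON_PASSWORDS and SAMPLE are
constructed for illustration.
"""
import string
from collections import Counter
from typing import Iterable, List

# Constructed denylist seeded with the passwords the post names.
COMMON_PASSWORDS = frozenset({"123456", "12345", "123456789", "password"})


def policy_failures(password: str, min_length: int = 8) -> List[str]:
    """Return the policy rules the password fails; an empty list means accepted.

    Rules follow the post: not a commonly chosen password, long enough, and
    built from letters, numbers and punctuation.
    """
    failures = []
    if password.lower() in COMMON_PASSWORDS:
        failures.append("common")
    if len(password) < min_length:
        failures.append("too_short")
    if not any(c.isalpha() for c in password):
        failures.append("no_letters")
    if not any(c.isdigit() for c in password):
        failures.append("no_digits")
    if not any(c in string.punctuation for c in password):
        failures.append("no_punctuation")
    return failures


def common_password_share(passwords: Iterable[str], top_n: int = 5) -> float:
    """Fraction of a password sample accounted for by its top_n most frequent values.

    This mirrors the observation that a large share of a breached user base
    picks from a small pool of passwords.
    """
    passwords = list(passwords)
    if not passwords:
        return 0.0
    counts = Counter(passwords)
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / len(passwords)


# Constructed sample of 20 passwords, skewed the way breached lists tend to be.
SAMPLE = (
    ["123456"] * 4
    + ["password"] * 3
    + ["12345"] * 2
    + ["iloveyou"]
    + ["Tr0ub4dor&3", "correct horse battery staple", "Qx9!mZ2#pL", "letmein",
       "abc123", "123456789", "sunshine", "princess", "football", "monkey"]
)

if __name__ == "__main__":
    for candidate in ("123456", "Password", "Qx9!mZ2#pL"):
        print(candidate, "->", policy_failures(candidate) or "accepted")
    print("share in top 5:", common_password_share(SAMPLE))
```

The checker returns the list of failed rules rather than a bare boolean so a registration form can tell the user which rule to fix; the share function takes any iterable so it can be pointed at a log of rejected sign-up attempts as easily as at a breached list.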

Monitoring Employee E-mail in Canada

The key to a defensible system of e-mail monitoring is the creation of a comprehensive and clearly communicated computer use policy. That is apparently as true in Canada as it is in the United States.

Brian Bowman and Andrew Buck put together an excellent primer on the subject: Monitoring employee e-mail: a privacy primer.

In what situations is e-mail monitoring justified? And what tests can we use to answer this question? Canada has no definitive answer either.

Computer Files for Employees in France


France has strict laws on the ability of a company to monitor its employees’ computers. But a recent French decision found that files created by an employee on a computer issued by the company for work purposes are presumed professional unless the employee identified them clearly as personal. So the company can open these files without the employee being present and without telling the employee in advance.

At least that is according to a recent post in Proskauer’s Privacy Law Blog. The decision is in French, so I am assuming that Ms. Martin’s French is better than mine. (Google’s translation of the case is not very good.)

“Until this case, the case law was unclear on whether folders or files located on an employee’s work computer but titled with the employee’s name or initials would be afforded privacy protection under workplace privacy laws. However in this ruling, the French Supreme Court made clear that all files created by an employee on an employer’s computer belong to the employer unless they are expressly identified as personal. By adopting this position, the French Supreme Court was consistent with the French Data Protection Agency (CNIL) which, since 2002, has advised that employees should be cautious when using their work computers for personal purposes.”

Supreme Court to Hear Case on Employer Access to Worker Messages

How much privacy do workers have when they send text messages from company accounts?

Users of text-messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network, 9th Circuit Judge Kim Wardlaw said in Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (9th Cir. 2008).

In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

Supreme Court

The U.S. Supreme Court agreed to hear an appeal of the case: City of Ontario, California, et al., Petitioners v. Jeff Quon, et al. (08-1332). The Justices could add some new law to the ability of companies to monitor and access their employees’ use of a company’s computer system.

Limitations

Although it sounds interesting, the case has some limitations that will likely make the decision underwhelming. The employees at issue are government employees, so the Constitution is implicated. You don’t have this issue with private employees. Second, the governmental employer accessed the information from the third party provider of the text-messaging system. The information was not on the government’s computer system itself. Third, the governmental employer did not have a clear policy on the use of the equipment and whether the messages were private or accessible by the government employer.

Background

The case originated when police officers claimed their rights were violated when messages on department devices were read by their chief. Quon and the other officers had signed a statement declaring “users should have no expectation of privacy or confidentiality” when using devices furnished by the city. But shortly after text pagers were distributed, the officers were told by a supervisor they could use them to send messages, as long as they paid for messages that exceeded the monthly limit. It was understood that some of these messages would be personal and unrelated to police work. When the police chief learned that some officers were regularly exceeding the monthly limit, he asked for an audit and read the messages.

After Quon and the other officers learned their messages had been read, they sued. They lost in the Los Angeles Federal District Court, but won in front of the 9th Circuit.
