In the modern world, employees routinely receive work-related data on personal mobile devices, such as smartphones and tablets, and access personal data on work-owned devices. This convenience has become so commonplace that employers often do not think of the implications of collecting relevant data from these personal devices or incidentally collecting personal data from work devices when litigation arises or when the employee’s conduct is in question.
The United States Supreme Court has weighed in on a government employee’s right to privacy in the context of personal data on a mobile device. See City of Ontario, California v. Quon, 560 U.S. 746, 750 (2010). In City of Ontario, Quon was a police officer in possession of a department-issued pager for text messaging. Id. at 751-53. Quon was aware that the pagers were subject to the city’s computer policy providing that employees had no expectation of privacy in their usage of the device. Id. Quon and a few other officers’ monthly text messaging routinely exceeded the city’s plan. Id. The city made the decision to collect the officers’ text messages to determine if the city plan was too low or if the overages were due to personal messages. Id. A review of Quon’s text messaging on the pager resulted in disciplinary proceedings. Id.
Quon argued that the review of his text messages was a violation of his Fourth Amendment rights. The court concluded that the Quon search was conducted for a legitimate work-related purpose (to evaluate the text-messaging plan limits) and that it was reasonable in scope. Id. at 764.
Stengart v. Loving Care Agency, Inc. , 201 N.J. 300, 307 (2010), is another case where an employee’s right to privacy on a work-issued device was examined, although in the context of a non-government employer. In Stengart, the plaintiff communicated with her personal attorney on her work laptop through a web-based, password-protected, personal email account. Id. After Stengart left the company and filed an employment discrimination suit against it, the company performed a forensic analysis of Stengart’s computer and recovered some of the attorney-client-privileged emails. Id. The company took the stance that Stengart had no expectation of privacy on the work computer due to its computer usage policy and considered the attorney-client privilege waived. Id.
The Stengart court stated that a “plaintiff must establish that the intrusion would be highly offensive to the ordinary reasonable man, as the result of conduct to which the reasonable man would strongly object.” Id. at 317 (citations omitted). The court held that Stengart’s expectations of privacy were reasonable because: (1) she took steps to protect the communications by using a password-protected, personal email account; (2) the language of the company policy did not specifically address personal, web-based email accessed on company computers; and (3) the emails did not contain illegal or inappropriate content that might harm the company in some way. Id. at 321-22. The fact that these communications were attorney-client communications was clearly integral in the court’s reasoning. Id. at 322 (stating that these “are conversations between a lawyer and client about confidential legal matters, which are historically cloaked in privacy”).
Companies also should be aware of the Stored Communications Act (SCA), 18 U.S.C. § 2701, which provides criminal penalties for anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided or … intentionally exceeds an authorization to access that facility.” Companies who access personal employee email or social media accounts also could run afoul of this law. Compare Ehling v. Monmouth-Ocean Hospital Service Corp., 961 F. Supp. 2d 659, 667 (D.N.J. 2013) (finding that an employee’s Facebook posts, which were configured as private, meet the criteria for protection under the SCA); with Nucci v. Target Corp., No. 4D14-138, 2015 WL 71726 (Fla. Dist. Ct. App. Jan. 7, 2015) (finding that the SCA did not apply to a discovery request for Facebook data to be provided by the Facebook account holder).
Although the Ehling court did not find a violation under the SCA, its reasoning was based on the fact that one of the employee’s Facebook “friends” (an authorized user under the SCA) voluntarily reported the posts to their mutual employer. Ehling, 961 F. Supp. 2d at 669-70. The outcome likely would have been different if the employer had gained access to the posts through data collection from electronic devices. Indeed, the Ehling court even intimates that the authorized-user exception would not apply had the employer summoned the information from the employee who was “friends” with the plaintiff rather than that “friend” volunteering the information. Id.
The bottom line is that companies should have clear policies in place that govern both work data on personal devices and personal data on employer-owned devices and that clearly notify users that their data may be collected or reviewed at any time by the company. When companies collect data in litigation, they should limit the scope of the collection to only what is necessary to achieve the employer’s purpose – whether related to litigation or to questionable employee conduct.