what state agencies can do to protect employee privacy during investigations of workplace misconduct
TRANSCRIPT
WHAT STATE AGENCIES CAN DO
To Protect Employee Privacy During Investigations of Workplace
Misconduct
Overview
Four Rules
Relevant Cases and Statutes
Four Rules
Rule 1: Have an Appropriate Acceptable Use Policy and Disseminate it Properly
Rule 2: Have an Appropriate User Responsibility Policy and Disseminate it Properly
Rule 3: Where at all possible, avoid providing VPN access to users via their home computers (as opposed to state-issued computers)
Rule 4: When investigating workplace misconduct make sure that searches of employee offices, and employee hard drives, disks, and other IT equipment used only by the individual employees are:
Justified in their inception
Permissible in their scope
Rule 1
Have an Appropriate Acceptable Use Policy and Disseminate it Properly
An Appropriate Acceptable Use Policy
Scope: all Commonwealth IT Resources
Applicability: all users of Commonwealth IT resources (don’t limit to employees, contractors, elected officials, unpaid interns, etc.)
Failure to observe results in discipline
Defines acceptable and unacceptable uses of Commonwealth ITData confidentialityIP protectionComputer virusesNetwork securityEmail useNo expectation of privacyUse of system is consent to policy
All ANF Agencies are subject to the ANF AUP (Unless they adopt
a similarly protective agency policy)
ANF Policy available at http://mass.gov/portal/index.jsp?
pageID=agcc&agid=eoaf&agca=policiesinitiatives&agcc=otherpolicies
Proper Dissemination
Post it on your agency intranet and internet sites
Provide to all IT resource users
Incorporate in contracts
Mail link to users annually
Update periodically
Document dissemination
Rule 2
Have an Appropriate User Responsibility Policy and
Disseminate it Appropriately
A Proper User Responsibility Policy
Explains why the user has been granted Log-in IDs for systems and networksStates that user must keep Log-in ID confidentialLimits choice of passwordsNotifies that use of Log-In ID is a privilege that may be revokedSole responsibility of user
Proper User Responsibility Policy
Report to ISO if compromised
Data release only consistent with law
Remote access issues
Discipline including termination for violation
Reiterate acceptable use
Current monitoring and potential screening
Contact information for ISO
(OER Review)
Proper Dissemination
Same as dissemination of AUP, but instead of disseminating as policy to all, at hire or first engagement with agency, require all non-union users to sign an agreement incorporating the policy, stating date on which they received it and had chance to review
Provide hard copy of policy to all union employees
Rule 3
Avoid VPN Access for Users via their home computers
Avoid VPN access for users via their home computers
Administrators have access to home computers while VPN session is openEmployees have a higher degree of privacy rights in personally-owned home computersOthers in household who share the PC also have privacy rightsWhen investigating employee misconduct, do not under any circumstances conduct a warrantless search of a telecommuter’s personal PC through your VPN connection
Rule 4
When investigating workplace misconduct make sure that searches of employee offices, and hard
drives, disks, and other IT equipment used only by the individual, or any other areas in which the
employee may claim a privacy right:
Justified in their inception
Permissible in their scope
Justified at Their Inception means…
There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct:
Example: Technician exploring firewall capabilities enters term “sex” in firewall database and discovers that government employee user has accessed a number of sex sites using his government issued computer in his government office, in violation of agency policyExample: Technician in government employee’s office installing network connection on network computer sees pornography files on employee’s screen in violation of workplace policy
Permissible in their scope means…
Measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct:
Example: Following agency’s discovery of sex site visit evidence on firewall log,
Supervisor remotely reviews information on user’s computer, and only after finding further evidence of visits to pornographic sites forbidden by agency policy
Only thereafter enters employee’s private office and takes hard drive and disks.
Permissible in scope, cont.
Example: Following discovery of technician installing network connection that user has pornography on government employee’s government issued computer, in violation of agency policy, employer conducts full search of employee’s computer and disks.
Relevant Statutes and Case Law
The Commonwealth Falls into Two Legal Categories
The Commonwealth as an employer
The Commonwealth as a government entity
Government as Employer
Faces the same legal landscape as all employers
Statutes and Case law
As Government Entity
State is subject to Fair Information Practices Act
Fourth Amendment search and seizure issues.
Statutes Affecting All Employers
State Privacy Act, Mass. Gen. L. ch. 214State Wiretap Law, Mass. Gen. L. ch. 272, sec. 99Federal Wiretap Statute, 18 U.S.C. sec. 2511 et seq.Data privacy lawsFederal Stored Communications Statute, 18 U.S.C. sec. 2701
State Privacy Act
“A person shall have a right against unreasonable, substantial, or serious interference with his privacy”. M.G.L. ch. 214, sec. 1B
Restuccia v. Burke Technology, Inc., 1999 WL 1329386 (Mass. Super. 1996): Genuine issue of fact regarding whether employee had reasonable expectation of privacy in email that he had sent to supervisor at the supervisor’s company email address that later resulted in termination.
Garrity v. John Hancock Mutual Life Insurance Company, 2002 WL 974676 (D. Mass. 2002)
Plaintiffs: 2 employees and husband of one employeeSexually explicit emails sent from husband to both employees at company email addressesTwo employees distribute these emails to other employees over company emailEmployee plaintiffs fired after investigation including employer review of emails contained in backup system
State Privacy Law Claim
Invasion of privacy (no citation to state privacy statute, but either state statute or tort of privacy invasion appear to be basis of claim)
Holding: no privacy violation
Court quotes from Hancock’s Well-disseminated Email Policy, which Explicitly Said:
Obscene, profane, sexually oriented emails prohibitedViolators would be subject to disciplinary action up to and including terminationAll information stored, transmitted, received or contained in company email systems systems was the employer’s propertyBusiness or legal reasons might require company review of email messages and other documents
Court’s Reasoning
No reasonable expectation of privacy in the emails among the plaintiffs because
Evidence that employee’s husband, and employee plaintiffs, assumed the emails would be forwarded to others at the company
Citation to Pennsylvania District Court case to the effect that even without an email policy, no privacy expectation in emails sent over company email system (but PA case was about privacy expectations of employees, not outsiders)
Court’s Reasoning, cont.
Even if there was a reasonable expectation of privacy in the emails, Hancock’s legitimate business interest in protecting its employees from harassment in workplace would “likely trump plaintiffs’ privacy interests”. Both state and Federal anti-discrimination law REQUIRE employer to take affirmative steps to maintain workplace free of harassment , investigate incidents of harassment and take prompt action
Based on State Privacy Law and Hancock…
Private sector employers whose email policy forbids use of email system for certain activities do not violate state Privacy Act when reading employee emails during investigation of employee policy violations that are also violations of state or federal law. Probable that even without an email policy, employee in a private sector company may have no privacy rights under the Privacy Law with respect to emails created or received in the workplace.
Privacy of State Employee Emails
State employees have an even weaker argument for the privacy of most of their emails because the Secretary of State has ruled that emails created or received by an employee or a government unit are public record. DSPR Bulletin 1-99 2/16/99.
Hancock leaves open the question:
Where there is no evidence that the non-employee sending email to an employee at his work email address knew that his email would be distributed to others in the company, are the sender’s rights under the State Privacy Act violated when, without the sender’s consent, the employer reads his email? Sender may not have as much reason to be aware of the public record nature of emails sent to the state.
State Wiretap Law
Prohibits secret interception of wire and oral communicationsDoesn’t apply if both parties to communication have consented to interception Doesn’t apply to possession or use of an intercommunications system which is used in the ordinary course of owner’s business
Raised by plaintiffs in Hancock because. . .
Hancock, following complaint by fellow employee regarding sexually explicit email transmitted by plaintiffs over company email system, commenced investigation
Investigation included reading backed up emails created, received or transmitted by plaintiffs. Plaintiffs claim the reading of such emails was an “interception” that violated the state wiretap law
Court: No violation of State Wiretap Because:
State wiretap law applies only to interception of communications in transit; Hancock read only stored email
Even if the reading itself were a form of interception, the backup system was not an interception because fell under “ordinary business exemption “ of wiretap statute. (See also Restuccia).
Application of State Wiretap Act to State Agencies:
Reading backed up employee emails not a violation
Screening incoming emails for viruses and spam, and screening outgoing emails is not a violation because it is “ordinary course of business” for state agencies because of data privacy laws
Intercepting incoming emails from a known source of harassing emails is not a violation
State Wiretap Act Summary: Screening Incoming Emails
State agency intercepting all incoming emails on shakier legal ground:
No legal requirement under data privacy laws or discrimination laws imposed on employers to screen incoming email. Screening all incoming email may not constitute acting in the ordinary course of business
State Wiretap Act Summary: Screening incoming email
Unlike most businesses that receive email from customers, Commonwealth citizens have legitimate reasons for emailing messages to state agencies that contain words that may be picked up by screening software
Example: Citizens seeking health information may use slang terms for body partsCitizens reporting discrimination to state agencies, quoting offensive language.Citizens using strong language to criticize state officials
Federal Wiretap Statute
Similar to state statute; does not apply to stored email communicationsBut only one party to communications needs to consent. 18 U.S.C. sec. 2511(2)(d).
AUP that states that users of IT resources consent to monitoring probably creates requisite consent
And provider of electronic communications service can intercept to protect the rights or property of the provider.
Screening all emails for harassing content would appear to be a means of protecting the employer’s rights to maintain a non-discriminatory workplace
Under Federal Wiretap Statute
Agencies that have and disseminate an acceptable use policy stating that use of IT system is consent to monitoring and viewing of messages are not in violation of Federal Wiretap Law if they monitor both incoming and outgoing email for any purpose. Even without an AUP, agencies monitoring all incoming and outgoing email for purposes of preventing violations of Federal or state law, reducing spam or maintaining network security are probably not in violation of the Federal Wiretap Act.
Data Privacy Laws
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley
Federal Stored Communications Act
Prohibits unauthorized access to electronic communication while it is in electronic storage. 18 U.S.C. sec. 2701
An employer’s accessing of backed up emails on its own email system does not violate this act because it is not “unauthorized”.
Query, however…
When employee has VPN access through home computer , absent a written agreement with employee, systems administrator’s viewing of non-work related files on the computer during a VPN session may not be “authorized” and may therefore be a violation of the SCA.Administrator’s viewing of files of household members of employees during VPN session probably violates the SCA because such intrusions are certainly not authorized.
GOVERNMENT AS GOVERNMENT EMPLOYER
Fair Information Practices Act
Fourth Amendment
Fair Information Practices Act
State Fair Information Practices ActProtects personal data (data clearly linked to an individual that is not public record) held by a “holder” agencyMost information about employees held by state agency employers is public record.Personal data about employees (evaluations, paternity information) can be accessed by the agency’s employees during a legitimate workplace misconduct investigation without violating FIPA but dissemination outside the agency restricted by FIPA.
Fourth Amendment
Fourth Amendment to U.S. Constitution, made applicable to states via 14th Amendment
Parallel rights under State Constitution
Where state employee has an objectively reasonable privacy expectation in a place, the state cannot search that place while investigating a workplace policy violation unless it obtains a warrant or an exception to the warrantless search rule applies.
What happens if state violates this rule when
investigating employee misconduct? If the employee is later tried for violation of criminal law, evidence collected in violation of the Fourth Amendment can be suppressed.
“Bivens” action against state actors for civil money damages
Scope of our discussion
NOT a discussion about legal or illegal use of warrants the state obtains during a criminal investigation by state police;
RATHER Non-criminal, warrantless searches a state agency might conduct for the purpose (but not necessarily the sole purpose) of investigating an instance of employee workplace misconduct that may also constitute a crime.
O’Connor v. Ortega, 480 U.S. 709 (1987)
Fourth Amendment prohibits unreasonable searches and seizures by government employers or supervisors
Government employees
Have a reasonable expectation of privacy in their offices or in parts of their offices, such as their desks or file cabinets. O’Connor.
But office procedures, policies or regulations may reduce legitimate privacy expectations. O’Connor.
Even if state employee establishes a privacy interest in the area that you search, your search may be covered by an
exception to warrantless search requirement for government employers
Government employer’s interest in the efficient and proper operation of the workplace may justify warrantless work-related searches.Government agency investigations of violations of workplace misconduct fall under this rule. This exception can apply even if the employer is a law enforcement agency and the agent conducting the search is aware that the information collected could later be used for criminal prosecution
Rules for Government Employer Warrantless Search
Reasonable in its inception
Permissible in its scope
Reasonable in its inception
There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct
Permissible in its scope
Investigatory measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct
U. S. v. Simons, 206 F.3d 392 (4th. Cir. 2000)
Motion to suppress
Mark L. Simons
CIA Employee
Convicted of receiving and downloading child pornography
Used workplace Internet access to do so
Court Notes that CIA:
Had an Internet usage policy
Use for official government business only
Accessing unlawful material specifically prohibited
CIA will conduct electronic audits to ensure compliance
Great detail about how audits would look at sent and received email and web sites visited
Events leading to conviction
Simons has an agency office that he locks and a computer provided by CIA with access to internetTechnician exploring firewall capabilities enters keyword “sex” into firewall databaseTechnician notes large number of Internet hits originating from Simons computer. Names of sites obviously not for official purposes. Reports to supervisors. Another CIA employee remotely examines Simons computer, finds downloaded pornographic files, and copies files
Later, in Simon’s office,
Employer physically entered Simons office
Removed original hard drive
Subsequently
Evidence from both remote and office searches used to convict Simons
Simons raises fourth amendment claim regarding
The remote search
The office search
Remote search: Court holds
No violation because Simons had no expectation of privacy with respect to “fruits of his internet search” because of employer policy
Policy placed employees on notice
No objectively reasonable belief
Office Search
Private office Simons did not share
No office policies or procedures reducing his privacy interest
He had a privacy interest in office
But requirements of government agency exception to warrantless search rule met
Government agency exception applied
Although dominant purpose of search was to acquire information about criminal activity, CIA did not lose its special need for efficient and proper operation of workplaceCriminal acts related to employment, in that employer workplace policy violatedCompare to situation where criminal acts are unrelated to employment-related misconduct. Here, conjunction of conduct that violated workplace rules and conduct that violated criminal law did not prohibit application of exemption
CIA Met requirements for special needs search
Reasonable at its inception because based on technician’s work, grounds to suspect child porn violation
Permissible in scope because entering Simon’s office was reasonably related to objective of the search, retrieval of the hard drive. And search not excessively intrusive. No search of desk, any other items in office.
See U.S. v. Slanina, 283 F.3d 670 (5th Cir. 2002)
(appeal from conviction of municipal employee for child pornography).
Search and Seizure Rules and State Agencies
Reduce the employee’s expectation of privacy in electronic communications and activities related to state information technology resourcesMake sure your search is justified in its inception---no fishing expeditions.Must have some reason to suspect violation of a workplace policy, not just a crime.Limit scope of your search to places likely to answer your question as to whether the employee violated your workplace policy
Courts will view differently Warrantless…
Remote searches of employer’s computer in employee’s office (or, presumably, at home)
Physical Search of employee’s private office at workplace
Remote search of employee owned PC used for VPN connection to state network
Search may violate employee’s Fourth Amendment Rights if…Search not justified at its inception because employer has no reason to suspect violation of workplace policy, even if employer has reason to suspect violation of criminal law
Search not permissible in scope because employer searches places or things unrelated to the suspected violation of a workplace policy
