WHAT STATE AGENCIES CAN DO


Transcript of WHAT STATE AGENCIES CAN DO

Page 1: WHAT STATE AGENCIES CAN DO

WHAT STATE AGENCIES CAN DO

To Protect Employee Privacy During Investigations of Workplace Misconduct

Page 2: WHAT STATE AGENCIES CAN DO

Overview

- Four Rules
- Relevant Cases and Statutes

Page 3: WHAT STATE AGENCIES CAN DO

Four Rules

Rule 1: Have an Appropriate Acceptable Use Policy and Disseminate it Properly

Rule 2: Have an Appropriate User Responsibility Policy and Disseminate it Properly

Rule 3: Where at all possible, avoid providing VPN access to users via their home computers (as opposed to state-issued computers)

Rule 4: When investigating workplace misconduct make sure that searches of employee offices, and employee hard drives, disks, and other IT equipment used only by the individual employees are:
- Justified in their inception
- Permissible in their scope

Page 4: WHAT STATE AGENCIES CAN DO

Rule 1

Have an Appropriate Acceptable Use Policy and Disseminate it Properly

Page 5: WHAT STATE AGENCIES CAN DO

An Appropriate Acceptable Use Policy

- Scope: all Commonwealth IT Resources
- Applicability: all users of Commonwealth IT resources (don’t limit to employees, contractors, elected officials, unpaid interns, etc.)
- Failure to observe results in discipline
- Defines acceptable and unacceptable uses of Commonwealth IT
- Data confidentiality
- IP protection
- Computer viruses
- Network security
- Email use
- No expectation of privacy
- Use of system is consent to policy

Page 6: WHAT STATE AGENCIES CAN DO

All ANF Agencies are subject to the ANF AUP (unless they adopt a similarly protective agency policy)

ANF Policy available at http://mass.gov/portal/index.jsp?pageID=agcc&agid=eoaf&agca=policiesinitiatives&agcc=otherpolicies

Page 7: WHAT STATE AGENCIES CAN DO

Proper Dissemination

- Post it on your agency intranet and internet sites
- Provide to all IT resource users
- Incorporate in contracts
- Mail link to users annually
- Update periodically
- Document dissemination

Page 8: WHAT STATE AGENCIES CAN DO

Rule 2

Have an Appropriate User Responsibility Policy and Disseminate it Appropriately

Page 9: WHAT STATE AGENCIES CAN DO

A Proper User Responsibility Policy

- Explains why the user has been granted Log-in IDs for systems and networks
- States that user must keep Log-in ID confidential
- Limits choice of passwords
- Notifies that use of Log-in ID is a privilege that may be revoked
- Sole responsibility of user

Page 10: WHAT STATE AGENCIES CAN DO

Proper User Responsibility Policy

- Report to ISO if compromised
- Data release only consistent with law
- Remote access issues
- Discipline including termination for violation
- Reiterate acceptable use
- Current monitoring and potential screening
- Contact information for ISO
- (OER Review)

Page 11: WHAT STATE AGENCIES CAN DO

Proper Dissemination

- Same as dissemination of AUP, but instead of disseminating as policy to all, at hire or first engagement with agency, require all non-union users to sign an agreement incorporating the policy, stating date on which they received it and had chance to review
- Provide hard copy of policy to all union employees

Page 12: WHAT STATE AGENCIES CAN DO

Rule 3

Avoid VPN Access for Users via their home computers

Page 13: WHAT STATE AGENCIES CAN DO

Avoid VPN access for users via their home computers

- Administrators have access to home computers while VPN session is open
- Employees have a higher degree of privacy rights in personally-owned home computers
- Others in household who share the PC also have privacy rights
- When investigating employee misconduct, do not under any circumstances conduct a warrantless search of a telecommuter’s personal PC through your VPN connection

Page 14: WHAT STATE AGENCIES CAN DO

Rule 4

When investigating workplace misconduct make sure that searches of employee offices, and hard drives, disks, and other IT equipment used only by the individual, or any other areas in which the employee may claim a privacy right, are:
- Justified in their inception
- Permissible in their scope

Page 15: WHAT STATE AGENCIES CAN DO

Justified at Their Inception means…

There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct:

- Example: Technician exploring firewall capabilities enters term “sex” in firewall database and discovers that government employee user has accessed a number of sex sites using his government-issued computer in his government office, in violation of agency policy
- Example: Technician in government employee’s office installing network connection on network computer sees pornography files on employee’s screen in violation of workplace policy

Page 16: WHAT STATE AGENCIES CAN DO

Permissible in their scope means…

Measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct:

Example: Following agency’s discovery of sex site visit evidence on firewall log,
- Supervisor remotely reviews information on user’s computer, and only after finding further evidence of visits to pornographic sites forbidden by agency policy
- Only thereafter enters employee’s private office and takes hard drive and disks.

Page 17: WHAT STATE AGENCIES CAN DO

Permissible in scope, cont.

Example: Following discovery by technician installing network connection that user has pornography on government employee’s government-issued computer, in violation of agency policy, employer conducts full search of employee’s computer and disks.

Page 18: WHAT STATE AGENCIES CAN DO

Relevant Statutes and Case Law

Page 19: WHAT STATE AGENCIES CAN DO

The Commonwealth Falls into Two Legal Categories

- The Commonwealth as an employer
- The Commonwealth as a government entity

Page 20: WHAT STATE AGENCIES CAN DO

Government as Employer

- Faces the same legal landscape as all employers
- Statutes and Case law

Page 21: WHAT STATE AGENCIES CAN DO

As Government Entity

- State is subject to Fair Information Practices Act
- Fourth Amendment search and seizure issues.

Page 22: WHAT STATE AGENCIES CAN DO

Statutes Affecting All Employers

- State Privacy Act, Mass. Gen. L. ch. 214
- State Wiretap Law, Mass. Gen. L. ch. 272, sec. 99
- Federal Wiretap Statute, 18 U.S.C. sec. 2511 et seq.
- Data privacy laws
- Federal Stored Communications Statute, 18 U.S.C. sec. 2701

Page 23: WHAT STATE AGENCIES CAN DO

State Privacy Act

- “A person shall have a right against unreasonable, substantial, or serious interference with his privacy”. M.G.L. ch. 214, sec. 1B
- Restuccia v. Burke Technology, Inc., 1999 WL 1329386 (Mass. Super. 1996): Genuine issue of fact regarding whether employee had reasonable expectation of privacy in email that he had sent to supervisor at the supervisor’s company email address that later resulted in termination.

Page 24: WHAT STATE AGENCIES CAN DO

Garrity v. John Hancock Mutual Life Insurance Company, 2002 WL 974676 (D. Mass. 2002)

- Plaintiffs: 2 employees and husband of one employee
- Sexually explicit emails sent from husband to both employees at company email addresses
- Two employees distribute these emails to other employees over company email
- Employee plaintiffs fired after investigation including employer review of emails contained in backup system

Page 25: WHAT STATE AGENCIES CAN DO

State Privacy Law Claim

- Invasion of privacy (no citation to state privacy statute, but either state statute or tort of privacy invasion appears to be basis of claim)
- Holding: no privacy violation

Page 26: WHAT STATE AGENCIES CAN DO

Court quotes from Hancock’s Well-disseminated Email Policy, which Explicitly Said:

- Obscene, profane, sexually oriented emails prohibited
- Violators would be subject to disciplinary action up to and including termination
- All information stored, transmitted, received or contained in company email systems was the employer’s property
- Business or legal reasons might require company review of email messages and other documents

Page 27: WHAT STATE AGENCIES CAN DO

Court’s Reasoning

No reasonable expectation of privacy in the emails among the plaintiffs because

- Evidence that employee’s husband, and employee plaintiffs, assumed the emails would be forwarded to others at the company
- Citation to Pennsylvania District Court case to the effect that even without an email policy, no privacy expectation in emails sent over company email system (but PA case was about privacy expectations of employees, not outsiders)

Page 28: WHAT STATE AGENCIES CAN DO

Court’s Reasoning, cont.

- Even if there was a reasonable expectation of privacy in the emails, Hancock’s legitimate business interest in protecting its employees from harassment in workplace would “likely trump plaintiffs’ privacy interests”.
- Both state and Federal anti-discrimination law REQUIRE employer to take affirmative steps to maintain workplace free of harassment, investigate incidents of harassment and take prompt action

Page 29: WHAT STATE AGENCIES CAN DO

Based on State Privacy Law and Hancock…

Private sector employers whose email policy forbids use of email system for certain activities do not violate state Privacy Act when reading employee emails during investigation of employee policy violations that are also violations of state or federal law. Probable that even without an email policy, employee in a private sector company may have no privacy rights under the Privacy Law with respect to emails created or received in the workplace.

Page 30: WHAT STATE AGENCIES CAN DO

Privacy of State Employee Emails

State employees have an even weaker argument for the privacy of most of their emails because the Secretary of State has ruled that emails created or received by an employee or a government unit are public record. DSPR Bulletin 1-99 2/16/99.

Page 31: WHAT STATE AGENCIES CAN DO

Hancock leaves open the question:

Where there is no evidence that the non-employee sending email to an employee at his work email address knew that his email would be distributed to others in the company, are the sender’s rights under the State Privacy Act violated when, without the sender’s consent, the employer reads his email? Sender may not have as much reason to be aware of the public record nature of emails sent to the state.

Page 32: WHAT STATE AGENCIES CAN DO

State Wiretap Law

- Prohibits secret interception of wire and oral communications
- Doesn’t apply if both parties to communication have consented to interception
- Doesn’t apply to possession or use of an intercommunications system which is used in the ordinary course of owner’s business

Page 33: WHAT STATE AGENCIES CAN DO

Raised by plaintiffs in Hancock because. . .

- Hancock, following complaint by fellow employee regarding sexually explicit email transmitted by plaintiffs over company email system, commenced investigation
- Investigation included reading backed up emails created, received or transmitted by plaintiffs.
- Plaintiffs claim the reading of such emails was an “interception” that violated the state wiretap law

Page 34: WHAT STATE AGENCIES CAN DO

Court: No violation of State Wiretap Because:

- State wiretap law applies only to interception of communications in transit; Hancock read only stored email
- Even if the reading itself were a form of interception, the backup system was not an interception because it fell under the “ordinary business exemption” of the wiretap statute. (See also Restuccia).

Page 35: WHAT STATE AGENCIES CAN DO

Application of State Wiretap Act to State Agencies:

- Reading backed up employee emails not a violation
- Screening incoming emails for viruses and spam, and screening outgoing emails is not a violation because it is “ordinary course of business” for state agencies because of data privacy laws
- Intercepting incoming emails from a known source of harassing emails is not a violation

Page 36: WHAT STATE AGENCIES CAN DO

State Wiretap Act Summary: Screening Incoming Emails

State agency intercepting all incoming emails on shakier legal ground:

No legal requirement under data privacy laws or discrimination laws imposed on employers to screen incoming email. Screening all incoming email may not constitute acting in the ordinary course of business

Page 37: WHAT STATE AGENCIES CAN DO

State Wiretap Act Summary: Screening incoming email

Unlike most businesses that receive email from customers, Commonwealth citizens have legitimate reasons for emailing messages to state agencies that contain words that may be picked up by screening software

- Example: Citizens seeking health information may use slang terms for body parts
- Citizens reporting discrimination to state agencies, quoting offensive language.
- Citizens using strong language to criticize state officials

Page 38: WHAT STATE AGENCIES CAN DO

Federal Wiretap Statute

- Similar to state statute; does not apply to stored email communications
- But only one party to communications needs to consent. 18 U.S.C. sec. 2511(2)(d).

AUP that states that users of IT resources consent to monitoring probably creates requisite consent

And provider of electronic communications service can intercept to protect the rights or property of the provider.

Screening all emails for harassing content would appear to be a means of protecting the employer’s rights to maintain a non-discriminatory workplace

Page 39: WHAT STATE AGENCIES CAN DO

Under Federal Wiretap Statute

- Agencies that have and disseminate an acceptable use policy stating that use of IT system is consent to monitoring and viewing of messages are not in violation of Federal Wiretap Law if they monitor both incoming and outgoing email for any purpose.
- Even without an AUP, agencies monitoring all incoming and outgoing email for purposes of preventing violations of Federal or state law, reducing spam or maintaining network security are probably not in violation of the Federal Wiretap Act.

Page 40: WHAT STATE AGENCIES CAN DO

Data Privacy Laws

- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley

Page 41: WHAT STATE AGENCIES CAN DO

Federal Stored Communications Act

- Prohibits unauthorized access to electronic communication while it is in electronic storage. 18 U.S.C. sec. 2701
- An employer’s accessing of backed up emails on its own email system does not violate this act because it is not “unauthorized”.

Page 42: WHAT STATE AGENCIES CAN DO

Query, however…

- When employee has VPN access through home computer, absent a written agreement with employee, systems administrator’s viewing of non-work related files on the computer during a VPN session may not be “authorized” and may therefore be a violation of the SCA.
- Administrator’s viewing of files of household members of employees during VPN session probably violates the SCA because such intrusions are certainly not authorized.

Page 43: WHAT STATE AGENCIES CAN DO

GOVERNMENT AS GOVERNMENT EMPLOYER

- Fair Information Practices Act
- Fourth Amendment

Page 44: WHAT STATE AGENCIES CAN DO

Fair Information Practices Act

- State Fair Information Practices Act
- Protects personal data (data clearly linked to an individual that is not public record) held by a “holder” agency
- Most information about employees held by state agency employers is public record.
- Personal data about employees (evaluations, paternity information) can be accessed by the agency’s employees during a legitimate workplace misconduct investigation without violating FIPA but dissemination outside the agency restricted by FIPA.

Page 45: WHAT STATE AGENCIES CAN DO

Fourth Amendment

- Fourth Amendment to U.S. Constitution, made applicable to states via 14th Amendment
- Parallel rights under State Constitution
- Where state employee has an objectively reasonable privacy expectation in a place, the state cannot search that place while investigating a workplace policy violation unless it obtains a warrant or an exception to the warrantless search rule applies.

Page 46: WHAT STATE AGENCIES CAN DO

What happens if state violates this rule when investigating employee misconduct?

- If the employee is later tried for violation of criminal law, evidence collected in violation of the Fourth Amendment can be suppressed.
- “Bivens” action against state actors for civil money damages

Page 47: WHAT STATE AGENCIES CAN DO

Scope of our discussion

- NOT a discussion about legal or illegal use of warrants the state obtains during a criminal investigation by state police;
- RATHER Non-criminal, warrantless searches a state agency might conduct for the purpose (but not necessarily the sole purpose) of investigating an instance of employee workplace misconduct that may also constitute a crime.

Page 48: WHAT STATE AGENCIES CAN DO

O’Connor v. Ortega, 480 U.S. 709 (1987)

Fourth Amendment prohibits unreasonable searches and seizures by government employers or supervisors

Page 49: WHAT STATE AGENCIES CAN DO

Government employees

Have a reasonable expectation of privacy in their offices or in parts of their offices, such as their desks or file cabinets. O’Connor. But office procedures, policies or regulations may reduce legitimate privacy expectations. O’Connor.

Page 50: WHAT STATE AGENCIES CAN DO

Even if state employee establishes a privacy interest in the area that you search, your search may be covered by an exception to warrantless search requirement for government employers

- Government employer’s interest in the efficient and proper operation of the workplace may justify warrantless work-related searches.
- Government agency investigations of violations of workplace misconduct fall under this rule.
- This exception can apply even if the employer is a law enforcement agency and the agent conducting the search is aware that the information collected could later be used for criminal prosecution

Page 51: WHAT STATE AGENCIES CAN DO

Rules for Government Employer Warrantless Search

- Reasonable in its inception
- Permissible in its scope

Page 52: WHAT STATE AGENCIES CAN DO

Reasonable in its inception

There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct

Page 53: WHAT STATE AGENCIES CAN DO

Permissible in its scope

Investigatory measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct

Page 54: WHAT STATE AGENCIES CAN DO

U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000)

- Motion to suppress
- Mark L. Simons
- CIA Employee
- Convicted of receiving and downloading child pornography
- Used workplace Internet access to do so

Page 55: WHAT STATE AGENCIES CAN DO

Court Notes that CIA:

- Had an Internet usage policy
- Use for official government business only
- Accessing unlawful material specifically prohibited
- CIA will conduct electronic audits to ensure compliance
- Great detail about how audits would look at sent and received email and web sites visited

Page 56: WHAT STATE AGENCIES CAN DO

Events leading to conviction

- Simons has an agency office that he locks and a computer provided by CIA with access to internet
- Technician exploring firewall capabilities enters keyword “sex” into firewall database
- Technician notes large number of Internet hits originating from Simons’ computer. Names of sites obviously not for official purposes. Reports to supervisors.
- Another CIA employee remotely examines Simons’ computer, finds downloaded pornographic files, and copies files

Page 57: WHAT STATE AGENCIES CAN DO

Later, in Simons’ office,

- Employer physically entered Simons’ office
- Removed original hard drive

Page 58: WHAT STATE AGENCIES CAN DO

Subsequently

Evidence from both remote and office searches used to convict Simons

Page 59: WHAT STATE AGENCIES CAN DO

Simons raises Fourth Amendment claim regarding

- The remote search
- The office search

Page 60: WHAT STATE AGENCIES CAN DO

Remote search: Court holds

- No violation because Simons had no expectation of privacy with respect to “fruits of his internet search” because of employer policy
- Policy placed employees on notice
- No objectively reasonable belief

Page 61: WHAT STATE AGENCIES CAN DO

Office Search

- Private office Simons did not share
- No office policies or procedures reducing his privacy interest
- He had a privacy interest in office
- But requirements of government agency exception to warrantless search rule met

Page 62: WHAT STATE AGENCIES CAN DO

Government agency exception applied

- Although dominant purpose of search was to acquire information about criminal activity, CIA did not lose its special need for efficient and proper operation of workplace
- Criminal acts related to employment, in that employer workplace policy violated
- Compare to situation where criminal acts are unrelated to employment-related misconduct.
- Here, conjunction of conduct that violated workplace rules and conduct that violated criminal law did not prohibit application of exemption

Page 63: WHAT STATE AGENCIES CAN DO

CIA Met requirements for special needs search

- Reasonable at its inception because based on technician’s work, grounds to suspect child porn violation
- Permissible in scope because entering Simons’ office was reasonably related to objective of the search, retrieval of the hard drive. And search not excessively intrusive. No search of desk, any other items in office.

Page 64: WHAT STATE AGENCIES CAN DO

See U.S. v. Slanina, 283 F.3d 670 (5th Cir. 2002) (appeal from conviction of municipal employee for child pornography).

Page 65: WHAT STATE AGENCIES CAN DO

Search and Seizure Rules and State Agencies

- Reduce the employee’s expectation of privacy in electronic communications and activities related to state information technology resources
- Make sure your search is justified in its inception---no fishing expeditions.
- Must have some reason to suspect violation of a workplace policy, not just a crime.
- Limit scope of your search to places likely to answer your question as to whether the employee violated your workplace policy

Page 66: WHAT STATE AGENCIES CAN DO

Courts will view differently Warrantless…

- Remote searches of employer’s computer in employee’s office (or, presumably, at home)
- Physical search of employee’s private office at workplace
- Remote search of employee-owned PC used for VPN connection to state network

Page 67: WHAT STATE AGENCIES CAN DO

Search may violate employee’s Fourth Amendment Rights if…

- Search not justified at its inception because employer has no reason to suspect violation of workplace policy, even if employer has reason to suspect violation of criminal law
- Search not permissible in scope because employer searches places or things unrelated to the suspected violation of a workplace policy

Page 68: WHAT STATE AGENCIES CAN DO

Contact Information

Linda Hamel, ITD General [email protected] (617)-626-4404