WHAT STATE AGENCIES CAN DO
description
Transcript of WHAT STATE AGENCIES CAN DO
WHAT STATE AGENCIES CAN DO
To Protect Employee Privacy During Investigations of Workplace
Misconduct
Overview
Four Rules Relevant Cases and Statutes
Four RulesRule 1: Have an Appropriate Acceptable Use Policy and Disseminate it ProperlyRule 2: Have an Appropriate User Responsibility Policy and Disseminate it ProperlyRule 3: Where at all possible, avoid providing VPN access to users via their home computers (as opposed to state-issued computers)Rule 4: When investigating workplace misconduct make sure that searches of employee offices, and employee hard drives, disks, and other IT equipment used only by the individual employees are:
Justified in their inceptionPermissible in their scope
Rule 1
Have an Appropriate Acceptable Use Policy and Disseminate it Properly
An Appropriate Acceptable Use Policy
Scope: all Commonwealth IT ResourcesApplicability: all users of Commonwealth IT resources (don’t limit to employees, contractors, elected officials, unpaid interns, etc.)Failure to observe results in discipline
Defines acceptable and unacceptable uses of Commonwealth ITData confidentialityIP protectionComputer virusesNetwork securityEmail useNo expectation of privacyUse of system is consent to policy
All ANF Agencies are subject to the ANF AUP (Unless they adopt
a similarly protective agency policy)
ANF Policy available at http://mass.gov/portal/index.jsp?
pageID=agcc&agid=eoaf&agca=policiesinitiatives&agcc=otherpolicies
Proper Dissemination
Post it on your agency intranet and internet sitesProvide to all IT resource users Incorporate in contractsMail link to users annuallyUpdate periodicallyDocument dissemination
Rule 2
Have an Appropriate User Responsibility Policy and
Disseminate it Appropriately
A Proper User Responsibility Policy
Explains why the user has been granted Log-in IDs for systems and networksStates that user must keep Log-in ID confidentialLimits choice of passwordsNotifies that use of Log-In ID is a privilege that may be revokedSole responsibility of user
Proper User Responsibility Policy
Report to ISO if compromisedData release only consistent with lawRemote access issuesDiscipline including termination for violationReiterate acceptable useCurrent monitoring and potential screeningContact information for ISO(OER Review)
Proper Dissemination
Same as dissemination of AUP, but instead of disseminating as policy to all, at hire or first engagement with agency, require all non-union users to sign an agreement incorporating the policy, stating date on which they received it and had chance to reviewProvide hard copy of policy to all union employees
Rule 3
Avoid VPN Access for Users via their home computers
Avoid VPN access for users via their home computers
Administrators have access to home computers while VPN session is openEmployees have a higher degree of privacy rights in personally-owned home computersOthers in household who share the PC also have privacy rightsWhen investigating employee misconduct, do not under any circumstances conduct a warrantless search of a telecommuter’s personal PC through your VPN connection
Rule 4
When investigating workplace misconduct make sure that searches of employee offices, and hard
drives, disks, and other IT equipment used only by the individual, or any other areas in which the
employee may claim a privacy right:Justified in their inceptionPermissible in their scope
Justified at Their Inception means…
There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct:
Example: Technician exploring firewall capabilities enters term “sex” in firewall database and discovers that government employee user has accessed a number of sex sites using his government issued computer in his government office, in violation of agency policyExample: Technician in government employee’s office installing network connection on network computer sees pornography files on employee’s screen in violation of workplace policy
Permissible in their scope means…
Measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct:
Example: Following agency’s discovery of sex site visit evidence on firewall log,
Supervisor remotely reviews information on user’s computer, and only after finding further evidence of visits to pornographic sites forbidden by agency policyOnly thereafter enters employee’s private office and takes hard drive and disks.
Permissible in scope, cont.
Example: Following discovery of technician installing network connection that user has pornography on government employee’s government issued computer, in violation of agency policy, employer conducts full search of employee’s computer and disks.
Relevant Statutes and Case Law
The Commonwealth Falls into Two Legal Categories
The Commonwealth as an employerThe Commonwealth as a government entity
Government as Employer
Faces the same legal landscape as all employersStatutes and Case law
As Government Entity
State is subject to Fair Information Practices ActFourth Amendment search and seizure issues.
Statutes Affecting All Employers
State Privacy Act, Mass. Gen. L. ch. 214State Wiretap Law, Mass. Gen. L. ch. 272, sec. 99Federal Wiretap Statute, 18 U.S.C. sec. 2511 et seq.Data privacy lawsFederal Stored Communications Statute, 18 U.S.C. sec. 2701
State Privacy Act
“A person shall have a right against unreasonable, substantial, or serious interference with his privacy”. M.G.L. ch. 214, sec. 1B Restuccia v. Burke Technology, Inc., 1999 WL 1329386 (Mass. Super. 1996): Genuine issue of fact regarding whether employee had reasonable expectation of privacy in email that he had sent to supervisor at the supervisor’s company email address that later resulted in termination.
Garrity v. John Hancock Mutual Life Insurance Company, 2002 WL 974676 (D. Mass. 2002)
Plaintiffs: 2 employees and husband of one employeeSexually explicit emails sent from husband to both employees at company email addressesTwo employees distribute these emails to other employees over company emailEmployee plaintiffs fired after investigation including employer review of emails contained in backup system
State Privacy Law Claim
Invasion of privacy (no citation to state privacy statute, but either state statute or tort of privacy invasion appear to be basis of claim)Holding: no privacy violation
Court quotes from Hancock’s Well-disseminated Email Policy, which Explicitly Said:
Obscene, profane, sexually oriented emails prohibitedViolators would be subject to disciplinary action up to and including terminationAll information stored, transmitted, received or contained in company email systems systems was the employer’s propertyBusiness or legal reasons might require company review of email messages and other documents
Court’s Reasoning
No reasonable expectation of privacy in the emails among the plaintiffs because
Evidence that employee’s husband, and employee plaintiffs, assumed the emails would be forwarded to others at the companyCitation to Pennsylvania District Court case to the effect that even without an email policy, no privacy expectation in emails sent over company email system (but PA case was about privacy expectations of employees, not outsiders)
Court’s Reasoning, cont.Even if there was a reasonable expectation of privacy in the emails, Hancock’s legitimate business interest in protecting its employees from harassment in workplace would “likely trump plaintiffs’ privacy interests”. Both state and Federal anti-discrimination law REQUIRE employer to take affirmative steps to maintain workplace free of harassment , investigate incidents of harassment and take prompt action
Based on State Privacy Law and Hancock…
Private sector employers whose email policy forbids use of email system for certain activities do not violate state Privacy Act when reading employee emails during investigation of employee policy violations that are also violations of state or federal law. Probable that even without an email policy, employee in a private sector company may have no privacy rights under the Privacy Law with respect to emails created or received in the workplace.
Privacy of State Employee Emails
State employees have an even weaker argument for the privacy of most of their emails because the Secretary of State has ruled that emails created or received by an employee or a government unit are public record. DSPR Bulletin 1-99 2/16/99.
Hancock leaves open the question:
Where there is no evidence that the non-employee sending email to an employee at his work email address knew that his email would be distributed to others in the company, are the sender’s rights under the State Privacy Act violated when, without the sender’s consent, the employer reads his email? Sender may not have as much reason to be aware of the public record nature of emails sent to the state.
State Wiretap Law
Prohibits secret interception of wire and oral communicationsDoesn’t apply if both parties to communication have consented to interception Doesn’t apply to possession or use of an intercommunications system which is used in the ordinary course of owner’s business
Raised by plaintiffs in Hancock because. . .
Hancock, following complaint by fellow employee regarding sexually explicit email transmitted by plaintiffs over company email system, commenced investigationInvestigation included reading backed up emails created, received or transmitted by plaintiffs. Plaintiffs claim the reading of such emails was an “interception” that violated the state wiretap law
Court: No violation of State Wiretap Because:
State wiretap law applies only to interception of communications in transit; Hancock read only stored emailEven if the reading itself were a form of interception, the backup system was not an interception because fell under “ordinary business exemption “ of wiretap statute. (See also Restuccia).
Application of State Wiretap Act to State Agencies:
Reading backed up employee emails not a violationScreening incoming emails for viruses and spam, and screening outgoing emails is not a violation because it is “ordinary course of business” for state agencies because of data privacy lawsIntercepting incoming emails from a known source of harassing emails is not a violation
State Wiretap Act Summary: Screening Incoming Emails
State agency intercepting all incoming emails on shakier legal ground:
No legal requirement under data privacy laws or discrimination laws imposed on employers to screen incoming email. Screening all incoming email may not constitute acting in the ordinary course of business
State Wiretap Act Summary: Screening incoming email
Unlike most businesses that receive email from customers, Commonwealth citizens have legitimate reasons for emailing messages to state agencies that contain words that may be picked up by screening software
Example: Citizens seeking health information may use slang terms for body partsCitizens reporting discrimination to state agencies, quoting offensive language.Citizens using strong language to criticize state officials
Federal Wiretap StatuteSimilar to state statute; does not apply to stored email communicationsBut only one party to communications needs to consent. 18 U.S.C. sec. 2511(2)(d).
AUP that states that users of IT resources consent to monitoring probably creates requisite consent
And provider of electronic communications service can intercept to protect the rights or property of the provider.
Screening all emails for harassing content would appear to be a means of protecting the employer’s rights to maintain a non-discriminatory workplace
Under Federal Wiretap StatuteAgencies that have and disseminate an acceptable use policy stating that use of IT system is consent to monitoring and viewing of messages are not in violation of Federal Wiretap Law if they monitor both incoming and outgoing email for any purpose. Even without an AUP, agencies monitoring all incoming and outgoing email for purposes of preventing violations of Federal or state law, reducing spam or maintaining network security are probably not in violation of the Federal Wiretap Act.
Data Privacy Laws
Health Insurance Portability and Accountability ActGramm-Leach-Bliley
Federal Stored Communications Act
Prohibits unauthorized access to electronic communication while it is in electronic storage. 18 U.S.C. sec. 2701An employer’s accessing of backed up emails on its own email system does not violate this act because it is not “unauthorized”.
Query, however…When employee has VPN access through home computer , absent a written agreement with employee, systems administrator’s viewing of non-work related files on the computer during a VPN session may not be “authorized” and may therefore be a violation of the SCA.Administrator’s viewing of files of household members of employees during VPN session probably violates the SCA because such intrusions are certainly not authorized.
GOVERNMENT AS GOVERNMENT EMPLOYER
Fair Information Practices ActFourth Amendment
Fair Information Practices ActState Fair Information Practices ActProtects personal data (data clearly linked to an individual that is not public record) held by a “holder” agencyMost information about employees held by state agency employers is public record.Personal data about employees (evaluations, paternity information) can be accessed by the agency’s employees during a legitimate workplace misconduct investigation without violating FIPA but dissemination outside the agency restricted by FIPA.
Fourth Amendment
Fourth Amendment to U.S. Constitution, made applicable to states via 14th AmendmentParallel rights under State ConstitutionWhere state employee has an objectively reasonable privacy expectation in a place, the state cannot search that place while investigating a workplace policy violation unless it obtains a warrant or an exception to the warrantless search rule applies.
What happens if state violates this rule when investigating employee misconduct?
If the employee is later tried for violation of criminal law, evidence collected in violation of the Fourth Amendment can be suppressed. “Bivens” action against state actors for civil money damages
Scope of our discussion
NOT a discussion about legal or illegal use of warrants the state obtains during a criminal investigation by state police;RATHER Non-criminal, warrantless searches a state agency might conduct for the purpose (but not necessarily the sole purpose) of investigating an instance of employee workplace misconduct that may also constitute a crime.
O’Connor v. Ortega, 480 U.S. 709 (1987)
Fourth Amendment prohibits unreasonable searches and seizures by government employers or supervisors
Government employees
Have a reasonable expectation of privacy in their offices or in parts of their offices, such as their desks or file cabinets. O’Connor. But office procedures, policies or regulations may reduce legitimate privacy expectations. O’Connor.
Even if state employee establishes a privacy interest in the area that you search, your search may be covered by an
exception to warrantless search requirement for government employers
Government employer’s interest in the efficient and proper operation of the workplace may justify warrantless work-related searches.Government agency investigations of violations of workplace misconduct fall under this rule. This exception can apply even if the employer is a law enforcement agency and the agent conducting the search is aware that the information collected could later be used for criminal prosecution
Rules for Government Employer Warrantless Search
Reasonable in its inceptionPermissible in its scope
Reasonable in its inception
There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct
Permissible in its scope
Investigatory measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct
U. S. v. Simons, 206 F.3d 392 (4th. Cir. 2000)
Motion to suppressMark L. SimonsCIA EmployeeConvicted of receiving and downloading child pornography Used workplace Internet access to do so
Court Notes that CIA:
Had an Internet usage policyUse for official government business onlyAccessing unlawful material specifically prohibitedCIA will conduct electronic audits to ensure complianceGreat detail about how audits would look at sent and received email and web sites visited
Events leading to convictionSimons has an agency office that he locks and a computer provided by CIA with access to internetTechnician exploring firewall capabilities enters keyword “sex” into firewall databaseTechnician notes large number of Internet hits originating from Simons computer. Names of sites obviously not for official purposes. Reports to supervisors. Another CIA employee remotely examines Simons computer, finds downloaded pornographic files, and copies files
Later, in Simon’s office,
Employer physically entered Simons officeRemoved original hard drive
Subsequently
Evidence from both remote and office searches used to convict Simons
Simons raises fourth amendment claim regarding
The remote searchThe office search
Remote search: Court holds
No violation because Simons had no expectation of privacy with respect to “fruits of his internet search” because of employer policyPolicy placed employees on noticeNo objectively reasonable belief
Office Search
Private office Simons did not shareNo office policies or procedures reducing his privacy interestHe had a privacy interest in officeBut requirements of government agency exception to warrantless search rule met
Government agency exception applied
Although dominant purpose of search was to acquire information about criminal activity, CIA did not lose its special need for efficient and proper operation of workplaceCriminal acts related to employment, in that employer workplace policy violatedCompare to situation where criminal acts are unrelated to employment-related misconduct. Here, conjunction of conduct that violated workplace rules and conduct that violated criminal law did not prohibit application of exemption
CIA Met requirements for special needs search
Reasonable at its inception because based on technician’s work, grounds to suspect child porn violationPermissible in scope because entering Simon’s office was reasonably related to objective of the search, retrieval of the hard drive. And search not excessively intrusive. No search of desk, any other items in office.
See U.S. v. Slanina, 283 F.3d 670 (5th Cir. 2002)
(appeal from conviction of municipal employee for child pornography).
Search and Seizure Rules and State Agencies
Reduce the employee’s expectation of privacy in electronic communications and activities related to state information technology resourcesMake sure your search is justified in its inception---no fishing expeditions.Must have some reason to suspect violation of a workplace policy, not just a crime.Limit scope of your search to places likely to answer your question as to whether the employee violated your workplace policy
Courts will view differently Warrantless…
Remote searches of employer’s computer in employee’s office (or, presumably, at home) Physical Search of employee’s private office at workplace Remote search of employee owned PC used for VPN connection to state network
Search may violate employee’s Fourth Amendment Rights if…Search not justified at its inception because employer has no reason to suspect violation of workplace policy, even if employer has reason to suspect violation of criminal law Search not permissible in scope because employer searches places or things unrelated to the suspected violation of a workplace policy
Contact Information
Linda Hamel, ITD General [email protected](617)-626-4404