October 21, 2009

Technology Puts Debt Collectors on Uncertain Legal Ground

According to a Government Accountability Office report (GAO-09-748) released today, modern communications technologies have blurred the former clarity of key provisions in the Fair Debt Collection Practices Act.

The first problem is that the FDCPA was written in 1977, before the advent of the commercial Internet, e-mail, voice mail, mobile phones and fax machines. (For my older readers, 1977 was the year Rocky won the Best Picture Oscar and Lindsay Wagoner won an Emmy for her work in The Bionic Woman. Days of bread and circuses for sure.)

Meanwhile, back at the Forum, Congress created the second problem. Congress designed the FDCPA to be frozen in time, by failing to give the Federal Trade Commission rulemaking authority to implement the act. What this means for debt collectors is that their ability to lawfully dun debtors via something other than a landline -- such as a fax machine, voice mail, e-mail, or mobile phone -- is substantially in doubt.

This is a big problem for debt collectors because, as we all know, the landline -- the leading communications technology of 1977 -- is the least likely place to reach anyone nowadays. One commenter to the GAO, the National Association of Retail Collection Attorneys, remarked that "conflicting court decisions have made regulatory compliance a guessing game, rather than a predictable endeavor."

Here are a few technology-related concerns mentioned in the GAO report:

Voice-mail and answering machines. Leaving a collection message on these devices is legally risky, because someone other than the debtor may overhear the message, causing an FDCPA violation.

Mobile phones. A debtor may be in a different timezone than the one suggested by the debtor's mobile phone area code. And the debtor's mobile service provider may charge for connecting the debt collector's call. This means that attempts to collect a debt via a mobile phone call could violate the FDCPA's rules on imposing telephone charges on consumers and on calling outside the lawful hours of 8 a.m. and 9 p.m.

Caller identification devices. The display of the debt collector's phone number on a caller identification device could be a violation of the FDCPA if someone other than the debtor sees the number. On the other hand, blocking caller identification information could be a violation of the FTC Act's prohibition on making a false or misleading statement.

E-mail messages and fax machines. These communications technologies are believed to create too high a risk that someone other than the debtor may read the transmission, in violation of the FDCPA's ban on disclosure to third parties.

Predictive dialers. Effective, perhaps, but these raise the risk of violating the FDCPA's prohibition on causing a phone to ring repeatedly with the intent to annoy or harass the debtor.

Another problem identified by the GAO is the post-1977 emergence of a debt collection industry where consumer debts and personal information are packaged and sold as "debt portfolios" among debt buyers and other intermediaries, creating doubt about the FDCPA's application to these new entities. Also creating business problems for debt collectors, many of whom did not directly deal with the original debtor, is the fact that they frequently lack good information about the collection history, prior consumer complaints, and the outcome of bankruptcy proceedings.

These and other problems led the GAO to call on Congress to update the FDCPA to take into account changes in the debt collection industry, to reflect changes in communications technologies, and to give the FTC rulemaking authority to implement any so-modified law. There is little good in the GAO's proposal for debtors. The clear thrust of the GAO's report is that the debt collection industry is having trouble effectively communicating with debtors, due in large part to fragmentation within the industry and due to the widespread adoption of communications technologies that have placed modern debt collection efforts on uncertain legal ground. And that Congress should do something about it. Eventual legislation might be an opportunity, however, for privacy rights advocates to insert consumer privacy protections into an area that, on the surface, seems to be rife with information processing and transfers and trade in sensitive personal information.

Posted by Thomas O'Toole on October 21, 2009 in Consumer Protection, Privacy | | Comments (1)

October 08, 2009

Jurisdiction Setback Apparently Won't Derail Privacy Action Against NebuAd

Plaintiffs in a privacy rights lawsuit against behavioral targeting technology provider NebuAd Inc. and six Internet service providers who shared their users' data with NebuAd have told the trial court they will press on even in the wake of the court's ruling that none of the ISP defendants are subject to suit in California. The court's Oct. 6 ruling left California-based NebuAd as the only defendant in the case, a complication because NebuAd liquidated its assets and went out of business in May 2009.

According to the court's opinion allowing NebuAd's current counsel to withdraw, also issued on Oct. 6, the plaintiffs believe that "NebuAd is not really going anywhere," and that NebuAd "is simply restarting with a new name," based out of the United Kingdom.

NebuAd's attorneys say they are owed $500,000 in legal fees by NebuAd and its insurers. The court permitted the attorneys to withdraw, but declined their additional request to stay the proceedings against NebuAd until new counsel could be retained.

The plaintiffs are alleging violations of the Electronic Communications Privacy Act, the California Computer Crime Law, the federal Computer Fraud and Abuse Act, and the California Invasion of Privacy Act.

The ISPs who were dismissed from the case are Bresnan Communications, CenturyTel Communications Inc., Embarq Inc., Knology Inc., WideOpen West Finance LLC, and Cable One. None of the ISPs is based in California. The trial court ruled that the ISPs' dealings with NebuAd was not a sufficient and constitutionally reasonable basis for a California court to assert jurisdiction over them.

The case is Valentine v. NebuAd Inc., No. 08-5113 (N.D. Cal.).

Posted by Thomas O'Toole on October 08, 2009 in Computer Crime, Consumer Protection, Privacy | | Comments (0)

October 05, 2009

Challenge to Utah Child E-Mail Registry Law Dismissed

A constitutional challenge to Utah's child e-mail protection registry statute passed away quietly in its sleep late last week. A federal district court in Utah dismissed the case Sept. 30, several days after receiving a stipulation from all parties consenting to its dismissal.

The Utah Child Protection Registry Act, Utah Code Section 13-39-101, allows parents to register their children's "contact points" with a state registry. Essentially, the Utah law is a "do not email" statute for kids. It is unlawful to send a commercial message to a contact point that has been on the registry for more than 30 days.

Way back in 2005, a group known as the Free Speech Coalition challenged the law on First Amendment, CAN-SPAM preemption, Supremacy Clause, and dormant Commerce Clause grounds. The district court ruled in 2007 that the plaintiffs were not likely to prevail on their constitutional claims, denying a request for an injunction. The plaintiffs did not appeal to the Tenth Circuit, and the case has not been actively litigated since then.

The particulars of the lawsuit are set out in defendant Unspam Registry Services Inc.'s motion to dismiss the case, filed Sept. 3.

Posted by Thomas O'Toole on October 05, 2009 in Marketing, Privacy | | Comments (0)

September 25, 2009

Selective Outrage in Rocky Mountain Bank Case

I am a little bit mystified at the expressions of shock and outrage (yes, "outrage") at the news that Judge Ware has granted Rocky Mountain Bank's request for a TRO deactivating a Gmail account to which the bank had carelessly e-mailed detailed financial information on 1,325 bank customers.

Apparently this development alarms the many people out there in cyberspace who have the same attachment to their e-mail accounts as the National Rifle Association does to firearms.

The victims here are the bank customers, whose personal information is now certainly residing on several Google servers and possibly countless other online locations. The reasoning in the bank's motion for a temporary restraining order and the declaration of its president strikes me as unassailable.  The bank has a duty to do what it can to safeguard the personal, financial information of its customers.

The bank's customers are presently at risk of identity theft. The bank's shareholders are at risk of seeing their investment wiped away by a nasty data breach incident. Inaction, not action, is what should provoke "outrage" in these circumstances.

Google is also doing the right thing, following its privacy policy and the Electronic Communications Privacy Act by insisting on a court order before turning over information about its users. Now it has just such an order. Google's lawyer, Al Gidari of Perkins Coie in Seattle, filed an appearance in the case this afternoon. In another case, Google offered only token opposition, see the "Skanks of NYC" ruling, a precedent that may be relevant here.

As for the owner of the Gmail account, who has not yet been identified and who did not respond to the bank's subsequent attempts to contact him or her via the Gmail account, it is very difficult to see what rights might have been infringed by the bank's action against the account. Speculation about whether computer users have First Amendment claims against private computer network operators is interesting but fanciful.

Here are three cases that say computer users have no First Amendment rights against network operators:

  • Kinderstart.com v. Google Inc., No. 06-2057 (N.D. Cal., July 13, 2006) (Google has no First Amendment duty to protect free speech rights of websites it indexes);
  • Howard v. America Online Inc., 208 F.3d 741 (9th Cir. 2000)(interactive computer network is not a common carrier under Communications Act, not a state actor for First Amendment purposes);
  • Estavillo v. Sony Computer Entertainment, No. 09-3007 (N.D. Cal., Sept. 22, 2009)(Sony Playstation 3 Network owed no First Amendment duty to user terminated for allegedly violating terms of use).

I'm not aware of any cases going the other way, or cases remotely suggesting that the owner of the Gmail account at issue in the Rocky Mountain Bank case has been denied due process or any other constitutional or statutory right. Hey, he or she has already gotten more due process than you get at Twitter.

Venkat has more to say here.

Posted by Thomas O'Toole on September 25, 2009 in Content Regulation, Online Publishing, Privacy, Social Networks | | Comments (3)

September 22, 2009

California Privacy Law Not Preempted by CAN-SPAM Act

In California, the Song-Beverly Credit Card Act forbids merchants from asking for "personal information" when a customer uses a credit card to make a purchase. Addresses and telephone numbers are clearly covered by Song-Beverly. Zip codes are not, per Party City Corp v. Superior Court, 169 Cal.App.4th 497 (Cal. Ct.App. 2008).

How about e-mail addresses? Are they "personal information" forbidden to be collected by Song-Beverly? And if e-mail addresses are regulated by Song-Beverly, then is this aspect of Song-Beverly preempted by the federal CAN-SPAM Act?

Yesterday, in the case of Powers v. Pottery Barn Inc., D054336 (Cal. Ct.App., Sept. 21, 2009), a California intermediate appellate court ruled that the CAN-SPAM Act does not preempt a cause of action alleging that Song-Beverly was violated when a merchant (Pottery Barn, in this case) asked for and received the plaintiff's e-mail address during the course of a credit card transaction. CAN-SPAM does not preempt state laws of general applicability that only incidentally regulate e-mail, the court said. "Because Song-Beverly's regulation of what may be asked of credit card customers is not a regulation of what can be sent in commercial e-mails and is not in any manner specific to e-mail, we conclude Song-Beverly is not pre-empted by CAN-SPAM."

So the plaintiff's lawsuit, which seeks class status, lives on. As for the preliminary question of whether e-mail addresses are in fact "personal information" under Song-Beverly, the court didn't make a conclusive ruling on this point. It said that the record wasn't sufficiently developed to decide the question, adding that the allegations in the complaint were sufficient to avoid summary dismissal of the case. So the parties are free to fight this one out in a future hearing.

This could be a close question. E-mail addresses are generally considered -- see HIPAA, COPPA, GLBA here and PIPEDA in Canada -- to be personal information; but ... one leading federal privacy proposal, H.R. 2221 (the DATA Act), excludes e-mail addresses from its definition of personal information. State-law definitions are all over the map. And of course Song-Beverly does not specifically include e-mail addresses within its definition of personal information because, as the court pointed out, California lawmakers did not have e-mail regulation in mind when they wrote the law.

Finally, the court turned back Pottery Barn's claim that Song-Beverly's restriction on its ability to collect customer e-mail addresses violates the First Amendment. The court acknowledged Pottery Barn's First Amendment right to collect e-mail addresses, but added that this right was overcome by the state's "well-established and substantial" interest in protecting the privacy of its citizens. Marketers have lately been asserting a First Amendment right to access commercially valuable data, though without much success so far. A recent example I blogged about was IMS Health Inc v. Ayotte, in which the First Circuit turned back a First Amendment challenge to a New Hampshire law banning the sale of prescription drug information that identifies doctors' prescribing patterns. The U.S. Supreme Court declined June 29 to review the case.

Posted by Thomas O'Toole on September 22, 2009 in Marketing, Privacy | | Comments (0)

August 28, 2009

Ten Interesting Things I Read This Week

This post is a collection of links to materials I've been reading this week, really just trying to catch up on old news and re-engage myself in subjects that I spent most of my summer trying to forget while on vacation. I made supplications to the Muse all morning in the hope she would favor me with a catchy title, something that might yield one of those tragically sardonic acronyms like CAN-SPAM or SPY Act, but no, nothing, and now it's time to get back to work and all I have is Ten Interesting Things I Read This Week (TITIRTW):

1. Cleveland Plain Dealer: Idea for protecting newspapers draws national spotlight, bloggers' ire

2. Media & Communications Policy: More on Newspapers and Aggregators

At this point management at most of the leading newspapers have let go of the notion that "parasitic aggregators" are a significant source of their business problems. Yet here is a respected attorney (and counsel to the Cleveland Plain Dealer) making an argument that parasitic aggregators who are free-riding on newspaper content should be stopped. Stopped by reviving the common law doctrine of "hot news" misappropriation. He believes that the Copyright Act should be amended so that it no longer preempts state-law misappropriation claims. The attorney writes: "If the legal principles that we advocate in this analysis were the law, the newspaper publisher would have a legal right to enjoin temporarily or otherwise impede the business of an aggregator that commercially exploits the publisher's news reports in direct competition with the publisher." I don't want to "Go Pundit" here, but this is a solution to a problem that just does not exist.

Plaindealer

3. Citizen Media Law Blog: Southeastern Conference Sacks Social Media, Then Recovers

A nice account of the Southeastern Conference's attempt to protect the interests of its television broadcast partners by prohibiting fans from blogging, twittering et cetera during football games that reminded me we are still very much at the beginning of the user-generated media era. The article summarizes the state of the law on the "hot news" doctrine, making a nice counterpoint to the "save the newspapers" discussions above. 

4. U.S. Department of Homeland Security: Secretary Napolitano Announces New Directives on Border Searches of Electronic Media

Modest privacy-enhancing protections announced here, though DHS is not giving back an ounce of their authority to search anyone, anything, any time, at the border. Which still includes laptops: "In the course of a border search, with or without individualized suspicion, an Officer may examine electronic devices and may review and analyze the information encountered at the border."

The American Civil Liberties Union filed a lawsuit this week seeking records relating to searches of electronic devices at the border.

5. The Volokh Conspiracy: How the Ninth Circuit Tried To End Plain View for Computer Searches Without Ending Plain View for Computer Searches

Prof. Orin Kerr ruefully labels the en banc Ninth Circuit's decision in United States v. Comprehensive Drug Testing Inc. as Miranda for computer searches. He writes: "I think the best way to understand today's remarkable Ninth Circuit Fourth Amendment decision in United States v. Comprehensive Drug Testing is that the Ninth Circuit did its best to end the plain view exception for computer searches without formally ending plain view for computer searches. Chief Judge Kozinski's opinion created an elaborate statute-like new regime to make sure the government acts like there is no plain view exception. The decision is a workaround that effectively ends plain view for computer searches by making sure the government will never collect electronic evidence in plain view in the first place."

Sounds a little bitter to me. Judge Kozinski's opinion is a sensational read. And if it really is like Miranda, read it, because it's going to be around for a long time.

6 & 7. Gregg Easterbrook (ESPN): Tuesday Morning Quarterback's AFC preview and TMQ travels back in time to August 2009

A personal favorite, a guilty pleasure, one of the best writers on the Web, reminds me of Tom Wolfe way back when. More than football in here too: smart ruminations on Twitter, the British Humanist Association, and deadly objects from space.

8. Consumer Law & Policy Blog: Official Word from US Courts -- Feel Free to Use RECAP With Our Blessing

The implication here is that the AO's office would naturally have disapproved of RECAP, a Firefox addon that uploads PACER documents to a free repository. But surprise surprise it appears they don't mind at all. Am I the only one who believes the judiciary is the most -- not the least -- open branch of the federal government?

9. Spam Notes: Electronic Communications, Privacy, Data Protection, and More: Gordon v. Virtumundo: 9th Cir Smacks Down Anti-Spammers in Trifecta Defense Win

Ah, August 6, 10 a.m. PST. I was fly-fishing a gentlemanly stretch of the Gallatin River in Yellowstone National Park. Wretched souls like Venkat were slogging through Gordon v. Virtumundo's discussion of CAN-SPAM preemption. He writes: "As far as opinions go, this is as good as it gets." I couldn't agree more. About the fishing, of course.

10. Techdirt: Interview With William Patry: Understanding How The Copyright Debate Got Twisted

Prof. William Patry is coming out with a new book, Moral Panics and the Copyright Wars. Here, a very interesting discussion with Techdirt's Mike Masnick draws out Patry's views on fair use, the file-sharing wars, and copyright politics.

Posted by Thomas O'Toole on August 28, 2009 in Broadband, Computer Crime, Consumer Protection, Contracts, Copyrights, Domain Names, Electronic Discovery, Information Security, Intellectual Property, Net Neutrality, Online Publishing, Privacy | | Comments (0)

August 27, 2009

Marketers Make Good on Threat to Challenge Maine Privacy Law

The Progress and Freedom Foundation is reporting that a group of marketers and publishers filed a lawsuit yesterday challenging the constitutionality of Maine's Act to Prevent Predatory Marketing Practices Against Minors, a law that prohibits companies from collecting "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor's parent or legal guardian." That's a tall order for marketers, requiring fundamental changes in their operations.

The listed plaintiffs are the Maine Independent Colleges Association, Maine Press Association, NetChoice, and Reed Elsevier Inc.

The law becomes effective Sept. 12.

The lawsuit was reportedly filed in the U.S. District Court for the District of Maine, though it is not yet available on the court's PACER/ECF site. A copy of the plaintiffs' motion for a preliminary injunction distributed by PFF is available here.

Plaintiff's allege that the Maine law violates the First Amendment (they allege it should be tested under the rigorous standards applicable to non-commercial speech), the dormant Commerce Clause, and state preemption provisions in the Children's Online Privacy Protection Act, a federal measure applicable to children under age 13.

Posted by Thomas O'Toole on August 27, 2009 in Computer Crime, Marketing, Privacy | | Comments (1)

June 29, 2009

Supreme Court Declines to Review IMS Health, Cable News Network Cases

The Supreme Court, on its final day of the term, declined to review a pair of high-profile cases of interest to cyberlaw attorneys -- one involving the interplay between commercial speech rights and a privacy-protective state law, the other involving copyright infringement by a cable provider's digital recording service.

The first case, Cable News Network Inc. v. CSC Holdings Inc., No 08-448 (link to lower court opinion), involved a copyright infringement challenge by a large group of television content providers against cable television service Cablevision. The Second Circuit, in proceedings below, held that Cablevision's proposed remote video recording system would not directly infringe the plaintiffs' exclusive rights in copyrighted television programming. First, the court held that each buffer copy made as data flowed through the system was transitory—stored in the DVR system for 1.2 seconds, at most—and so was not directly infringing. Second, the court held that the copies created by the Cablevision DVR service were also not directly infringing, because they were created at the direction of subscribers not Cablevision itself, which merely provided the instrumentality for making the copies.

The U.S. Solicitor General filed a brief May 29 urging the court to decline review of the case.

The second case, IMS Health Inc v. Ayotte, No. 08-1202 (link to lower court opinion), involved a First Amendment challenge to a New Hampshire law banning the sale of prescription drug information that identifies doctors' prescribing patterns. The information is useful to brand-name prescription drug marketers who want to steer doctors away from lower-cost, generic drugs. The First Circuit upheld the law. The court remarked that the New Hampshire state law regulates data transfers whose societal benefits “pale in comparison to the negative externalities produced.”

Even if the regulation does constrain protected speech, the court said, it does not violate the Constitution because it serves a substantial state interest in containing health care costs and is no more restrictive than necessary to accomplish its goals. “[W]e are not persuaded that the regulated data transfers embody restrictions on protected speech,” First Circuit Judge Bruce Selya wrote. “In our view the portions of the law at issue here regulate conduct, not speech,” he added.

The significance of the Supreme Court's denial of certiorari in any particular case is difficult to assess, well above my pay grade. Both of these cert petitions were brought by influential, well-financed businesses who predicted that dire consequences would ensue if the high court let stand the lower court's ruling. If the television content providers who brought suit in Cable News Network Inc. v. CSC Holdings Inc. really do feel they can't live with the Second Circuit's interpretation of the Copyright Act, they can get relief on Capitol Hill, and that may indeed occur.

The situation is slightly different with IMS Health Inc v. Ayotte, because that ruling has a constitutional basis. Other states may, upon seeing New Hampshire's success in turning back the drug marketers' First Amendment objections, be encouraged to enact similar laws. Drug marketers might be able to persuade Congress to preempt state laws like the one at issue in IMS Health v. Ayotte. Short of this, however, the only place for drug marketers to get relief on the First Amendment question is in the federal courts, perhaps the Supreme Court, at some later date.

Posted by Thomas O'Toole on June 29, 2009 in Copyrights, Privacy | | Comments (0)

Technorati Tags: , , ,

June 26, 2009

Perils and Promise of the New Jersey Workplace Privacy Ruling

Every attorney who deals in privacy issues, every attorney who advises companies on drafting acceptable use policies for computers and Internet use, every attorney who counsels companies on creating and enforcing workplace rules ought to stop what he or she is doing and read the court's opinion in Stengart v. Loving Care Agency Inc., No. A-3506-08T1 (N.J. Super.Ct., App. Div., June 26, 2009). There might be some money in it for you.

This case involved workplace computer use rules that the employer claimed gave it the right to search through and retain e-mail messages a former employee had sent to her attorney. The messages were transmitted through the employee's personal e-mail account, but on an employer-issued laptop computer. After the employee left the employer and became a plaintiff, the employer made a copy of the plaintiff's laptop's hard drive, turning up e-mail messages she had sent to her attorney with the laptop.

The appellate court held that the employer had no right to retain the former employee's e-mail messages to her attorney, finding that attorney-client privilege substantially outweighed the employer's interest in enforcement of its computer use rules.

It is getting late in the day here on the East Coast, so I'm going to take what might charitably be called an impressionistic go at this decision. Here goes.

Acceptable Use Policy Was Ambiguous

The court was very critical of the way the acceptable use policy was drafted. Acceptable use policies should convey a "clear and unambiguous understanding" about their scope. This one failed that test. The policy claimed the company had a right to intercept "matters on the company's media systems and services," however, the policy never defined "media systems and services." The policy also permitted "occasional personal use" of company computers, but it made no attempt to define when personal use was permitted. Also, the policy's use of the term "e-mail system" created an ambiguity on the question of whether or not the policy covered an employee's personal e-mail account accessed via the employer's computer.

My impression is that the loose language picked apart by the court here is commonplace. Companies are on notice now that loose language might not survive a court challenge. Ambiguities in the employer's computer use policy made it tough for the employer to defend its conduct in this appeal. This wasn't the employer's only problem, though.

Employer Doesn't Own All Personal Communications

The court was not willing to accept at face value the employer's claim that it was entitled to the employee's e-mail messages merely because they were created with company property. The court believed that the employer was required to assert a plausible justification for intruding into the employee's personal communications. The court flatly rejected the employer's argument that it had a right to access the employee's communications merely because they were created with company property. In the process, the court served up some lofty rhetoric about the right of privacy in electronic communications in the workplace.

[Provisions in the acceptable use policy] reflect the entirely proper imposition of the company's right to own and possess communications made by the employee in furtherance of the company's business. As interpreted by the company, however, those provisions purport to reach into the employee's personal life without a sufficient nexus to the employer's legitimate interests. This claimed right seems to be based principally on the fact that the computer used to make personal communications is owned by the company, although the company provides no plausible explanation for the policy's expressed acknowledgment that "[o]ccasional personal use is permitted." No rationale is offered to explain how one aspect of the policy creates the company's absolute right to retain, as its own property, all emails whether business-related or personal, with the provision that "[o]ccasional personal use is permitted."

Ignoring the significance of its express permission for "[o]ccasional personal use," the company's argument appears to rely chiefly on the fact that plaintiff utilized the company's computer and that anything flowing from that use becomes subject to the company's claimed ownership right. We reject the company's ownership of the computer as the sole determinative fact in determining whether an employee's personal emails may become the company's property.

...

Certainly, the electronic age -- and the speed and ease with which many communications may now be made -- has created numerous difficulties in segregating personal business from company business. Today, many highly personal and confidential transactions are commonly conducted via the Internet, and may be performed in a moment's time. With the touch of a keyboard or click of a mouse, individuals may access their medical records, examine activities in their bank accounts and phone records, file income tax returns, and engage in a host of other private activities, including, as here, emailing an attorney regarding confidential matters. Regardless of where or how those communications occur, individuals possess a reasonable expectation that those communications will remain private. ...

A policy imposed by an employer, purporting to transform all private communications into company property -- merely because the company owned the computer used to make private communications or used to access such private information during work hours -- furthers no legitimate business interest.

Employers out there, you're on notice now that you should have a more nuanced and situation-specific justification for snooping in personal e-mail accounts than the "We own it, we own it all" strategy adopted by the employer in this case.

Policy Not Enforceable as Contract

The court was unwilling to treat the acceptable use policy as a contract, preferring instead to characterize acceptable use polices as "regulations unilaterally imposed by employees." Instead, the court's deference to the terms of the policy was commensurate with what the court called its "moral force." A company regulation loses "moral force" when it is "based on no good reason other than the employer's desire to rummage among information having no bearing upon its legitimate business interests."

Here's another bit of rhetoric, from a judge who has clearly lost all patience with the employer's legal arguments:

We thus reject the philosophy buttressing the trial judge's ruling that, because the employer buys the employee's energies and talents during a certain portion of each workday, anything that the employee does during those hours becomes company property. Although we recognize the considerable scope of an employer's right to govern conduct and communications in the workplace, the employer's interest in enforcing its unilateral regulations wanes when the employer attempts to reach into purely private matters that have no bearing on the employer's legitimate interests.

Ouch.

Trial Court Should Have Required Employer to Prove Case

Speaking of the trial judge, the appellate court was openly disappointed in her failure to make the employer adequately prove the existence of a computer use policy, and its terms, and the extent to which the policy was applied and enforced within the company. For example, the appellate court counted five separate versions of the policy in the record, none of which contained a signed acknowledgement by the employee that she had read and understood the policy. It was error for the trial court to decide disputed fact issues without a hearing, the court said.

Employer's Law Firm Could Be Disqualified

The employer's law firm may very well have gotten itself removed from this case. Attorneys for the employer read the employee's personal e-mail messages -- which obviously contained communications between the employee and her attorney -- without first affording the employee an opportunity to assert attorney-client privilege over them. The court said that it was unreasonable for the attorneys to assume that the employer's acceptable use policy had turned the employee's privileged e-mail messages into company property. These attorneys were ethically obligated, the court said, "to cease reading or examining the document, protect it from further revelations, and notify the adverse party of its possession so that the attorney's right to retain or make use of the document may thereafter be adjudicated by the court."

The court ordered the trial court to conduct a hearing to determine whether the employer's law firm should be disqualified from representing the employer for the remainder of this litigation.

All in all, a lot to chew on late on a Friday afternoon. I prefer to look on the bright side. The case is a strong win for workplace privacy proponents. And every acceptable use policy called into question by this opinion is an opportunity for some attorney to get paid to write a better one.

Posted by Thomas O'Toole on June 26, 2009 in Privacy | | Comments (0)

Technorati Tags: , , ,

June 18, 2009

City of Bozeman: Surveillance Ensures High Moral Character

There is an arresting story over at ReadWriteWeb about the City of Bozeman, Mt., and its demand that prospective employees supply the city with the usernames and passwords for any Web sites they might belong to. Including, but not limited to Facebook, MySpace, Yahoo, Google, and YouTube -- that sort of thing. The city is justifying this invasion of privacy as necessary to ensure that employees "have the highest moral character and are a good fit for the City." It is easy to see that what the City of Bozeman is doing is about power, not good government. Why else would its snooping apply only to prospective employees and not current employees? Why policemen, firemen, and lifeguards? Why not the mayor and the city council? Those are the city jobs where a city really need persons of "the highest moral character." And why stop at reading through their Facebook messages? I say tap the mayor's phone, install a keylogger on her computer (at work and at home), and read through all her e-mail. That's how you ensure that local government officials have the highest moral character.

Update: The City of Bozeman rescinded this policy a day after this post was written.

Posted by Thomas O'Toole on June 18, 2009 in Privacy | | Comments (0)

Technorati Tags: ,

Next »
Subscribe to this blog's feed

Twitter Updates

    follow me on Twitter

    Recent Posts

    Recent Comments

    Notice to Subscribers

    Categories

    Archives

    More...

    Copyright

    About