
Policies and Training Critical in Managing Digital Privacy

Written by: Cameron G. Shilling

Published in NH Bar News (4/14/2017)

The digital age has heralded an explosive growth in the volume of information created, stored and transmitted on computers and mobile devices, over the Internet and broadband, and on social media sites.  The same technologies that have defined the times simultaneously pose serious issues for privacy and information security.

Despite the importance of the interests at stake, no comprehensive or consistent set of rules currently governs data privacy in the United States.  A patchwork of federal and state statutes and cases governs different industries, various types of conduct, and different kinds of information.  These rules are frequently complex and confusing, and oftentimes fail to provide clear answers to the most pressing questions.

Though daunting, the challenges can be managed.  To effectively address data privacy concerns, a business must adopt and adhere to an effective information use policy, and then train employees about the policy and managers about the rules governing digital privacy.

While a myriad of federal and state laws touch on digital privacy, the most significant rules for New Hampshire arise out of the federal Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), and the state statute governing employer access to personal social media accounts, RSA 275:73-74.

The ECPA prohibits the interception of electronic communications, and the use and disclosure of unlawfully intercepted data.  The statute contains two exceptions vital to businesses.  First, a business may intercept an electronic communication if at least one party consents.  Such consent can be express or implied, and an employer may establish consent with an effective information use policy.  Second, a business that hosts the electronic communications service may intercept, use and disclose communications in the course of providing the service or to protect the interests of the business.  The SCA prohibits the accessing of stored electronic communications without authorization or beyond the scope of authorization.  Like the ECPA, the SCA permits the person or entity providing the electronic communications service, including a business, to access, use and disclose stored electronic communications on its own systems.

Technological developments in the digital age have pushed the limits of the ECPA and SCA, which were enacted in 1986 – long before many such technologies existed or even could have been contemplated by Congress.  Thus, while it is clear that businesses can access email and other data created, sent, received and stored in their own systems, the proliferation of Net 2.0 technologies – like text and instant messaging, webmail (Gmail, Yahoo!, etc.), social media (Facebook, Instagram, Snapchat, etc.), Twitter and blogs – has created complicated and confusing questions for which there often are no clear answers.

For example, while a business has the right to extract from company-owned electronic devices (servers, computers, laptops, tablets, smartphones, etc.) data in the residual or deleted spaces of the devices – like screen shots of an employee’s Gmail or Facebook posts – the business cannot under the SCA use the passwords for the employee’s Gmail and Facebook accounts (which also commonly can be retrieved from residual space) to access those accounts directly.  Similarly, while a business has the right to confiscate a company-owned computer or mobile device and then review data stored on the hard drive of the device, the business cannot under the SCA use the Gmail or Facebook application on the device to access data on the employee’s online Gmail or Facebook account that is not already stored on the device’s hard drive.

Though many issues under the ECPA and SCA remain unclear or unresolved, the United States Supreme Court in City of Ontario v. Quon gave businesses the following sage advice (and maybe even reliable precedent) when it comes to managing digital privacy.  It said,

“[a]n employer’s policies concerning electronic communications in the workplace will shape the reasonable expectations of its employees, especially to the extent that such policies are clearly communicated.”

New Hampshire entered the fray of digital privacy in 2014 with a state statute prohibiting employers from requesting or requiring an existing or prospective employee to give the employer the password or other access to the individual’s personal social networking accounts.  The statute simultaneously preserved an employer’s right to adopt and enforce an information use policy governing company-owned electronic devices, and to access and control social media accounts created or used for the employer’s business purposes.

Each company’s information use policy should be unique to its operations and tailored to its policy choices.  However, all such policies also should at least inform employees as follows:

  • whether personal use of the company’s information systems is permitted and, if so, the scope of permitted personal use;
  • that an employee’s use of the company’s information systems is not private, and the employee should have no expectation of privacy; and
  • that the company has the right to, and does, monitor and review data created, stored, or transmitted on the company’s information systems.

 

While digital privacy is daunting, complicated and often confusing, a company best manages this risk by adopting and adhering to an effective information use policy, training employees about the policy and the company’s technology practices, and educating managers about how to avoid infringing on the various privacy rights that exist under state and federal law.

Cameron Shilling is a shareholder and director at McLane Middleton, Professional Association, and chair of the firm's Privacy and Data Security practice group. He can be reached at 603-628-1351 or cameron.shilling@mclane.com.
