Policies and Training Critical in Managing Digital Privacy

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
April 14, 2017

The digital age has heralded an explosive growth in the volume of information created, stored and transmitted on computers and mobile devices, over the Internet and broadband, and on social media sites.  The same technologies that have defined the times simultaneously pose serious issues for privacy and information security.

Despite the importance of the interests at stake, no comprehensive or consistent set of rules currently governs data privacy in the United States.  A patchwork of federal and state statutes and cases governs different industries, various types of conduct, and different kinds of information.  These rules are frequently complex and confusing, and oftentimes fail to provide clear answers to the most pressing questions.

Though daunting, the challenges can be managed.  To effectively address data privacy concerns, a business must adopt and adhere to an effective information use policy, and then train employees about the policy and managers about the rules governing digital privacy.

While a myriad of federal and state laws touch on digital privacy, the most significant rules for New Hampshire arise out of the federal Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), and the state statute governing employer access to personal social media accounts, RSA 275:73-74.

The ECPA prohibits the interception of electronic communications, and the use and disclosure of unlawfully intercepted data.  The statute contains two exceptions vital to businesses.  First, a business may intercept an electronic communication if at least one party consents.  Such consent can be express or implied, and an employer may establish consent with an effective information use policy.  Second, a business that hosts the electronic communications service may intercept, use and disclose communications in the course of providing the service or to protect the interests of the business.  The SCA prohibits the accessing of stored electronic communications without authorization or beyond the scope of authorization.  Like the ECPA, the SCA permits the person or entity providing the electronic communications service, including a business, to access, use and disclose stored electronic communications on its own systems.

Technological developments in the digital age have pushed the limits of the ECPA and SCA, which were enacted in 1986 – long before many such technologies existed or even could have been contemplated by Congress.  Thus, while it is clear that businesses can access email and other data created, sent, received and stored in their own systems, the proliferation of Net 2.0 technologies – like text and instant messaging, webmail (Gmail, Yahoo!, etc.), social media (Facebook, Instagram, Snapchat, etc.), Twitter and blogs – has created complicated and confusing questions for which there often are no clear answers.

For example, while a business has the right to extract from company-owned electronic devices (servers, computers, laptops, tablets, smartphones, etc.) data in the residual or deleted spaces of the devices – like screen shots of an employee’s Gmail or Facebook posts – the business cannot under the SCA use the passwords for the employee’s Gmail and Facebook accounts (which also commonly can be retrieved from residual space) to access those accounts directly.  Similarly, while a business has the right to confiscate a company-owned computer or mobile device and then review data stored on the hard drive of the device, the business cannot under the SCA use the Gmail or Facebook application on the device to access data on the employee’s online Gmail or Facebook account that is not already stored on the device’s hard drive.

Though many issues under the ECPA and SCA remain unclear or unresolved, the United States Supreme Court in City of Ontario v. Quon gave businesses the following sage advice (and maybe even reliable precedent) when it comes to managing digital privacy.  It said,

“[a]n employer’s policies concerning electronic communications in the workplace will shape the reasonable expectations of its employees, especially to the extent that such policies are clearly communicated.”

New Hampshire entered the fray of digital privacy in 2014 with a state statute prohibiting employers from requesting or requiring an existing or prospective employee to give the employer the password or other access to the individual’s personal social networking accounts.  The statute simultaneously preserved an employer’s right to adopt and enforce an information use policy governing company-owned electronic devices, and to access and control social media accounts created or used for the employer’s business purposes.

Each company’s information use policy should be unique to its operations and tailored to its policy choices.  However, all such policies also should at least inform employees as follows:

  • whether personal use of the company’s information systems is permitted and, if so, the scope of permitted personal use;
  • that an employee’s use of the company’s information systems is not private, and the employee should have no expectation of privacy; and
  • that the company has the right to, and does, monitor and review data created, stored, or transmitted on the company’s information systems.

While digital privacy is a daunting, complicated and often confusing area, a company best manages this risk by adopting and adhering to an effective information use policy, training employees about the policy and the company’s technology practices, and educating managers about how to avoid infringing on the various privacy rights that exist under state and federal law.