Four Rules Rule 1: Have an Appropriate Acceptable Use Policy and Disseminate it Properly Rule 2: Have an Appropriate User Responsibility Policy and Disseminate it Properly Rule 3: Where at all possible, avoid providing VPN access to users via their home computers (as opposed to state-issued computers) Rule 4: When investigating workplace misconduct make sure that searches of employee offices, and employee hard drives, disks, and other IT equipment used only by the individual employees are: Justified in their inception Permissible in their scope
Rule 1 Have an Appropriate Acceptable Use Policy and Disseminate it Properly
An Appropriate Acceptable Use Policy Scope: all Commonwealth IT Resources Applicability: all users of Commonwealth IT resources (don’t limit to employees, contractors, elected officials, unpaid interns, etc.) Failure to observe results in discipline Defines acceptable and unacceptable uses of Commonwealth IT Data confidentiality IP protection Computer viruses Network security Email use No expectation of privacy Use of system is consent to policy
All ANF Agencies are subject to the ANF AUP (Unless they adopt a similarly protective agency policy) ANF Policy available at http://mass.gov/portal/index.jsp?page ID=agcc&agid=eoaf&agca=policiesi nitiatives&agcc=otherpolicies
Proper Dissemination Post it on your agency intranet and internet sites Provide to all IT resource users Incorporate in contracts Mail link to users annually Update periodically Document dissemination
Rule 2 Have an Appropriate User Responsibility Policy and Disseminate it Appropriately
A Proper User Responsibility Policy Explains why the user has been granted Log-in IDs for systems and networks States that user must keep Log-in ID confidential Limits choice of passwords Notifies that use of Log-In ID is a privilege that may be revoked Sole responsibility of user
Proper User Responsibility Policy Report to ISO if compromised Data release only consistent with law Remote access issues Discipline including termination for violation Reiterate acceptable use Current monitoring and potential screening Contact information for ISO (OER Review)
Proper Dissemination Same as dissemination of AUP, but instead of disseminating as policy to all, at hire or first engagement with agency, require all non-union users to sign an agreement incorporating the policy, stating date on which they received it and had chance to review Provide hard copy of policy to all union employees
Rule 3 Avoid VPN Access for Users via their home computers
Avoid VPN access for users via their home computers Administrators have access to home computers while VPN session is open Employees have a higher degree of privacy rights in personally-owned home computers Others in household who share the PC also have privacy rights When investigating employee misconduct, do not under any circumstances conduct a warrantless search of a telecommuter’s personal PC through your VPN connection
Rule 4 When investigating workplace misconduct make sure that searches of employee offices, and hard drives, disks, and other IT equipment used only by the individual, or any other areas in which the employee may claim a privacy right: Justified in their inception Permissible in their scope
Justified at Their Inception means… There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct: Example: Technician exploring firewall capabilities enters term “sex” in firewall database and discovers that government employee user has accessed a number of sex sites using his government issued computer in his government office, in violation of agency policy Example: Technician in government employee’s office installing network connection on network computer sees pornography files on employee’s screen in violation of workplace policy
Permissible in their scope means… Measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct: Example: Following agency’s discovery of sex site visit evidence on firewall log, Supervisor remotely reviews information on user’s computer, and only after finding further evidence of visits to pornographic sites forbidden by agency policy Only thereafter enters employee’s private office and takes hard drive and disks.
Permissible in scope, cont. Example: Following discovery of technician installing network connection that user has pornography on government employee’s government issued computer, in violation of agency policy, employer conducts full search of employee’s computer and disks.
The Commonwealth Falls into Two Legal Categories The Commonwealth as an employer The Commonwealth as a government entity
Government as Employer Faces the same legal landscape as all employers Statutes and Case law
As Government Entity State is subject to Fair Information Practices Act Fourth Amendment search and seizure issues.
Statutes Affecting All Employers State Privacy Act, Mass. Gen. L. ch. 214 State Wiretap Law, Mass. Gen. L. ch. 272, sec. 99 Federal Wiretap Statute, 18 U.S.C. sec. 2511 et seq. Data privacy laws Federal Stored Communications Statute, 18 U.S.C. sec. 2701
State Privacy Act “A person shall have a right against unreasonable, substantial, or serious interference with his privacy”. M.G.L. ch. 214, sec. 1B Restuccia v. Burke Technology, Inc., 1999 WL 1329386 (Mass. Super. 1996): Genuine issue of fact regarding whether employee had reasonable expectation of privacy in email that he had sent to supervisor at the supervisor’s company email address that later resulted in termination.
Garrity v. John Hancock Mutual Life Insurance Company, 2002 WL 974676 (D. Mass. 2002) Plaintiffs: 2 employees and husband of one employee Sexually explicit emails sent from husband to both employees at company email addresses Two employees distribute these emails to other employees over company email Employee plaintiffs fired after investigation including employer review of emails contained in backup system
State Privacy Law Claim Invasion of privacy (no citation to state privacy statute, but either state statute or tort of privacy invasion appear to be basis of claim) Holding: no privacy violation
Court quotes from Hancock’s Well-disseminated Email Policy, which Explicitly Said: Obscene, profane, sexually oriented emails prohibited Violators would be subject to disciplinary action up to and including termination All information stored, transmitted, received or contained in company email systems systems was the employer’s property Business or legal reasons might require company review of email messages and other documents
Court’s Reasoning No reasonable expectation of privacy in the emails among the plaintiffs because Evidence that employee’s husband, and employee plaintiffs, assumed the emails would be forwarded to others at the company Citation to Pennsylvania District Court case to the effect that even without an email policy, no privacy expectation in emails sent over company email system (but PA case was about privacy expectations of employees, not outsiders)
Court’s Reasoning, cont. Even if there was a reasonable expectation of privacy in the emails, Hancock’s legitimate business interest in protecting its employees from harassment in workplace would “likely trump plaintiffs’ privacy interests”. Both state and Federal anti-discrimination law REQUIRE employer to take affirmative steps to maintain workplace free of harassment, investigate incidents of harassment and take prompt action
Based on State Privacy Law and Hancock… Private sector employers whose email policy forbids use of email system for certain activities do not violate state Privacy Act when reading employee emails during investigation of employee policy violations that are also violations of state or federal law. Probable that even without an email policy, employee in a private sector company may have no privacy rights under the Privacy Law with respect to emails created or received in the workplace.
Privacy of State Employee Emails State employees have an even weaker argument for the privacy of most of their emails because the Secretary of State has ruled that emails created or received by an employee or a government unit are public record. DSPR Bulletin 1-99 2/16/99.
Hancock leaves open the question: Where there is no evidence that the non-employee sending email to an employee at his work email address knew that his email would be distributed to others in the company, are the sender’s rights under the State Privacy Act violated when, without the sender’s consent, the employer reads his email? Sender may not have as much reason to be aware of the public record nature of emails sent to the state.
State Wiretap Law Prohibits secret interception of wire and oral communications Doesn’t apply if both parties to communication have consented to interception Doesn’t apply to possession or use of an intercommunications system which is used in the ordinary course of owner’s business
Raised by plaintiffs in Hancock because... Hancock, following complaint by fellow employee regarding sexually explicit email transmitted by plaintiffs over company email system, commenced investigation Investigation included reading backed up emails created, received or transmitted by plaintiffs. Plaintiffs claim the reading of such emails was an “interception” that violated the state wiretap law
Court: No violation of State Wiretap Because: State wiretap law applies only to interception of communications in transit; Hancock read only stored email Even if the reading itself were a form of interception, the backup system was not an interception because fell under “ordinary business exemption “ of wiretap statute. (See also Restuccia).
Application of State Wiretap Act to State Agencies: Reading backed up employee emails not a violation Screening incoming emails for viruses and spam, and screening outgoing emails is not a violation because it is “ordinary course of business” for state agencies because of data privacy laws Intercepting incoming emails from a known source of harassing emails is not a violation
State Wiretap Act Summary: Screening Incoming Emails State agency intercepting all incoming emails on shakier legal ground: No legal requirement under data privacy laws or discrimination laws imposed on employers to screen incoming email. Screening all incoming email may not constitute acting in the ordinary course of business
State Wiretap Act Summary: Screening incoming email Unlike most businesses that receive email from customers, Commonwealth citizens have legitimate reasons for emailing messages to state agencies that contain words that may be picked up by screening software Example: Citizens seeking health information may use slang terms for body parts Citizens reporting discrimination to state agencies, quoting offensive language. Citizens using strong language to criticize state officials
Federal Wiretap Statute Similar to state statute; does not apply to stored email communications But only one party to communications needs to consent. 18 U.S.C. sec. 2511(2)(d). AUP that states that users of IT resources consent to monitoring probably creates requisite consent And provider of electronic communications service can intercept to protect the rights or property of the provider. Screening all emails for harassing content would appear to be a means of protecting the employer’s rights to maintain a non-discriminatory workplace
Under Federal Wiretap Statute Agencies that have and disseminate an acceptable use policy stating that use of IT system is consent to monitoring and viewing of messages are not in violation of Federal Wiretap Law if they monitor both incoming and outgoing email for any purpose. Even without an AUP, agencies monitoring all incoming and outgoing email for purposes of preventing violations of Federal or state law, reducing spam or maintaining network security are probably not in violation of the Federal Wiretap Act.
Data Privacy Laws Health Insurance Portability and Accountability Act Gramm-Leach-Bliley
Federal Stored Communications Act Prohibits unauthorized access to electronic communication while it is in electronic storage. 18 U.S.C. sec. 2701 An employer’s accessing of backed up emails on its own email system does not violate this act because it is not “unauthorized”.
Query, however… When employee has VPN access through home computer, absent a written agreement with employee, systems administrator’s viewing of non-work related files on the computer during a VPN session may not be “authorized” and may therefore be a violation of the SCA. Administrator’s viewing of files of household members of employees during VPN session probably violates the SCA because such intrusions are certainly not authorized.
GOVERNMENT AS GOVERNMENT EMPLOYER Fair Information Practices Act Fourth Amendment
Fair Information Practices Act State Fair Information Practices Act Protects personal data (data clearly linked to an individual that is not public record) held by a “holder” agency Most information about employees held by state agency employers is public record. Personal data about employees (evaluations, paternity information) can be accessed by the agency’s employees during a legitimate workplace misconduct investigation without violating FIPA but dissemination outside the agency restricted by FIPA.
Fourth Amendment Fourth Amendment to U.S. Constitution, made applicable to states via 14 th Amendment Parallel rights under State Constitution Where state employee has an objectively reasonable privacy expectation in a place, the state cannot search that place while investigating a workplace policy violation unless it obtains a warrant or an exception to the warrantless search rule applies.
What happens if state violates this rule when investigating employee misconduct? If the employee is later tried for violation of criminal law, evidence collected in violation of the Fourth Amendment can be suppressed. “Bivens” action against state actors for civil money damages
Scope of our discussion NOT a discussion about legal or illegal use of warrants the state obtains during a criminal investigation by state police; RATHER Non-criminal, warrantless searches a state agency might conduct for the purpose (but not necessarily the sole purpose) of investigating an instance of employee workplace misconduct that may also constitute a crime.
O’Connor v. Ortega, 480 U.S. 709 (1987) Fourth Amendment prohibits unreasonable searches and seizures by government employers or supervisors
Government employees Have a reasonable expectation of privacy in their offices or in parts of their offices, such as their desks or file cabinets. O’Connor. But office procedures, policies or regulations may reduce legitimate privacy expectations. O’Connor.
Even if state employee establishes a privacy interest in the area that you search, your search may be covered by an exception to warrantless search requirement for government employers Government employer’s interest in the efficient and proper operation of the workplace may justify warrantless work-related searches. Government agency investigations of violations of workplace misconduct fall under this rule. This exception can apply even if the employer is a law enforcement agency and the agent conducting the search is aware that the information collected could later be used for criminal prosecution
Rules for Government Employer Warrantless Search Reasonable in its inception Permissible in its scope
Reasonable in its inception There are reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related conduct
Permissible in its scope Investigatory measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct
U. S. v. Simons, 206 F.3d 392 (4 th. Cir. 2000) Motion to suppress Mark L. Simons CIA Employee Convicted of receiving and downloading child pornography Used workplace Internet access to do so
Court Notes that CIA: Had an Internet usage policy Use for official government business only Accessing unlawful material specifically prohibited CIA will conduct electronic audits to ensure compliance Great detail about how audits would look at sent and received email and web sites visited
Events leading to conviction Simons has an agency office that he locks and a computer provided by CIA with access to internet Technician exploring firewall capabilities enters keyword “sex” into firewall database Technician notes large number of Internet hits originating from Simons computer. Names of sites obviously not for official purposes. Reports to supervisors. Another CIA employee remotely examines Simons computer, finds downloaded pornographic files, and copies files
Later, in Simon’s office, Employer physically entered Simons office Removed original hard drive
Subsequently Evidence from both remote and office searches used to convict Simons
Simons raises fourth amendment claim regarding The remote search The office search
Remote search: Court holds No violation because Simons had no expectation of privacy with respect to “fruits of his internet search” because of employer policy Policy placed employees on notice No objectively reasonable belief
Office Search Private office Simons did not share No office policies or procedures reducing his privacy interest He had a privacy interest in office But requirements of government agency exception to warrantless search rule met
Government agency exception applied Although dominant purpose of search was to acquire information about criminal activity, CIA did not lose its special need for efficient and proper operation of workplace Criminal acts related to employment, in that employer workplace policy violated Compare to situation where criminal acts are unrelated to employment-related misconduct. Here, conjunction of conduct that violated workplace rules and conduct that violated criminal law did not prohibit application of exemption
CIA Met requirements for special needs search Reasonable at its inception because based on technician’s work, grounds to suspect child porn violation Permissible in scope because entering Simon’s office was reasonably related to objective of the search, retrieval of the hard drive. And search not excessively intrusive. No search of desk, any other items in office.
See U.S. v. Slanina, 283 F.3d 670 (5 th Cir. 2002) (appeal from conviction of municipal employee for child pornography).
Search and Seizure Rules and State Agencies Reduce the employee’s expectation of privacy in electronic communications and activities related to state information technology resources Make sure your search is justified in its inception-- -no fishing expeditions.Must have some reason to suspect violation of a workplace policy, not just a crime. Limit scope of your search to places likely to answer your question as to whether the employee violated your workplace policy
Courts will view differently Warrantless… Remote searches of employer’s computer in employee’s office (or, presumably, at home) Physical Search of employee’s private office at workplace Remote search of employee owned PC used for VPN connection to state network
Search may violate employee’s Fourth Amendment Rights if… Search not justified at its inception because employer has no reason to suspect violation of workplace policy, even if employer has reason to suspect violation of criminal law Search not permissible in scope because employer searches places or things unrelated to the suspected violation of a workplace policy
Contact Information Linda Hamel, ITD General Counsel Linda.firstname.lastname@example.org (617)-626-4404