Privacy of communications - a common myth

Wes Bucey

Quite Involved in Discussions
#1
Over the last six or seven years, a common myth about expectations of privacy in an employee's electronic communications has put a lot of folks out of a happy mood [and often out of employment.]

The fact of the matter is that if you use an employer's device or facilities to make or receive an electronic communication, odds are it can be read or heard and recorded by any number of people ranging from bosses to IT people to casual coworkers. The employer (in the USA) is not legally required to give employees notice of this possibility (in some companies, it is an absolute certainty that communications are monitored.)

Here is a sample of what some enlightened, reasonable organizations are including in employee handbooks as a heads up alert
  • Privacy. The director of information services can override any individual password and thus has access to all electronic mail messages in order to ensure compliance with company policy. This means that employees do not have an expectation of privacy in their company e-mail or any other information stored or accessed on company computers.
  • E-Mail review. All e-mail is subject to review by management. Your use of the e-mail system grants consent to the review of any of the messages to or from you in the system, in printed form or in any other medium.
  • Solicitation. In line with our general nonsolicitation policy, e-mail must not be used to solicit for outside business ventures, personal parties, social meetings, charities, membership in any organization, political causes, religious causes, or other matters not connected to the company’s business.
I want to stress, though, that it is not legally necessary for an organization to provide such notice, only a "courtesy." I won't go through the legal arguments and decisions which have confirmed this power for organizations, but suffice to say "few employees have ever won an invasion of privacy case involving a company-owned or provided electronic device and those have included very extraordinary circumstances involving the company's action upon reading the communication, not about the snooping itself."

So what!?
About now, many of you are saying, "So what!?"

Here's the deal: Based on the time stamps of most posts here in the Cove, it's a good bet most of them are made while the poster is on the job in his/her time zone, especially when we observe the huge drop-off in participation on weekends.

If your posts are job or professionally related, there will rarely be any repercussions for taking time away from the job and, for the most part, (based on the thousands of posts I've read in the past six or seven years) no reprisals for giving away company information, which may or may not include trade secrets.

In a small number of cases, though, posters have put up comments thinking they were protected from reprisal because they use an anonymous screen name. Even if they make those comments while using a home computer or public access at a cyber cafe or library, they are subject to discovery (and subsequent reprisal) if they have also used the same anonymous screen name to access the Cove from a company device.

What kind of comments?
Amazingly, many otherwise innocuous comments can be taken out of context and used as a weapon against an employee when the company is gathering ammunition against that employee. Lawyers for employees suing a company for some sort of harassment or job discrimination may come across a company treasure trove of communications by Cove members who are supervisors of that employee, including some ill-chosen comments about employees abusing family leave or disabled worker policies.

I recall a thread in the last year where a self-described "manager" went on a rant about an employee who was taking sick leave for depression. If that employee were in the USA and had an attorney, that attorney would consider a copy of that thread with the comments by the easily identified poster as a license to print money in a lawsuit.

Similarly, comments in our "controversial" forum may also attract sharks. Folks posting in the controversial forums may consider their posts "free speech," but that only applies as far as the USA government is concerned. Google is currently listing over 20 countries that engage in active censorship of communications via the web which may affect posters who either reside there or whose companies do business there. Nothing in "freedom of speech" protects a person in most countries from libel laws and subsequent lawsuits for damages. If the offending individual does not have resources, attorneys reason, the corporations which employ them and allow them to use company devices to make libelous comments DO have money and make a juicy target for attorneys. (What do you suppose happens to the employee whose communication fomented a lawsuit?)

Bottom line:
Put brain in gear before posting a comment which might reflect badly on yourself, your company, or injure or harm an individual, organization, or government. There is no privacy on the internet!
 
Elsmar Forum Sponsor

Wes Bucey

Quite Involved in Discussions
#3
Lest you think snooping into communications and subsequent reprisal is something new, I'd like to acquaint you with a quote from Cardinal Richelieu (The French Cardinal who was the villain in all the Three Musketeers stories):
“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him”

Cardinal Richelieu quotes (French Minister and Cardinal. 1585-1642)
In my 40+ year career, I've run into a number of venal and despicable bosses, henchmen, and their attorneys who eagerly adopted the Cardinal's attitude as their standard operating procedure.
 

Wes Bucey

Quite Involved in Discussions
#4
Just a few more things to consider when filling out Facebook or other social media Profiles. This information was part of an address by an attorney looking to cover the rear ends of employers, instructing HR departments what they can and can't do, but it contains clear warnings of the reasons organization bosses may land hard on employees whose internet activities can bring unwanted heat on the organization and, hence, why the employee should be very careful to :ca:
Social Media—You Can't Unring the Bell

"Social media networks and blogs are now the fourth most popular online activity, ahead of personal e-mail," says Attorney Cynthia L. Gibson. And they are getting more popular with HR for background checks. Unfortunately, she says, once you turn up information you don't want, "you can't unring the bell."

Gibson is senior vice president, Legal, for Scripps Networks Interactive, Inc. She offered her suggestions at the recent Society for Human Resource Management Legal and Legislative Conference in Washington, DC.

Social Media Challenges
Gibson suggests that HR managers consider the following issues that typically come along with social media.

Background Checks
According to surveys, 44 percent of employers use social networking sites to examine the profiles of job candidates, and 39 percent have looked up the profile of a current employee, Gibson notes. Some say they find negative information such as provocative or revealing photos or information, while others find good information regarding a candidate"s personality and fit.

"Some experts say, 'Don't do these checks,' but in the real world you have to do the best background checks you can," says Gibson.

She cites one case where, ironically, a company was looking for a new "Head of Ethics." A full background check revealed nothing untoward. However, the company's own Google search revealed a job that the candidate hadn't mentioned on his résumé, a job which he had left under questionable circumstances.

You Can't Unring the Bell
During a social media search, you may discover information that could lead to a claim of discrimination, Gibson says. For example, you might find out about protected class status, race, age, national origin, veteran status, gender, REDACTED orientation, legal off-duty activity, political affiliation, or disability, or you might see that the person is a member of the Cancer Survivors Club.

Unfortunately, says Gibson, once you find out the information, you can't unring the bell and pretend that you never saw it.

Be Aware of "Use Policies"
If you ignore websites' “use policies,” you may further a claim, Gibson says. For example, the Facebook use policy says “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”

Reliability of Information
There are always issues of reliability with Web searches, says Gibson. For example:

Identity confusion. Is the person you found the same person you are looking for?

Posting confusion. Who posted the information? Was it the person you are looking for or someone else with, perhaps, malicious intent?

Online cleanup. Numerous third-party vendors are available to monitor and “clean up” individuals" online reputations. They can flood the Internet with positive information that pushes the negative information down to the 20th page of Google results. Examples are:
Naymz.com
Brandtitan.com
Defendmyname.com

Managers, friends, and connections. Are managers "friending" some employees and not others? Is pressure applied to "join my group" (Christians, women, etc.)? This could be potential trouble, Gibson says.

Evidence in litigation. "Social media provide a potential 'treasure trove' of information—for you, your employees, and your competitors," says Gibson, which can show up in court when you least want to see it.

Disclosure of confidential information and trade secrets. Employees need to be carefully instructed concerning proprietary information, Gibson says. In DVD Copy Control Assoc. v. Bunner, the Supreme Court of California held that widespread dissemination of a trade secret—even if through an inadvertent or illegal leak—could lead to the loss of trade secret protected status.

Copyright violations. An employee who publishes a misappropriated third-party trade secret or copyrighted material on the Internet may be liable. If the employer's computer system was used, a potential claim could be made against the employer.

Negligent hiring and retention. Claims may be made against employers that ignore expressions or a record of violence.

"The overriding point is that you want your people educated that accessing social media for business purposes is not risk-free," Gibson says.
Although I am quoting Gibson here, the comments she made are very similar to those my colleagues in business, law, and academia and I have been making in our public presentations for several years now. At one of my own presentations at Kent College of Law, I spoke on the twin topics of copyright and trade secrets, especially relating to how corporate and government spies use social engineering to flatter and cajole employees into disclosing much more over the internet than they realize, especially when organized teams of spies can assemble a large database of seemingly unconnected facts, rumors, and gossip, then apply data mining techniques to come up with gems allowing the folks who employ the spies to use the filtered info for some sort of gain. I was particularly emphatic about the potential for abuse of such info for positive or negative stock market trades by effectively sidestepping SEC sanctions against insider trading, even though the information used was "insider info."
 
Thread starter Similar threads Forum Replies Date
S Procedure on Privacy Policy in the ISO 13485 quality management system ISO 13485:2016 - Medical Device Quality Management Systems 3
M Automatic Data Gathering Requirements and Privacy Implications Medical Information Technology, Medical Software and Health Informatics 0
S Mobile app data privacy - Length of record retention in a software app Medical Information Technology, Medical Software and Health Informatics 1
Marc Privacy Policy - EU GDPR Compliance - 1 December 2018 Elsmar Cove Forum ToS and Forum Policies 0
K GDPR - Is it really necessary for the DPO(s) to be knowledgeable to Data Privacy Law? IEC 27001 - Information Security Management Systems (ISMS) 3
Raffy What is the first step in doing PIA (Privacy Impact Assessment)? IEC 27001 - Information Security Management Systems (ISMS) 3
Q Regulations around Data Privacy 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
Marc Google - New Privacy Info - July 2016 World News 3
P HIPAA Privacy - Login password or USB Access key? Other US Medical Device Regulations 3
Marc Reality Privacy Policy Funny Stuff - Jokes and Humour 0
Marc Facebook and Privacy - Food for Thought After Work and Weekend Discussion Topics 8
Marc Facebook Privacy Settings as of 20100513 After Work and Weekend Discussion Topics 0
Marc Privacy issues? Facebook Aspects to Think About After Work and Weekend Discussion Topics 2
Marc Privacy - Elsmar Cove Privacy Policy and Statement Elsmar Cove Forum ToS and Forum Policies 0
Marc Privacy Policy - Elsmar Cove Privacy (and Cookie) Policy - 090405 Elsmar Cove Forum ToS and Forum Policies 4
Icy Mountain Spyware, (key)loggers, verification, and privacy - Protecting Children After Work and Weekend Discussion Topics 12
Marc Laptops at U.S. border: No privacy rights Travel - Hotels, Motels, Planes and Trains 6
Marc Thinking Privacy and Security? Microsoft's Passport Program After Work and Weekend Discussion Topics 0
Q Thoughts on Communications relevant to the Quality Management System ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
M How to Document Internal & External Communications - Suggestions/examples pls IATF 16949 - Automotive Quality Systems Standard 3
A FDA guidance for MDDS, Medical Images Storage, Medical Image Communications 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 13
A Quality Awareness Communications through Internal TVs Misc. Quality Assurance and Business Systems Related Topics 2
L Use of TV (CCTV) for Internal Communications ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
T External Communications - Should this have been raised as a Minor Non-Conformance? Miscellaneous Environmental Standards and EMS Related Discussions 12
J Supporting Processes - Legal and Communications Department ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Marc New communications technology disrupts America?s newspaper industry After Work and Weekend Discussion Topics 0
Icy Mountain Customer Service: AIAG vs. ASQ - Communications and Responses Coffee Break and Water Cooler Discussions 3
A Overcoming Obstacles to Effective Communications in the Workplace Misc. Quality Assurance and Business Systems Related Topics 17
E Communications to/from the Customer Document Control Systems, Procedures, Forms and Templates 11
C ISO 9001:2000 - Main goal of a communications process in any organization? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
SteelMaiden Internal Communications - Quality Systems vs. Six Sigma Training Six Sigma 6
A Project Management and Communications - Any Advice? Misc. Quality Assurance and Business Systems Related Topics 10
WALLACE NLP (neuro linguistic programing) - Communications skills Misc. Quality Assurance and Business Systems Related Topics 2
M MDR "Common Specifications" (CS) - If not standards, then what? EU Medical Device Regulations 3
G Is it common to do a repeatability check during calibration of an instrument? General Measurement Device and Calibration Topics 5
M Medical Device Directive - Seeking common nonconformance write up scenarios CE Marking (Conformité Européene) / CB Scheme 2
K PFMEA (Process FMEA) - Can be common for 3000 products? FMEA and Control Plans 2
Sidney Vianna What do these things have in common? Surge in new ISO Committees & Standards Other ISO and International Standards and European Regulations 7
A CTD (Common Technical Document) for a Topical Preparation Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
W IMDS - Help (Common Warning and Error Fixes) RoHS, REACH, ELV, IMDS and Restricted Substances 9
M CB and Internal auditors most common nonconformities against AS9100D AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 16
W Can 2 different sites under different Quality System have a common management review? ISO 13485:2016 - Medical Device Quality Management Systems 4
G ISO 17025 Calibration Laboratory Assessor's Common Questions and Procedures ISO 17025 related Discussions 11
M IATF:16949 Common Quality Manual - Company is in Country A and Country B Quality Management System (QMS) Manuals 5
I Is it common practice for a bake oven to require a CQI-9? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 1
P Converting DMF III into eCTD (Electronic Common Technical Document) Medical Information Technology, Medical Software and Health Informatics 4
R Common Statistical Errors Using Minitab Software 1
cscalise Separate Forms or Procedure Attachments - What's more common? Document Control Systems, Procedures, Forms and Templates 2
J What is the most common industry requesting ISO 9001 Certification ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
2 Is it common to employ part time dental assistants ? Coffee Break and Water Cooler Discussions 3
Similar threads


















































Top Bottom