Implied Security Policies Create Added Risk

The US Supreme Court has overturned a lower-court ruling and concluded that management has a right to review employee text messages on company-issued devices. If used as a precedent, this case may have far-reaching consequences for employee expectations of privacy in workplace communications. However, the ruling should also serve as a wake-up call for organizations that do not have explicit written security and privacy policies.

The case stemmed from an incident (reported here) in which management at the Ontario Police Department reviewed text messages to investigate compliance with bandwidth usage policies on company-issued devices. The department had an informal policy that limited usage to a fixed amount each month. Once several employees began exceeding these limits on a regular basis, management began a review and in the process discovered that some people were sending personal messages containing explicit sexual content. Once sanctioned, the employees sued the department, claiming that their privacy had been violated.

Written or Implied Security Policies

A key issue in the case is that, while the Ontario Police Department did have a written Acceptable Use Policy, that policy did not cover the monitoring of text messages. Instead, there was an “implied” policy that employee messages would not be audited if they paid for their text message overage out of their own pockets. On that basis, the 9th U.S. Circuit Court of Appeals in San Francisco ruled that the informal policy was enough to give the officers a “reasonable expectation of privacy” in their text messages and to establish that their constitutional rights had been violated.

The Supreme Court overturned this ruling, sending a clear message that organizations have a reasonable right to inspect employee communications while attempting to assess compliance with corporate policies.

The Good News

This ruling confirms a common security policy in place today in many organizations – namely that employees should not expect privacy when using company-issued equipment. However, the fact that this case went all the way to the Supreme Court illustrates an important policy-related lesson for organizations.

The Policy Lesson

All security and privacy-related policies should be in written documents, not implied in any verbal or informal communication. In this case, having an “implied” policy, rather than a written one, set up a risky environment for the Ontario Police that landed them in the news and exposed their business at the highest levels.