This article is published courtesy of the July 2009 State Bar Business Law Section newsletter.

Aug. 5, 2009 – The Ninth Circuit, in Quon v. Arch Wireless Operating Co., recently found that a public employee had a reasonable expectation of privacy in text messages sent and received on his employer-owned pager. Deborah Spanic advises businesses to review their computer usage policies after Quon.

The Ninth Circuit, in Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), recently found that a public employee had a reasonable expectation of privacy in text messages sent and received on his employer-owned pager. However, the widespread news commentary stating that this case means that all text messages are considered private is overstating the court’s actual holding and its real-world implications for private businesses.

The court’s holding is really much narrower. Much of the court’s analysis centered on the Fourth Amendment, which effectively means that the holding primarily applies to public employers, not private businesses. However, a de facto “informal” computer use policy was key in the court’s decision and provides some guidance for private businesses as well.

In this case, Arch Wireless provided text messaging services through pagers to the City of Ontario for use by its employees, one of whom was Jeff Quon. The City had no official policy specifically related to the use of the pagers, but it did have a general “Computer Usage, Internet and Email Policy,” which stated that “[t]he use of City-owned … equipment … is limited to City of Ontario related business.” The policy also stated that the City “reserves the right to monitor and log all network activity … without notice. Users should have no expectation of privacy when using these resources.”

Each pager was allotted 25,000 characters, and any amount over that was charged to the individual employee. When Quon went over the allotted amount, Lt. Duke, the supervisor in charge of the pager program, told Quon that as long as he reimbursed the City for the overages he would not have to audit the records to determine how many messages were not work-related. After Quon went over the allotted amount several more times, Duke complained to his superior about being a “bill collector,” which caused the superior to order the transcript of the pagers to determine if the messages were truly work-related. The City reviewed the transcripts from Arch Wireless and determined that a number of Quon’s messages were personal and often sexually explicit in nature.

On appeal was the district court’s finding that Arch Wireless was not in violation of the Stored Communications Act (SCA), and that the City and other co-defendants did not violate Quon’s Fourth Amendment right to be free from unreasonable search and seizure.

The Stored Communications Act

To decide whether or not Arch Wireless violated the SCA by turning over the transcripts to the City, the court needed to determine whether Arch Wireless is a “remote computing service” (RCS) or an “electronic communication service” (ECS). Under the SCA, an RCS can release private information to the subscriber of the service, while an ECS cannot. The SCA defines an ECS as a “service which provides users … the ability to send or receive … electronic communications.” An RCS is defined as “the provision to the public of computer storage or processing services by means of an electronic communications system.”

Given that the service Arch Wireless was providing was the actual electronic communications themselves, not storage or processing services by means of electronic communications, the court found that Arch Wireless was an ECS and therefore was prohibited from providing the contents of the electronic communications to anyone other than the addressee or intended recipient of such information. Since the City was not the addressee or intended recipient, but was rather the subscriber, it was a violation of the SCA for Arch Wireless to provide the transcripts to the City.

Fourth Amendment and the computer use policy

The court’s Fourth Amendment analysis focused on the reasonable expectation of privacy in electronic communications, and applies to unreasonable search and seizures by the government. For the purposes of private businesses, the Fourth Amendment does not apply, although the court’s reasoning does shed light on how it may rule in the future.

The court answered the threshold question regarding whether or not users of text messaging services have a reasonable expectation of privacy in those messages stored on the service provider’s network in the affirmative. The court clarifies, however, in that it makes a distinction between the address or header function of the message (the TO: and FROM: line), and the content of the message. Under the Fourth Amendment, there is not a reasonable expectation of privacy in the header of a message, but there is a reasonable expectation of privacy in the message content.

Next the court turned to the City’s policy, and found that Lt. Duke’s oral assurance that as long as Quon paid for the overages his messages would not be audited became the City’s “informal” policy regarding the text message usage, and that this informal policy effectively created Quon’s reasonable expectation of privacy in those messages. Key in that analysis was the fact that Lt. Duke was the one in charge of administering the pagers and therefore his statements carried a great deal of weight.

Recommendations for businesses

Even when considering the narrower scope of the Ninth Circuit’s ruling in Quon as it applies to private businesses that would not be subject to Fourth Amendment claims, there are still instructive lessons to be learned regarding computer usage policies. Following are several recommendations:

1. Be mindful of what employees say that could modify the written policy and create a de facto “informal” policy. It may be prudent to add a disclaimer to a formal written policy that the policy may not be amended or modified other than by written approval of a senior officer of the company.

2. A company’s written computer or electronic policy should accurately reflect actual practice, because in the event of a dispute, it’s the company’s actual practice that will likely win the day.

3. A company’s written policy should encompass any third-party providers of service, and/or the messages should be routed through the company’s own network to ensure the messages are covered under the written policy.

For more information, please contact Deborah Spanic at (414) 978-5318.

This article is published courtesy of the July 2009 edition of Business Law News, published by the State Bar Business Law Section. The State Bar offers its members the opportunity to network with other lawyers who share a common interest through its 26 sections. Section membership includes access to newsletters, email lists to facilitate information sharing, and other resources.