
Private Information Is an Asset

The following is excerpted from “Information Nation: Seven Keys to Information Management Compliance.”

You’ve likely received privacy policy statements from your bank, your stockbroker and your creditors in the past year. And you have probably noticed that e-commerce Web sites publicize their privacy policies. Whether you’ve bothered to read any of them, you certainly know that privacy has become a prominent consumer issue.

The personal information that banks, brokerage firms, creditors, e-merchants and others collect about their customers is so valuable that other marketers are willing to pay tidy sums for such data. But consumers have become very protective of their private information.

One recent high-profile case to test the idea of private information as an asset was that of Toysmart.com. In 2001, this failed dot-com retailer allegedly listed the personal information of 250,000 customers as an asset that could be sold during bankruptcy proceedings. This, despite its privacy policy, which stated:

“Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. … When you register with Toysmart.com, you can rest assured that your information will never be shared with a third party.”

The customer data included details such as names, credit card information, home addresses, names and birthdays of children, and shopping preferences.

After an outcry from former customers and privacy advocates, and a great deal of embarrassing coverage, its parent company agreed to buy the list for $50,000 and destroy it.

Privacy policy revisions. Amazon.com faced a similar outcry in 2001 when it allegedly made a change to its privacy policy that would allow it to sell its customer information to a third party in the event that it was acquired or went out of business. The Federal Trade Commission began an investigation into the way Amazon’s change in its privacy policy affected consumers.

Around that time, Amazon paid up to $1.9 million to settle a class-action lawsuit launched by users of the company’s “Alexa” service who complained that personally identifiable information was being collected and retained in violation of the company’s privacy policy. The FTC said that “certain of Amazon.com’s and Alexa Internet’s practices likely were deceptive,” and Amazon agreed to pay $40 to each affected user.

Organizations must ensure that their privacy policies are comprehensive enough to address all reasonably foreseeable events, like mergers, acquisitions, new business partners and change in business direction. Also, organizations must be prepared to live by the promises made in these policies. If drastic changes are required, it may be necessary to “grandfather” existing customers under the old policy while applying the new policy only to new customers. In any case, a proactive communication plan for all customers should be a prerequisite of any privacy policy change.

Ownership of information. Your organization has a responsibility to properly manage and protect information assets as it would any other asset that it owns. The data stored on the information systems across your organization — from the largest customer relationship management databases to the smallest handheld e-mail devices — are your organization’s lifeblood, and must be protected as such.

The information that employees generate in their daily working activities is also part of your organization’s information asset collection. It is your responsibility to inform employees, through policies and training, that all such business information is the property of the organization. This will help establish the importance of the information and set expectations for how this information will be treated when an employee leaves your organization. The following is a sample policy statement that informs employees about this issue.

Ownership of Company Information:

Sample Policy Statement. All information that you create, receive and/or use while conducting company business is owned by the company, regardless of whether that information is in paper, electronic or any other tangible form. In addition, all employees must provide all business information in their possession or control to the Company upon request, at any time, for any reason.

Individuals who cease to be employees of the company must provide the original and all copies of any business information to their supervisor prior to leaving the company. All business information located in any company facility or facilities managed by another entity on behalf of the company is presumed to be company property. All business information created or stored on or in a company computer, imaging system, communications system, telecommunications system, storage device, storage medium or any other company system, medium or device is presumed to be company property.

All business information, regardless of its location, that in any way pertains to the company or company business, is presumed to be company property. Only upon a showing that the business information in question does not in any way relate to company business will such information be deemed to be other than company property. Theft or appropriation of any business information is strictly prohibited. Giving access to another person who is not authorized to have access to, review or otherwise see company business information is also strictly prohibited.

Undertaking these prohibited acts may result in termination and/or civil or criminal penalties.

Privacy of employee information at work. You need to be clear with employees about whether they should expect that the information they create and receive on the job is private. Generally, organizations in the United States have taken the approach that such information is not private, and the organization thus reserves the right to access and review it at will.

U.S. courts have generally supported this approach. For example, in Garrity v. John Hancock Mut. Life Ins. Co., two female employees were fired for sending sexually explicit e-mail over the company e-mail system, in contravention of the company e-mail policy. The employees viewed the e-mail containing the offensive content as personal, and argued that the company invaded their privacy when it accessed and examined it. The court weighed the issues to determine whether “the expectation of privacy was reasonable.”

The court did not find that expectation reasonable, for several reasons:

· The company’s e-mail policy stated, “Company management reserves the right to access all Email files,” and “there may be business or legal situations that necessitate company review of Email messages and other documents.”

· The company “periodically reminded employees that it was their responsibility to know and understand the email policy,” and employees had been warned about “several incidents in which employees were disciplined for violations.”

· The two employees testified that they sent the e-mail messages (some of which were jokes) to other employees with the expectation that they would subsequently be forwarded.

· The employees admitted that they knew the company had the ability to examine company e-mail messages.

Legal opinions on this approach to employee privacy at work are not consistent in every jurisdiction, and companies should investigate the laws of each jurisdiction in which they do business. For example, the Social Chamber of the Supreme Court of France ruled in 2001 that an employee’s personal e-mail sent or received on company systems could not be accessed and viewed by an employer, even if the company advised employees that it would do so.

Privacy of Employee Information:

Sample Policy Statement

Company resources used by employees to create, transmit, receive and store business information, such as computers, the e-mail system and facsimile machines, should only be used for business purposes. In addition, the information in these systems should only be related to Company business. These resources, and the information contained within them, are the property of the Company. Furthermore, the company reserves the right to access and review any business information, whether it is located in company facilities or not.

Employees do not have and should not expect any right to privacy with respect to any Company business information, including e-mail transmission, electronic communication or Internet or intranet communication. The Company reserves the right to monitor the use of any company property, equipment, phone line, computer, software or any storage device.

© 2004, Randolph A. Kahn, ESQ., and Barclay T. Blair. For informational purposes only. Get the advice of counsel before adopting any Information Management policy element.
