Tuesday, June 22, 2010

Workplace Privacy: Ontario Prevails on Data Audit...

Operational Risk Management professionals in corporate America have been following the Quon vs. City of Ontario case for five plus years. Now the Supreme Court of the United States has ruled 9-0 to increase the clarity on the new age of electronic privacy in the workplace. The LA Times explains:

Washington…In its first ruling on the rights of employees who send messages on the job, the Supreme Court rejected a broad right of privacy for workers Thursday and said supervisors may read through an employee's text messages if they suspect the work rules are being violated.

In a 9-0 ruling, the justices said a police chief in southern California did not violate the constitutional rights of an officer when he read the transcripts of sexually explicit text messages sent from the officer's pager.

In this case, the high court said the police chief's reading of the officer's text messages was a search, but it was also reasonable.

Police Sgt. Jeff Quon had sued the chief and the city of Ontario, California after he learned the chief had read through thousands of text messages he had sent to his wife and a girl friend. Quon won in the 9th Circuit Court of Appeals, but lost in the Supreme Court Thursday.


The scope of the investigation by the employer was not unreasonable and within the scope of determining whether the large amount of text messages was work related. What kind of corporate risk initiatives will be impacted by this ruling?

As corporations continue to battle the "Insider" risk associated with occupational fraud, workplace violence related stalking or sexting, industrial espionage, corruption and violations of acceptable use policies this case will become an example. What will continue to be the challenge for OPS Risk professionals who are responsible for internal monitoring, digital asset audits and insider investigations of potential malfeasance is the scope and reasonable nature of the case.

Get ready for a rush to the local Verizon Wireless or AT&T store for your own personal PDA or iPhone due to Justice Kennedy's ruling:

What’s more, Kennedy suggested that privacy in the modern age has more than one meaning.

“Cell phone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self identification. That might strengthen the case for an expectation of privacy. On the other hand, the ubiquity of those devices has made them generally affordable, so one could counter that employees who need cell phones or similar devices for personal matters can purchase and pay for their own. And employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated. “


If you are the CxO responsible for the auditing of digital assets within the enterprise, or the responsible party for insuring privacy in the workplace it's time to convene a two day workshop to review. Take a few days to bring the legal, privacy, IT and business unit deal makers to the same hotel resort country club to converge on this vital issue. The Operational Risks associated with executive communications that were previously thought to be private may be monitored and audited anytime when company assets are being utilized.

The opportunity to work through different workplace related scenarios, highlight the legal rulings and discuss the "What if's" could mean the difference between adversarial litigation and "Achieving a Defensible Standard of Care."

This is also a good time to establish the foundation for the "Corporate Intelligence Unit" within the enterprise:

Beyond the utilization of threat assessment or management teams, enterprises are going to the next level in creating a "Corporate Intelligence Unit" (CIU). The CIU is providing the "Strategic Insight" framework and assisting the organization in "Achieving a Defensible Standard of Care."

The framework elements that encompass policy, legal, privacy, governance, litigation, security, incidents and safety surround the CIU with effective processes and procedures that provides a push / pull of information flow. Application of the correct tools, software systems and controls adds to the overall milestone of what many corporate risk managers already understand.

The best way in most cases to defend against an insider attack and prevent an insider incident is to continuously help identify the source of the incident, the person(s) responsible and to correlate information on other peers that may have been impacted by the same incident or modus operandi of the subject.