E-mail surveillance and constructive knowledge (Part 2)

In my post yesterday I suggested that employers in some circumstances may be presumed to have constructive knowledge of employee e-mails and that this may justify routine e-mail monitoring.

Let’s push the idea of constructive knowledge a little further.

Consider the Virginia Tech shooting. Let’s say Cho Seung-Hui, the troubled 23-year-old shooter, had an accomplice and let’s say Cho and the acomplice planned the shooting by way of e-mail exchange. Could the University be liable for failing to take reasonable steps in response to the e-mail exchange? In other words, would it have breached a duty (either a civil duty or perhaps one based in occupational health and safety legislation) to monitor its e-mail system to identify threatening e-mails and respond appropriately?

I’ve been thinking lots about the privacy-related implications of Virginia Tech and wrote about it with my colleague Catherine Peters several months ago. As universities and colleges across North America are thinking through their security-related policy, I wouldn’t be surprised if routine, software-aided e-mail surveillance is under consideration at one or more institutions.

Could it be justified on the basis of a competing legal duty? The most directly-applicable case law is American, and tends to suggest the answer is “no.”

In Shin v. MIT the Commonwealth of Massachusetts Superior Court allowed a wrongful death action to proceed against a suicidal student’s residence don and MIT’s dean of student affairs – finding they did have a duty to take reasonable steps to secure the student’s short term safety. The case caught the attention of colleges and universities who would argue (as MIT did) that the relationship between a student and a post-secondary educational institution is not close enough to warrant a duty to protect students from harming themselves and others. The duty endorsed by the court is seemingly triggered by the formation of a quasi-custodial relationship marked, in its words, by the “imminent probability of harm.” On this reasoning, at some point after a student is designated “at risk” (voluntarily or otherwise) a school’s duty crystallizes. At the same time, the student’s right to privacy becomes diminished.

As for the duty to protect the campus community at large (where the risk is generalized rather than specific), the duty is more likely to conflict with privacy rights. This is well-illustrated by another Commonwealth of Massachusetts Superior Court decision – Bash v. Clark University from last November. The student who attended at Clark and died from a heroin overdose at the end of her freshman year was far from trouble-free. In her one year at the university she had been noted a number of times for alcohol related misconduct, placed on academic probation, referred to counseling and questioned about drug use (where she admitted trying heroin). The Court held the University and its administrators did not owe the student a duty of care. It made the point that the standard for the imposition of a duty is high because of competing “social values,” including privacy values:

Third, recognition of the existence of a legal duty on the part of university officials and staff in this case would conflict with the expanded right of privacy that society has come to regard as the norm in connection with the activities of college students. The incursion upon a student’s privacy and freedom that would be necessary to enable a university to monitor students during virtually every moment of their day and night to guard against the risks of harm from the voluntary ingestion of drugs is unacceptable and would not be tolerated.

So short of some threshold – which is high according to this Court’s reasoning – a school’s duty is limited and student privacy rights remain undiminished. This certainly weighs against a duty and corresponding right to conduct routine e-mail surveillance as a means of managing the risk of catastrophic on-campus violence. It also supports an argument that a university or college will not likely be held to have constructive knowledge of e-mails sent over its system in the same manner as would other organizations.

While this reasoning may not give university and college administrators comfort when contemplating the Cho Seung-Hui scenario presented above, they can and should take other steps to assess and monitor potential threats (including reasonable grounds e-mail searches). If they are confident that these means will not be effective, depending on local laws, routine e-mail monitoring may still be an option. My only point, and I hope it’s a useful one, is that privacy rights must fit with (and be limited by) competing legal duties.

E-mail surveillance and constructive knowledge (Part 1)

Just when is an organization’s e-mail system a record of its conscience?  And if it is, does this justify routine e-mail surveillance?

People haven’t been talking about e-mail surveillance in the workplace for some time now.  Even video surveillance is a little passe, with far sexier monitoring technologies like GPS, biometrics, keystroke monitoring and RFID implants taking centre-stage.

The reality is that there’s never been a business case for routine monitoring of employee e-mails.  Who’s got the time to read through employee e-mails?  With broad “no expectation of privacy” statements in almost every employer’s computer use policy backed by a practical restraint on doing anything more than reasonable grounds searches, the law on e-mail monitoring has seemed in balance for the last half-decade.

Is this about to change?  Here is some evidence that the answer is “yes.”  First, we heard about the aggressiveness of the United States domestic security program since 9/11.   Professor Daniel Solove’s recent article does a fine job of describing its “Total Information Awareness” project, a data-mining initiative.  Then back in April, Fortune 500 retailer came under some heat when a fired security worker exposed the extent of the company’s surveillance activity, which apparently includes (or included) software-supported monitoring of its computer systems.  My last piece of evidence in anecdotal.  A forensic accountant friend of mine suggested to me a few week’s back that data-mining software is in use in at least some organizations as part of their corporate governance initiatives.

Assuming that routine e-mail monitoring is coming into its time, when is it likely to be justified?

To start, Canadian labour arbitrators (the only Canadian decision-makers who have regularly had the opportunity to address the validity of e-mail surveillance) have taken a different approach to computer systems surveillance than other forms of surveillance.  Rather, than balance business interests against employee privacy rights, they’ve arguably applied a more employer-friendly approach that has centred on the property rights of a system owner:  “It’s your property so you can assert absolute control over users’ expectation of privacy.”  This approach may seem offensive to privacy advocates, but it’s consistent with the balancing approach when one considers competing legal duties and whether the employer will be deemed (in an assessment of whether it has discharged such duties) to have constructive knowledge of the transitory and non-business communications made through its system.

Take the duty to provide a harassment-free workplace for example.  Starting with the Supreme Court of Canada’s Robichaud case, courts and tribunals have placed a very high standard of due dilligence on employers to root out and stop workplace harassment.  The premise is that employees are vulnerable and only the employer (who controls the workplace) has the ability to protect.  Although the standard is not one of strict liability, any employer that receives a harassment complaint, searches for responsive e-mails and only then discovers a harmful and longstanding dialogue should be very concerned.  Is it any coincidence that some of the hardest-fought e-discovery cases in the United States – including the Zubulake case – are harassment cases?

As offensive as routine e-mail monitoring seems, I wouldn’t rule it out.  Your average corporate counsel today will squirm if you ask her what she thinks is being sent over her company’s computer system.  At least under Canadian harassment law, the corporate computer system is treated as a record of the corporate conscience.  Constructive knowledge is presumed and, in my view, very difficult to rebut.  The ideal e-mail system would file all business e-mails into a logical structure and immediately obliterate everything else, but the greatest document management system in the world won’t achieve this ideal.  Does this make routine monitoring a justifiable alternative?

I plan on following this post with another on college and university computer systems, constructive knowledge and the duty of care to prevent incidents of catastrophic violence like what happened at Virginia Tech.  I feel very cool about the use of routine surveillance in this context.  Please come back to hear why.

Finding my own voice

Hello?  Is anyone there?

I’m Dan Michaluk, and this is my blog.  In the last few years I’ve spent a lot of time on the internet reading other people’s blogs.  The medium is amazing and I’ve learned lots from other’s generosity in sharing their information and knowledge.  Now that I’m writing this, part of me’s wondering what I’ve been waiting for.

I am a lawyer at a firm in Toronto, Canada called Hicks Morley.  We’re the biggest management-side labour and employment law boutique in Canada, but my practice is a little anomalous for the firm because I specialize in information and privacy, which I like to define broadly as including (fascinating) subjects such as the law of confidential business information, the law of production (including e-discovery) and records management.   We also have a very strong client base in the secondary and post-secondary education sectors, and I’ve been lucky to do a significant amount of rewarding work with education sector clients.  My official bio is here, and for more about me please check out my about page.

I got inspired to do this when I had a thought at about routine e-mail surveillance but didn’t know where to publish it.  We have a client newsletter called the Hicks Information and Privacy Post.  I edit it with my good colleague Paul Broad, but its a quaterly and essentially a case law update.  I really enjoy it (and please e-mail me if you’d like to subscribe) but it’s written in my “Hicks voice.”  My thought about e-mail surveillance was the kind of thought you write in an e-mail to a colleague just so you have it down – also the kind of thought you could work into a paper by spending a lot of time on it (but that will never have significantly more value than when it was simply a thought).  So I decided I needed to start this blog.   

My plan is to make at least a couple of posts a week.  I like to scan and read a lot of information and privacy case law, so I’ll post summaries here regularly.  I’ll also try my best to post an original thought once and a while.

If it all works out as planned I’ll learn lots while making some friends and business contacts.  I hope you come back often and enjoy.