SMHLLAW

by Tichelle Sorensen

1.0 Defining Customer Information as Property

In the wake of a recent privacy policy update by AT&T Corporation defining customer information for some of its products as corporate property,[1] consumer advocates expressed concern over the possible implications for customers of companies who adopt these types of policies.[2] Although subsequent retractions indicate that concern over the perceived breadth the AT&T policy may have been premature (the AT&T policy will only apply customers of certain products), the debate remains relevant.

This concept of personal information as corporate property is especially interesting in the context of employment. Some employers, spurred by concerns of declining productivity, potential liability, or loss prevention have implemented policies designed to closely monitor much of their employees work life. Outside of work, most people follow the expectation that their activities are personal, and not subject to the disapproval of their employer – despite several recent examples demonstrating that this is not always the case.

2.0 Customer as an Employee

Where an employee of a company is also a customer, the implications are even more significant, as employees are clearly more identifiable and have more at stake. Companies routinely gather detailed information about their customers, with increasingly sophisticated technology used to track shopping habits and brand preference. Many supermarkets now use club-type cards, often required to access sale prices and other perks. At some stores, this creates easily accessible and highly detailed customer records. Where a company provides telephone or internet based services, the ability to review a person’s calling records and internet habits can be incredibly revealing – and somewhat uncomfortably so – about their personal habits, beliefs, and practices.

With this amount of information available, both the employee and company should be aware of how these details can be used in the context of employment policies and actions.

As an example, in 1997, the Seventh Circuit Court of Appeals was presented with a case involving Ameritech Corporation,[3] which was sued by a former employee who was fired for violating a company policy following an internal investigation based substantially on the employee’s home telephone records.[4] Ultimately, the court found no basis for Federal Jurisdiction and remanded to Illinois State Court, but expressed concern over the potential implications of the company policy:

“Ameritech’s response is eerily reminiscent of Orwell’s Big Brother…Ameritech’s lawyer stressed at oral argument that the MUD records “belong” to Ameritech, and from that he reasoned that Ameritech had the right to consult those files in the course of its internal management of the company. This means, in essence, that every Ameritech employee, from the CEO on down to the lowliest worker, can expect to have Ameritech reading the records of telephone calls placed from his or her line (which is what MUD records are) at any time, for any reason. Furthermore, the logic of Ameritech’s ownership argument suggests that Ameritech could listen in to anyone’s telephone calls whenever it wants, calling employees on the carpet for spending too much (or too little!) time in the evening on the telephone, criticizing them for patronizing the wrong “900” numbers, and reviewing their calling records every time they take a sick day off.”[5]

The court also indicated that the absolute ownership policy might be overly broad, in violation of the federal Communications Act.[6]

In a subsequent appeal following remand, the Illinois Court of Appeals found that the federal Electronic Communications Privacy Act[7] authorized the actions of the employer, Ameritech, to use or disclose communications to protect “..the rights or property of the provider of that service."[8] The court held that "right or property" includes protecting the company’s "monetary resources" which, in the context of Schmidt, would be depleted because the employee took an additional paid vacation while on disability leave (despite a company policy to the contrary.)[9] The court further reasoned that the investigation into the employee’s activities during the time he was on leave - which included visits by supervisors to his residence, and reviewing records of calls made from his home number and personal calling card - was "reasonable in light of federal case law that requires an employer to conduct a documented investigation into an employee’s alleged misdeeds before the employer may discipline that employee." [10]

3.0 Employee Expectations

What expectation should employees have of privacy in their personal telephone records? If the employer is a telecommunications provider, and the records are reviewed in order to investigate employee fraud or protect some financial interest of the employer, the ECPA seems to provide protection for the use of personal information in this context.

However, employers should be cautioned against implementing blanket policies of monitoring the private actions of employees without seeking the advice of counsel. Schmidt involved an isolated reviewing the calling records of one employee, in the course of an investigation into whether that employee lied about taking a vacation while he was on disability leave. Had the company monitored all employee’s home telephone records on a random and continuous basis – perhaps the court might have responded with the “Big Brother” analysis.

Employees signing up for the services of their employers should expect that the information contained in those records could be used in the course of an investigation affecting their employment. Similarly, this would also apply where the employer provides and pays for cellular telephone service, calling cards, or even credit cards. If records are submitted to the company for payment, employees should not expect that they will not be carefully reviewed by the employer.

4.0 Lessons Learned

If there is a lesson to be learned from the AT&T announcement, it may be that a clear policy is the best path to take. Companies who chose to characterize their customer information as corporate property can disclose their intent in the context of privacy statements or employee handbooks. This may not prevent litigation questioning the boundaries of the use, but employees who are aware of these policies, like all customers, should have the option to take their personal business – and information - elsewhere.

 

---

[1] The full text of the AT&T Policy is available online at http://help.sbcglobal.net/article.php?item=8620 [2] Sara Kehaulani Goo, Concerns Raised Over AT&T Privacy Policy, Wash. Post, Friday June 23, 2006, at D05 [3] Ameritech, one of the divested AT&T Regional Operating Companies, merged with SBC in 1999; in 2005 SBC merged with AT&T Corp. to create AT&T Inc. [4] Schmidt v. Ameritech, 115 F.3d 501 (7th Cir. 1997) [5] Schmidt at 504 [6] Codified in, 47 USC §605 [7] Codified in, 18 USC §2511 [8] Schmidt v. Ameritech Illinois 329 Ill.App3d 1020 (2002) [9] Schmidt at 1034 [10] Schmidt at 1034, citing Babb v. Minder 806 F.2d 749, 756 (7th Cir. 1986)