Blurring of Work, Personal Tech Drives Privacy Disputes

Blurring of Work, Personal Tech Drives Privacy Disputes

The Recorder
January 30, 2015

SAN FRANCISCO — Administrators at Granada Middle School had first grown suspicious of Charles Brautigam after noticing a 17-year-old former student seemed to spend a lot of time hanging around his classroom.

Brautigam, who taught social studies and language arts at the southern California school, assured them he was tutoring the girl—nothing more. Then, in 2008, shortly after she turned 18, the two married. Brautigam was 36.

Complaints began pouring in from parents. Brautigam photographed his underage students without permission, "stalked" them on Twitter at night, and humiliated them in front of their peers, according to a statement of charges filed against him by the East Whittier School District.

District officials placed Brautigam on administrative leave in 2013 and went to work building a case to fire him. During a search of Brautigam's work laptop, an administrator found passwords to his personal Facebook and Gmail accounts saved in the browser, and logged on. According to Brautigam's lawyers, the "online surveillance campaign," went on for months, during which time officials accessed messages Brautigam sent from home to his friends, family, attorneys and union representative.

"If plaintiff had left his house keys in his classroom," Brautigam's attorneys wrote in a 2014 suit against the district for violation of privacy, "one wonders whether defendants would have donned ski-masks and pried into his home."

Brautigam's case may be an extreme example, but disputes involving employees' personal accounts and communications represent a new front in the workplace privacy war. Today many workers use personal cellphones to conduct business or check private email from work computers, blurring the line between work and personal technology.

While U.S. companies have vast leeway to monitor computer use, it's unclear just how deep employers can pry into employees' online history or under what circumstances they can read private emails or social media posts.

Lawrence Julius Turman, an employment partner with Reed Smith in San Francisco, said clients are increasingly asking how to monitor their employees' online activities without setting themselves up for a lawsuit.

Supervisors may be concerned that employees are uploading trade secrets to the cloud or disparaging the company brand on social media, he said. But as the law evolves, often far more slowly than technology, employers aren't sure how to watch for those things without stepping on privacy rights.

"The rules change," Turman said, "and the employers have to keep up with that."

San Francisco lawyer Jeffrey Rosenfeld of Kronenberg Rosenfeld, who represents Brautigam, says the district's intrusion was out of bounds. But he concedes the boundary isn't perfectly defined.

"There's not a wealth of authority on these issues," he said. "Email is a relatively new technology. Monitoring people's email is even newer. So I think we're just starting to see the beginnings of these cases."The East Whittier City School District, represented by McCune & Harber in Los Angeles, says its monitoring of Brautigam's accounts was justified because his passwords were saved and anyone could "stumble upon" them. They say the messages uncovered "prove inappropriate conduct" by Brautigam and are "critically important" to the district's case.

Brautigam signed a employee computer-use policy, which stipulated the district could monitor activity on his work computer. But Rosenfeld, counsel for Brautigam, argues the policy said nothing about accessing personal messages sent from outside computers.

Dana McCune of McCune & Harber didn't respond to calls or emails seeking comment. So far judges have sided with the teacher. A Los Angeles County judge denied the district's demurrer in early January, and last year Administrative Law Judge Vincent Nafarrete ruled the school district cannot use the personal messages to make its case for Brautigam's removal, a decision the Whittier district has appealed.

Lothar Determann, a Baker & McKenzie partner not involved with the case, said such disputes often hinge on what is covered in an employer's computer-use policy. A worker might compromise his position by returning his work laptop with the passwords saved in the browser, Determann noted.

"Usually the employee would change the passwords," he said. "Or not store the passwords for confidential accounts."

A similar issue has surfaced in a suit pitting Lyft's onetime chief operating officer against his former employer. Travis VanderZanden, now vice president of international growth at Uber Technologies Inc., accused his ex-employers at Lyft Inc. of reading personal texts and emails he sent after his last day at the company.

Lyft has its own gripes with VanderZanden, who the company's lawyers claim made off with thousands of sensitive documents before defecting to Uber. In a countersuit, VanderZanden insists Lyft learned of his job talks with the company's rival by sifting through his private communications.

The heavily redacted complaint filed in San Francisco Superior Court doesn't make clear just how VanderZanden believes Lyft accessed the messages. A Lyft spokeswoman has said the claims are baseless, though the company has acknowledged conducting a full forensic investigation on VanderZanden's work computer.

Orrick, Herrington & Sutcliffe partner Joseph Liburt said clients have legitimate reasons for monitoring computer use and workplace privacy has become a hot topic at legal seminars. Companies come to him, Liburt said, looking for "bright line" rules.

So far courts haven't created a clear framework. In August, U.S. District Judge Saundra Brown Armstrong of the Northern District of California ruled for equipment rental company Sunbelt Rentals Inc. A Sunbelt sales representative had synced his work iPhone and iPad to his personal Apple account and neglected to remove the devices when he left the company, allowing his former employer to read messages sent from his new iPhone. In Sunbelt Rentals v. Victor, Armstrong ruled "the transmission of those messages was entirely Victor's doing" and said the company couldn't be faulted for reading them.

A federal judge in Ohio came down differently in a 2013 case, allowing a claim to proceed against Verizon Wireless Inc. under the Stored Communications Act. The judge ruled Verizon had no authority to read 48,000 personal emails still viewable when a former employee turned in her BlackBerry without first closing her Gmail account.

Brautigam's suit in Los Angeles Superior Court includes a federal Wiretap Act claim, which Fenwick & West special counsel Robert Brownstone said can be a difficult one to win. The law, passed in 1968 to address telephone eavesdropping, was last updated in 1986. The archaic language doesn't fit perfectly with email snooping.

Courts in the past have interpreted the Wiretap Act narrowly, Brownstone said. But that could be changing.

"It's possible that over time judges have grown impatient waiting for Congress to update the rules," Brownstone said.

He said the best defense for companies is an airtight computer-use policy.

"What I work with clients on is being very, very clear in the written policy that there's no expectation of privacy," he said, "and it extends to any and all information passing through, received, stored or transmitted on any network device not only provided by the employer, but cost-reimbursed or supported by the employer."

Still, he wouldn't suggest clients draft policies that explicitly say they can log in to employees' personal email accounts. That, he said, is "going to run afoul of too many laws."

Contact the reporter at mkendall@alm.com.



Blurring of Work, Personal Tech Drives Privacy Disputes