Mindful Monitoring

By Ian D. Meklinsky and Anne Ciesla Bancroft

On January 30, 2001, Anthony Cochenour called the FBI with a tip. Cochenour’s company, an Internet service provider, sold e-mail services to Frontline, an online payment processor. Cochenour told FBI Agent James Kennedy that a Frontline employee was accessing child pornography from his work computer. Kennedy contacted Frontline. As it turned out, the company’s IT department was already monitoring the culprit, Brian Ziegler.

After talking with Kennedy, IT employees decided to go beyond monitoring Ziegler’s computer activity remotely through the network. They obtained from HR a key to Ziegler’s office, which he kept locked when he was not there. Staff then entered the office when he was away and made two copies of Ziegler’s hard drive. The company, on advice of counsel, then turned Ziegler’s computer over to the FBI. Forensic examiners found numerous images of child pornography.

In May 2003, Ziegler was indicted on three counts of receiving obscene material. He pled not guilty. He also filed a lawsuit seeking to suppress the evidence against him, claiming that it was obtained illegally.

According to Ziegler’s suit, the government acted through Frontline to obtain the computer files and violated his Fourth Amendment right to privacy in the process. The U.S. District Court for the District of Montana held that Ziegler had no expectation of privacy in the files he accessed on the Internet, so those rights could not be violated by the government or his employer.

Ziegler appealed the decision. He argued that his computer files were the same as files in a desk drawer or a file cabinet. As proof, Ziegler noted that Frontline employees had to go through a locked door and access a password-protected account to get to the incriminating files.

The U.S. Court of Appeals for the Ninth Circuit ruled that Ziegler’s expectations of privacy were not reasonable. The court noted that Frontline had an employee monitoring program and that employees were informed about it through training and a manual. Employees were specifically told that the computers were owned by the company and were not to be used for personal activities. In the written opinion of the case, the court noted that “employee monitoring is largely an assumed practice, and thus we think a disseminated computer-use policy is entirely sufficient to defeat any [privacy] expectation that an employee might harbor.” (U.S. v. Ziegler, U.S. Court of Appeals for the Ninth Circuit, 2006)

Many organizations have resorted to monitoring their employees’ use of e-mail and Internet systems to prevent abuses and to protect themselves and their employees. However, as the Ziegler case illustrates, employers must be mindful of employee privacy rights as they implement monitoring programs if they are to steer clear of liability.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.