You have a mobile workforce, so you issue mobile devices to your employees. You pay for their mobile service and make sure their equipment is working. Since it's intended for business, you have the right to read employees' text messages. What's more, you have a policy that says so, in so many words. All employees must acknowledge this policy when receiving their Blackberry devices or other smartphones.

Legally, you might think you're well covered -- and you might be wrong. In Ontario, Calif., police officials reviewed an unusually large number of texts sent by a police sergeant named Jeff Quon. They found hundreds of sexually explicit texts. Quon sued, arguing that his bosses had no right to read the texts. The case made its way up the food chain to the Ninth Circuit Court of Appeals, which ruled in favor of the cop. Recently, the U.S. Supreme Court agreed to hear the case, with a final ruling expected this summer.

Whatever the court eventually rules, this is unlikely to be the last employment case involving text messages, and employers find themselves setting text and other communications policies in an increasingly confusing world. "Technology is changing fast and the courts are left to catch up," notes Jason C. Gavejian, an associate at Jackson Lewis LLP. "The biggest challenge is the interplay between federal law, and state and local law," he adds. "In one New Jersey case, the courts ruled that employers have an obligation to make sure employees are not viewing child pornography. That requires monitoring. Now the Supreme Court may rule that monitoring is illegal." If it does, the two rulings will be in direct conflict, and employers in New Jersey will have to choose between disobeying state and federal courts.

It should be clear by now that setting an appropriate policy governing the use of mobile devices is a very serious business. But many small companies don't take it seriously enough, says Michael McAuliffe Miller, partner in the labor and employment group at Eckert Seamans Cherin & Mellott, LLC. "The biggest mistake companies make is that they have no policy on texting and mobile communications," he says. "Or else, they have an off-the-shelf policy that they've downloaded from the Internet. Then they're inconsistent about enforcing the policy, especially with employees everybody likes."

Develop a policy on texting

If the above is a good description of how not to handle texting policy, what's the right way to do it, especially in light of the Quon case? Unfortunately, there's no one right way, but here are some steps that may help:

Have the right people create policy. "In many companies we consult, these policies are set by an IT person," notes James Sinclair, principal of OnSite Consulting, a hospitality industry consulting firm that specializes in helping financially troubled companies regain profitability. "I'm a big believer that these should be management decisions." Top management should set mobile communications policy, with input from legal counsel.

Update the policy often. Especially any time you provide employees with new types of devices. "One of the issues in the Quon case is that the police force's policy had been written to apply to e-mail, not texts."

Reduce expectation of privacy. "Employers should have a policy that says employees have 'no reasonable expectation of privacy.' That's the key phrase," Miller says. The policy should be distributed to employees at regular intervals, and they should be asked to acknowledge their agreement. "Some employers make that consent interactive," he adds. "It could be part of the employee's log-in process."

Specify who can change policy -- and who can't. In the Quon case, the police force had a formal policy that said texts weren't private. But a lieutenant told Quon informally that if he paid for any texts beyond the 25,000 characters a month on his pager plan, no one would read his texts. "You should have in your policy that no one but a designated senior official of the company can change the policy," Miller says.

Train managers about the policy. "You want to make sure managers get proper training so that when they inform employees about the policy they're doing it in a uniform fashion, consistent with what the company wants to accomplish," Gavejian says.

Specify how equipment is to be used. This is a tricky question. You can't define unauthorized use too narrowly, Gavejian says. For instance, if you write a rule against sexually explicit text messages, it won't apply to sexually explicit images. Instead he suggests a rule that company equipment be used only for business communications. At the same time, he acknowledges, such a rule may not be realistic. "You can't stop someone from sending a message home saying 'I'll be late for dinner," he notes. "I don't think there's one universal policy everyone can apply. It has to be analyzed on a case-by-case basis, and depending what technology you're using."

Keep messages on your own servers. This is a potentially costly solution that isn't right for every small company. But, because its clients' data is always highly confidential, OnSite Consulting chose to route all e-mails and Blackberry messages through its own servers. "We worked with our general counsel and did a lot of research," Sinclair explains. "By default, if you're going through our server, you're accepting our terms and conditions, and the messages are automatically copied and audited."

This solution may become more popular in the wake of the Quon case: One of the questions at issue is whether his employer had the right to demand his text messages from their pager company, and whether the pager company was right in acceding to that demand. OnSite's server is hosted and maintained by a hosting provider, but it does physically belong to OnSite. "We made it a priority and spent a significant sum for a technology we can't see or directly use and that does not contribute to our return on investment," Sinclair says. "But it provides another layer of protection for our clients." It also provides a real-world model of how to most safely handle employee communications. "We have to do it," Sinclair says. "We can't walk in there as a consulting company and have a less-than-perfect system ourselves."