Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

Posted on December 21, 2009 by Privacy and Data Protection Practice Group

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

  • Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
  • Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
  • Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.
Tags: , , , , , , , ,

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,

New Jersey Appeals Court Broadly Construes Employee's "Right To Privacy" Using Company Computers

Posted on June 30, 2009 by Privacy and Data Protection Practice Group

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:

  • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
  • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
  • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
  • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
 

Tags: , , , , ,

Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook

Posted on March 24, 2009 by Privacy and Data Protection Practice Group

Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?

A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer).

When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
 

Key to the decision was the following company policy: “[I]nternet use and communication . . . are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Put another way, Loving Care told its employees that their Internet use is not private. Stengart’s Internet-based e-mail fell squarely within the policy. As a result, she could not claim the e-mail was protected by attorney-client privilege.

There are two important takeaways for employers. First, be specific about online privacy using the company’s electronic resources. In particular, tell employees that they should not use the company’s Internet connection to access personal e-mail accounts for purposes of conducting company business or to send any e-mail that they wish to keep private.

Second, ensure that you can prove each employee knows the rules. Stengart tried to claim that she was not aware of Loving Care’s Internet policy. The trial court rejected that argument because she was a long-time employee with significant management responsibility. Lower-level, shorter-term employees may have a more credible argument. To defeat that argument before it is made, employers should document that each employee has acknowledged receipt of the company’s electronic resources policy.

This entry was co-authored by Philip L. Gordon and Kate H. Bally.
Tags: , , , , ,

A Case to Watch re Workplace Monitoring: Sidell v. Structured Settlement Investments

Posted on July 7, 2008 by Justin A. Morello

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log-off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.

Soon after his termination, the office manager demanded arbitration under his employment contract. During discovery, it became apparent that following the office manager’s termination, the company had been monitoring the manager’s personal Yahoo! email account. The office manager then filed a separate lawsuit against the company, claiming violations of the Federal Wiretap Act, the Stored Communications Act, state statutes and for invasion of privacy. The case is currently pending.

The Federal Wiretap Act claim most likely will fail because claims under that statute can proceed only if the content of e-mail is acquired in the transmission process. The office manager’s other claims have a chance of surviving. As one commentator noted to The New York Times, these facts “would make a great exam question.”

This case raises a host of issues, including:

  • whether the former employee consented to the employer’s access to his personal e-mail because he did not log-off of his account or turn off his computer and he knew his former employer would have access to it;
  • whether employees have an expectation of privacy when they log-on to web based e-mail through company owned and controlled computers;
  • whether a terminated employee enjoys any expectation of privacy when using a former employer’s computer system;
  • the extent to which an employer may access information left by a terminated employee;
  • at what point attorneys have a duty to disclose attorney-client communications; and
  • how an employer’s electronic resources policies affect the expectation of privacy of employees and former employees. 

This case is also a reminder that electronic resources policies need careful consideration, including:

  • whether the policies should prohibit employees from using corporate resources to access personal e-mail accounts;
  • whether the policies should require employees to consent to their employer accessing their personal e-mail account if accessed using corporate resources; and
  • whether the policies should warn employees that their employer will access employees’ e-mail sent to a personal attorney over the corporate computer network.

There is no one right answer. Rather, employers need to consider their corporate culture, educate employees and be prepared to routinely enforce such policies in a uniform, non-discriminatory manner.
Tags: , , , , , , ,