Employers Should Act Promptly in Response to NJ High Court's Recognition of Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers

Posted on April 1, 2010 by Privacy and Data Protection Practice Group

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

Although Stengart is binding only on employers doing business in New Jersey, the court’s ruling and analysis, apparently the first from any state supreme court, likely will influence other courts addressing similar circumstances. Consequently, it is critical that employers located anywhere in the United States understand the limits of the New Jersey Supreme Court’s decision:

  • The case does not change the commonly accepted principle that employers can use a well-crafted policy to reduce employee’s privacy expectations in communications stored on, or transmitted through, corporate electronic resources;
  • The court did not establish that employees have a right, as a matter of public policy, to use corporate electronic resources to communicate with a personal attorney;
  • The court itself acknowledged that employers can discipline employees for violating an electronic resources policy even if the violation is constituted by the employee’s communication with a personal attorney, albeit New Jersey employers cannot properly read the content of employee-attorney communications on which the discipline is based., It remains unclear if the decision means that other types of communications normally subject to privilege, such as with a doctor, clergy member or spouse, are also protected;
  • The court repeatedly emphasized the attorney-client nature of the communication and did not suggest that its finding of Stengart’s reasonable expectation of privacy would have been the same had Stengart been exchanging e-mail with a non-lawyer;
  • While the court found that Stengart had a reasonable expectation of privacy in her e-mail, it did not suggest that Stengart had a viable claim against Loving Care for invasion of privacy, which would require a showing that the employer’s review of the e-mail would be highly offensive to a reasonable person.

In short, the decision does not create a dystopia for employers in which employees can engage in unrestrained personal, e-mail use of corporate electronic resources, through either a corporate or personal e-mail account. The decision, nonetheless, should be a call to action for employers to revise or supplement their existing electronic resources policies as follow:

  • Inform all employees that the policy applies to every employee;
  • Warn employees that the company will monitor the use of employees’ electronic resources;
  • Notify employees that duplicates of e-mail transmitted through a personal, web-based e-mail account using company equipment could be stored on that equipment;
  • Explain that the company may, in its discretion, review all communications stored on, or transmitted by, company equipment regardless whether a personal account is used, subject to state laws regarding attorney-client communications
  • Prohibit employees from using any company resources (including the telephone) to communicate with a personal attorney except with the company’s prior approval;
  • Warn employees that they can be disciplined for violating the policy, including the prohibition on communications with a personal attorney using corporate electronic resources.

Significantly, employers should ensure that all employees receive, review and acknowledge receipt of the new/amended electronic resources policy. In addition, employers should establish guidelines for handling potentially privileged communications discovered on the employer’s information systems. First, IT and HR professionals should be trained in the indicators of potentially privileged communication, told not to review such communications except to the extent necessary to determine whether they might be privileged, and to promptly inform in-house or outside counsel about the discovery. Second, counsel should not review such communications except as minimally necessary to determine whether they might be privileged and, if so, follow applicable ethical rules for addressing waiver of privilege arising from the inadvertent disclosure of an attorney-client communication. Third, if the employer has implemented the policies described above, it should fully document the extent of the violation of company policy and determine whether and to what extent the employee should be disciplined.

Employers clearly have an overriding interest in preventing employees from using corporate electronic resources to plan potentially devastating litigation against the employer. Stengart does not bar employers form doing so.

For further analysis of this development, see Littler's ASAP New Jersey Supreme Court Rules that E-Mails Exchanged Between Employee and Her Attorney Using Company's Computer Remain Privileged.

This entry was co-authored by Philip L. Gordon and Christopher M. Leh.
Tags: , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

Posted on December 21, 2009 by Privacy and Data Protection Practice Group

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

  • Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
  • Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
  • Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.
Tags: , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

New Jersey Appeals Court Broadly Construes Employee's "Right To Privacy" Using Company Computers

Posted on June 30, 2009 by Privacy and Data Protection Practice Group

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:

  • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
  • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
  • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
  • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
 

Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook

Posted on March 24, 2009 by Privacy and Data Protection Practice Group

Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?

A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer).

When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
 

Key to the decision was the following company policy: “[I]nternet use and communication . . . are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Put another way, Loving Care told its employees that their Internet use is not private. Stengart’s Internet-based e-mail fell squarely within the policy. As a result, she could not claim the e-mail was protected by attorney-client privilege.

There are two important takeaways for employers. First, be specific about online privacy using the company’s electronic resources. In particular, tell employees that they should not use the company’s Internet connection to access personal e-mail accounts for purposes of conducting company business or to send any e-mail that they wish to keep private.

Second, ensure that you can prove each employee knows the rules. Stengart tried to claim that she was not aware of Loving Care’s Internet policy. The trial court rejected that argument because she was a long-time employee with significant management responsibility. Lower-level, shorter-term employees may have a more credible argument. To defeat that argument before it is made, employers should document that each employee has acknowledged receipt of the company’s electronic resources policy.

This entry was co-authored by Philip L. Gordon and Kate H. Bally.
Tags: , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

A Case to Watch re Workplace Monitoring: Sidell v. Structured Settlement Investments

Posted on July 7, 2008 by Justin A. Morello

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log-off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.

Soon after his termination, the office manager demanded arbitration under his employment contract. During discovery, it became apparent that following the office manager’s termination, the company had been monitoring the manager’s personal Yahoo! email account. The office manager then filed a separate lawsuit against the company, claiming violations of the Federal Wiretap Act, the Stored Communications Act, state statutes and for invasion of privacy. The case is currently pending.

The Federal Wiretap Act claim most likely will fail because claims under that statute can proceed only if the content of e-mail is acquired in the transmission process. The office manager’s other claims have a chance of surviving. As one commentator noted to The New York Times, these facts “would make a great exam question.”

This case raises a host of issues, including:

  • whether the former employee consented to the employer’s access to his personal e-mail because he did not log-off of his account or turn off his computer and he knew his former employer would have access to it;
  • whether employees have an expectation of privacy when they log-on to web based e-mail through company owned and controlled computers;
  • whether a terminated employee enjoys any expectation of privacy when using a former employer’s computer system;
  • the extent to which an employer may access information left by a terminated employee;
  • at what point attorneys have a duty to disclose attorney-client communications; and
  • how an employer’s electronic resources policies affect the expectation of privacy of employees and former employees. 

This case is also a reminder that electronic resources policies need careful consideration, including:

  • whether the policies should prohibit employees from using corporate resources to access personal e-mail accounts;
  • whether the policies should require employees to consent to their employer accessing their personal e-mail account if accessed using corporate resources; and
  • whether the policies should warn employees that their employer will access employees’ e-mail sent to a personal attorney over the corporate computer network.

There is no one right answer. Rather, employers need to consider their corporate culture, educate employees and be prepared to routinely enforce such policies in a uniform, non-discriminatory manner.
Tags: , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link