Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:

• obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
• inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
• specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
• inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
 

• Email This
• Print
• Trackbacks
• Share Link

Nevada has joined Massachusetts as the only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as e-mails do not pass over the public Internet (which usually is the case). However, all e-mail to third parties, i.e., e-mails that do pass over the public Internet containing Personal Information, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers who fail to comply with the law will be easily discovered. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, portable digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

• Email This
• Print
• Trackbacks
• Share Link

On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.

OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.

• Email This
• Print
• Trackbacks
• Share Link

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

• Email This
• Print
• Trackbacks
• Share Link

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and the theft of laptop computers now the crime du jour.  The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer.  According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100/lost record.  That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report from as little as 5% or less to as high as 30%.
 

• Email This
• Print
• Trackbacks
• Share Link