Supreme Court of Canada Concludes that Employees May Have a Reasonable Expectation of Privacy in Relation to Their Work-Issued Computers

The Supreme Court of Canada released its eagerly awaited decision in R. v. Cole, 2012 SCC 53, on October 19, 2012. In the decision, the Court held that employees may have a reasonable, though diminished, expectation of privacy in personal information stored on their work computers - at least where the personal use of such devices is permitted or reasonably expected by employers. This reasonable expectation of privacy is protected by the Canadian Charter of Rights and Freedoms. To learn more about the decision, please continue reading at our collaborative blog, Global Employment Law.


After Starbucks Laptop Is Stolen, Alleged Victims of Identity Theft Win Pyrrhic Victory

In a recent published decision, the Ninth Circuit Court of Appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks employees, contained on a company laptop computer, was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.

In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and Social Security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:

  • One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
  • The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
  • The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.

In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).

Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.

In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.

Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.

This entry was written by Christopher M. Leh and Philip L. Gordon.

Employers Should Act Promptly in Response to NJ High Court's Recognition of Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, the court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . . . would not be enforceable.” In other words, New Jersey employers cannot properly read their employees’ e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

Although Stengart is binding only on employers doing business in New Jersey, the court’s ruling and analysis, apparently the first from any state supreme court, likely will influence other courts addressing similar circumstances. Consequently, it is critical that employers located anywhere in the United States understand the limits of the New Jersey Supreme Court’s decision:

  • The case does not change the commonly accepted principle that employers can use a well-crafted policy to reduce employee’s privacy expectations in communications stored on, or transmitted through, corporate electronic resources;
  • The court did not establish that employees have a right, as a matter of public policy, to use corporate electronic resources to communicate with a personal attorney;
  • The court itself acknowledged that employers can discipline employees for violating an electronic resources policy even if the violation consists of the employee’s communication with a personal attorney, although New Jersey employers cannot properly read the content of the employee-attorney communications on which the discipline is based. It remains unclear whether the decision means that other types of communications normally subject to privilege, such as those with a doctor, clergy member or spouse, are also protected;
  • The court repeatedly emphasized the attorney-client nature of the communication and did not suggest that its finding of Stengart’s reasonable expectation of privacy would have been the same had Stengart been exchanging e-mail with a non-lawyer;
  • While the court found that Stengart had a reasonable expectation of privacy in her e-mail, it did not suggest that Stengart had a viable claim against Loving Care for invasion of privacy, which would require a showing that the employer’s review of the e-mail would be highly offensive to a reasonable person.

In short, the decision does not create a dystopia for employers in which employees can engage in unrestrained personal e-mail use of corporate electronic resources, through either a corporate or a personal e-mail account. The decision, nonetheless, should be a call to action for employers to revise or supplement their existing electronic resources policies as follows:

  • Inform all employees that the policy applies to every employee;
  • Warn employees that the company will monitor the use of employees’ electronic resources;
  • Notify employees that duplicates of e-mail transmitted through a personal, web-based e-mail account using company equipment could be stored on that equipment;
  • Explain that the company may, in its discretion, review all communications stored on, or transmitted by, company equipment regardless of whether a personal account is used, subject to state laws regarding attorney-client communications;
  • Prohibit employees from using any company resources (including the telephone) to communicate with a personal attorney except with the company’s prior approval;
  • Warn employees that they can be disciplined for violating the policy, including the prohibition on communications with a personal attorney using corporate electronic resources.

Significantly, employers should ensure that all employees receive, review and acknowledge receipt of the new/amended electronic resources policy. In addition, employers should establish guidelines for handling potentially privileged communications discovered on the employer’s information systems. First, IT and HR professionals should be trained in the indicators of potentially privileged communication, told not to review such communications except to the extent necessary to determine whether they might be privileged, and to promptly inform in-house or outside counsel about the discovery. Second, counsel should not review such communications except as minimally necessary to determine whether they might be privileged and, if so, follow applicable ethical rules for addressing waiver of privilege arising from the inadvertent disclosure of an attorney-client communication. Third, if the employer has implemented the policies described above, it should fully document the extent of the violation of company policy and determine whether and to what extent the employee should be disciplined.
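The handling guidelines above (flag potentially privileged items, review no more than needed to decide whether they might be privileged, route them to counsel, and document the extent of the policy violation) can be applied mechanically before any person reads a recovered message. The following is an added example written for this page, not a procedure from the blog post, the court or any firm. The counsel and webmail domain lists, the indicator phrases and the sample artifacts are constructed assumptions; the design choice it illustrates is that a header match settles the question without the body ever being read, and that the report carries only a hash and indicator names, never message text.

```python
"""Triage of communications recovered from company equipment: flag likely
privileged items mechanically, route them to counsel, and record only what is
needed to document the policy violation. Added example, not the post's own
procedure; domain lists, phrases and sample artifacts are constructed."""
import hashlib
import re
from dataclasses import dataclass

KNOWN_COUNSEL_DOMAINS = {"example-lawfirm.com"}                  # assumed: outside counsel seen before
PERSONAL_WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}
BODY_INDICATORS = {   # consulted only when the headers alone do not settle the question
    "attorney_client_notice": re.compile(
        r"attorney[- ]client|privileged (?:and|&) confidential|attorney work product", re.I),
    "counsel_signature": re.compile(r"\b(?:Esq\.|Attorney at Law|Law Offices? of)", re.I),
}


@dataclass(frozen=True)
class Artifact:
    path: str           # location of the item in the forensic image
    sender: str
    recipients: tuple
    body: str


@dataclass(frozen=True)
class TriageRecord:
    path: str
    sha256: str         # identifies the item for counsel without copying its content
    personal_account: bool
    indicators: tuple
    disposition: str    # "route_to_counsel" or "cleared_for_review"


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(item: Artifact) -> TriageRecord:
    participants = (item.sender, *item.recipients)
    domains = {_domain(a) for a in participants}
    indicators = []
    if domains & KNOWN_COUNSEL_DOMAINS:
        indicators.append("counsel_domain")     # header match: the body is never read
    else:
        for name, pattern in BODY_INDICATORS.items():
            if pattern.search(item.body):
                indicators.append(name)         # record the indicator name, not the text
    return TriageRecord(
        path=item.path,
        sha256=hashlib.sha256(item.body.encode("utf-8")).hexdigest(),
        personal_account=bool(domains & PERSONAL_WEBMAIL_DOMAINS),
        indicators=tuple(indicators),
        disposition="route_to_counsel" if indicators else "cleared_for_review",
    )


def summarize(records):
    """Counts that document the extent of the policy violation without exposing content."""
    return {
        "total": len(records),
        "personal_account": sum(r.personal_account for r in records),
        "routed_to_counsel": sum(r.disposition == "route_to_counsel" for r in records),
    }


# Constructed sample artifacts standing in for items recovered from a laptop image.
SAMPLE_ARTIFACTS = (
    Artifact("cache/webmail/0001.html", "employee@yahoo.com", ("partner@example-lawfirm.com",),
             "Here is the timeline we discussed."),
    Artifact("cache/webmail/0002.html", "employee@yahoo.com", ("friend@gmail.com",),
             "Dinner on Friday?"),
    Artifact("mail/inbox/0003.eml", "counsel@other-firm.example", ("employee@example-corp.com",),
             "Draft attached. This message is privileged and confidential."),
    Artifact("mail/inbox/0004.eml", "manager@example-corp.com", ("employee@example-corp.com",),
             "Reminder: timesheets are due Monday."),
)


def run_triage(items=SAMPLE_ARTIFACTS):
    return [triage(i) for i in items]


if __name__ == "__main__":
    records = run_triage()
    for r in records:
        print(f"{r.disposition:18s} personal={str(r.personal_account):5s} "
              f"{r.path} {r.sha256[:12]} {r.indicators}")
    print(summarize(records))
```

Two of the four constructed items are routed to counsel, and the summary reports how many items involved a personal account, which is the fact the guidelines say should be documented for discipline purposes. Anyone extending the indicator list should add phrases that appear in real confidentiality notices rather than broad words such as "confidential", which would pull ordinary business mail into the counsel queue.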

Employers clearly have an overriding interest in preventing employees from using corporate electronic resources to plan potentially devastating litigation against the employer. Stengart does not bar employers from doing so.

For further analysis of this development, see Littler's ASAP New Jersey Supreme Court Rules that E-Mails Exchanged Between Employee and Her Attorney Using Company's Computer Remain Privileged.

This entry was co-authored by Philip L. Gordon and Christopher M. Leh.

New Jersey Appeals Court Broadly Construes Employee's "Right To Privacy" Using Company Computers

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart had ever received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcomings in the following ways:

  • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
  • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owned device;
  • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
  • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except as applied to communications between an employee and her attorney), is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employers improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.

New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts, making them the only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as the e-mail does not pass over the public Internet (which usually is the case). However, e-mail containing Personal Information that is sent to third parties, and therefore does pass over the public Internet, will need to be encrypted.
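The transmission rule turns on two questions that a mail gateway can answer before a message leaves: does the content combine a name with one of the listed identifiers, and is any recipient outside the secure network? The following gate is an added example written for this page, not code from the blog post or from any vendor, and it is not legal advice about what the statute requires. The internal domain list, the identifier patterns, the name heuristic and the sample messages are constructed assumptions; card and account numbers are counted only when a security code accompanies them, mirroring the definition quoted above, and the SSN and Luhn checks keep random digit runs from triggering encryption.

```python
"""Outbound-mail encryption gate modelled on the Nevada transmission rule
described above. Added example, not code from the post or the statute; the
domain list, patterns and sample messages are constructed assumptions."""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-corp.com"}              # assumed corporate mail domains

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digits, spaces or dashes allowed
SECURITY_CODE_RE = re.compile(r"\b(?:cvv2?|cvc|csc|security code|pin)\b[:\s]*\d{3,4}\b", re.I)
DL_RE = re.compile(r"\bdriver'?s?\s+licen[cs]e\s*(?:no\.?|number|#)?[:\s]*[A-Z0-9]{6,12}\b", re.I)
EMP_ID_RE = re.compile(r"\b(?:employee|emp\.?)\s*(?:id|number|no\.?|#)[:\s]*[A-Z0-9]{4,12}\b", re.I)
# Crude "First Last" / "J. Last" heuristic; over-matching only makes the gate more conservative.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return 1 <= a <= 899 and a != 666 and int(group) != 0 and int(serial) != 0


def find_identifiers(text: str) -> frozenset:
    """Return the kinds of listed identifiers present in the text."""
    found = set()
    if any(is_plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if SECURITY_CODE_RE.search(text):            # card/account numbers count only with their code
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.add("card_number_with_security_code")
                break
    if DL_RE.search(text):
        found.add("driver_license")
    if EMP_ID_RE.search(text):
        found.add("employee_id")
    return frozenset(found)


@dataclass(frozen=True)
class Decision:
    encrypt: bool
    identifiers: frozenset
    external_recipients: tuple
    reason: str


def decide(recipients, body: str) -> Decision:
    ids = find_identifiers(body)
    external = tuple(r for r in recipients
                     if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)
    is_pi = bool(ids) and bool(NAME_RE.search(body))
    if not is_pi:
        return Decision(False, ids, external, "no name-plus-identifier combination found")
    if not external:
        return Decision(False, ids, external, "Personal Information stays on the internal network")
    return Decision(True, ids, external, "Personal Information addressed outside the secure network")


# Constructed sample messages.
ENROLLMENT_BODY = ("Please enroll Jane Doe in the 401(k) plan. SSN 123-45-6789, "
                   "employee ID: 44710. Thanks, HR")
CARD_BODY = "Reimburse John Smith to his card 4111 1111 1111 1111, CVV 123."
NEWSLETTER_BODY = "Team, the Q3 newsletter is attached. Regards, Jane Doe"
BAD_SSN_BODY = "Jane Doe, SSN 666-45-6789 (test record)"


def run_samples():
    return {
        "vendor_enrollment": decide(["benefits@vendor-example.net"], ENROLLMENT_BODY),
        "internal_enrollment": decide(["payroll@example-corp.com"], ENROLLMENT_BODY),
        "vendor_card": decide(["ap@vendor-example.net"], CARD_BODY),
        "vendor_newsletter": decide(["press@vendor-example.net"], NEWSLETTER_BODY),
        "vendor_bad_ssn": decide(["benefits@vendor-example.net"], BAD_SSN_BODY),
    }


if __name__ == "__main__":
    for label, d in run_samples().items():
        print(f"{label:20s} encrypt={str(d.encrypt):5s} ids={sorted(d.identifiers)} ({d.reason})")
```

The "secure network" exception is modelled here as "every recipient is on a corporate domain". That assumption should be verified rather than taken on faith: where mail is hosted by a third party, even intracorporate messages may traverse the public Internet, and the safer control is to enforce transport encryption on every hop regardless of the classifier's verdict.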

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers that fail to comply with the law will be easy to identify. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, portable digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

Massachusetts Extends Deadline for Compliance with Data Security Breach Regulations

On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.

OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.


The new deadlines apply to three different sections of the regulations and are set forth below:

Written Information Security Program: The general deadline to comply with the regulations is now May 1, 2009. This means that by May 1, businesses must have developed and implemented what the regulations refer to as “a comprehensive, written information security program” to safeguard all personal information kept in paper and electronic format.

Third-Party Service Providers: By May 1, 2009, companies must be able to demonstrate that they have taken steps to verify that third-party service providers with access to the personal information of their clients, customers or employees have the capacity to protect such information. In addition, on or before January 1, 2010, businesses must obtain written certifications that such third-party service providers have established written, comprehensive information security programs designed to protect personal information.

Encryption: Businesses are now required to encrypt all personal information stored on laptops by May 1, 2009, and to ensure that all other portable devices (including PDAs, memory sticks, DVDs, etc.) are encrypted by January 1, 2010.

This entry was co-authored by Jennifer Bombard McGovern.


New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. embezzled more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few changes to the facts show why. Suppose M.A. had marked all of his personal files as “private” when saving them to the company’s document management system, and that it was well known within the company that system administrators respected the “private” designation. Suppose further that M.A. did not permit any other employees to log into his computer, did not share his username or password with any co-workers, and, when he left his private office, shut and locked his office door using a combination unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always permit unrestricted searches of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

Our HR Manager's Laptop Was Stolen; Should We Offer Credit Monitoring Service?

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and with the theft of laptop computers now the crime du jour. The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of goodwill seems to be the answer. According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100 per lost record. That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover, with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs and compare them to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report, from as little as 5% or less to as high as 30%.