Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.
Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.
On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:
(a) Braun’s business owned the computers;
(b) the computers were kept at Braun’s business;
(c) Braun told M.A. when he was hired that the business owned the computers;
(d) the desktop was connected to the corporate network;
(e) co-workers had access to both computers; and
(f) M.A.’s private office was never closed or locked.
The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.
A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.
The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.