Employers Should Act Promptly in Response to NJ High Court's Recognition of Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers

Posted on April 1, 2010 by Privacy and Data Protection Practice Group

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

Although Stengart is binding only on employers doing business in New Jersey, the court’s ruling and analysis, apparently the first from any state supreme court, likely will influence other courts addressing similar circumstances. Consequently, it is critical that employers located anywhere in the United States understand the limits of the New Jersey Supreme Court’s decision:

  • The case does not change the commonly accepted principle that employers can use a well-crafted policy to reduce employee’s privacy expectations in communications stored on, or transmitted through, corporate electronic resources;
  • The court did not establish that employees have a right, as a matter of public policy, to use corporate electronic resources to communicate with a personal attorney;
  • The court itself acknowledged that employers can discipline employees for violating an electronic resources policy even if the violation is constituted by the employee’s communication with a personal attorney, albeit New Jersey employers cannot properly read the content of employee-attorney communications on which the discipline is based., It remains unclear if the decision means that other types of communications normally subject to privilege, such as with a doctor, clergy member or spouse, are also protected;
  • The court repeatedly emphasized the attorney-client nature of the communication and did not suggest that its finding of Stengart’s reasonable expectation of privacy would have been the same had Stengart been exchanging e-mail with a non-lawyer;
  • While the court found that Stengart had a reasonable expectation of privacy in her e-mail, it did not suggest that Stengart had a viable claim against Loving Care for invasion of privacy, which would require a showing that the employer’s review of the e-mail would be highly offensive to a reasonable person.

In short, the decision does not create a dystopia for employers in which employees can engage in unrestrained personal, e-mail use of corporate electronic resources, through either a corporate or personal e-mail account. The decision, nonetheless, should be a call to action for employers to revise or supplement their existing electronic resources policies as follow:

  • Inform all employees that the policy applies to every employee;
  • Warn employees that the company will monitor the use of employees’ electronic resources;
  • Notify employees that duplicates of e-mail transmitted through a personal, web-based e-mail account using company equipment could be stored on that equipment;
  • Explain that the company may, in its discretion, review all communications stored on, or transmitted by, company equipment regardless whether a personal account is used, subject to state laws regarding attorney-client communications
  • Prohibit employees from using any company resources (including the telephone) to communicate with a personal attorney except with the company’s prior approval;
  • Warn employees that they can be disciplined for violating the policy, including the prohibition on communications with a personal attorney using corporate electronic resources.

Significantly, employers should ensure that all employees receive, review and acknowledge receipt of the new/amended electronic resources policy. In addition, employers should establish guidelines for handling potentially privileged communications discovered on the employer’s information systems. First, IT and HR professionals should be trained in the indicators of potentially privileged communication, told not to review such communications except to the extent necessary to determine whether they might be privileged, and to promptly inform in-house or outside counsel about the discovery. Second, counsel should not review such communications except as minimally necessary to determine whether they might be privileged and, if so, follow applicable ethical rules for addressing waiver of privilege arising from the inadvertent disclosure of an attorney-client communication. Third, if the employer has implemented the policies described above, it should fully document the extent of the violation of company policy and determine whether and to what extent the employee should be disciplined.

Employers clearly have an overriding interest in preventing employees from using corporate electronic resources to plan potentially devastating litigation against the employer. Stengart does not bar employers form doing so.

For further analysis of this development, see Littler's ASAP New Jersey Supreme Court Rules that E-Mails Exchanged Between Employee and Her Attorney Using Company's Computer Remain Privileged.

This entry was co-authored by Philip L. Gordon and Christopher M. Leh.
Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

N.J. Supreme Court Seals the Door to Internet Service Providers' Voluntary Disclosure of Information About "Cybersmearing" Employees

Posted on April 22, 2008 by Philip Gordon

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.
 

The New Jersey Supreme Court ruled that Reid had a reasonable expectation of privacy in the subscriber information that Comcast turned over to the local police. The Court reasoned that Internet use is integral to daily life and reveals substantial information about an individual’s private life, making ISP subscriber information similar to telephone billing records and bank records. Because New Jersey’s Constitution recognizes a reasonable expectation of privacy in both of those categories of records, ISP subscriber information also should be constitutionally protected. Given this constitutional protection, ISP subscriber information may be produced to law enforcement only in response to a grand jury subpoena. The Court, therefore, affirmed the suppression of Reid’s ISP subscriber information because Comcast had produced it in response to a municipal subpoena.

Jersey Diesel’s situation has become all too common for employers. Employees and former employees, hiding behind the anonymity offered by the Internet, are damaging their employers by posting defamatory or confidential information on the Internet or by engaging in more injurious conduct, such as that alleged against Reid. Like Jersey Diesel, employers typically receive a frosty reception when trying to obtain subscriber information from ISPs. After the Reid decision, ISPs almost surely will refuse to voluntarily disclose any information about New Jersey subscribers out of fear of being sued for invasion of privacy. Although the New Jersey Supreme Court’s decision applies only in New Jersey, employers can expect the decision to have a broader impact.

Notably, the New Jersey Supreme Court expressly refused to address the standard for issuing a civil subpoena that requires an ISP to disclose subscriber information. However, both New Jersey’s intermediate appellate court and California’s Court of Appeal have ruled that an employer has to satisfy a heightened burden before such a subpoena can be issued. The Reid decision most likely will be used in other jurisdictions to lend further support for this heightened standard.
 
Tags: , , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link