Employers Should Act Promptly in Response to NJ High Court's Recognition of Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers

Posted on April 1, 2010 by Privacy and Data Protection Practice Group

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

Although Stengart is binding only on employers doing business in New Jersey, the court’s ruling and analysis, apparently the first from any state supreme court, likely will influence other courts addressing similar circumstances. Consequently, it is critical that employers located anywhere in the United States understand the limits of the New Jersey Supreme Court’s decision:

  • The case does not change the commonly accepted principle that employers can use a well-crafted policy to reduce employee’s privacy expectations in communications stored on, or transmitted through, corporate electronic resources;
  • The court did not establish that employees have a right, as a matter of public policy, to use corporate electronic resources to communicate with a personal attorney;
  • The court itself acknowledged that employers can discipline employees for violating an electronic resources policy even if the violation is constituted by the employee’s communication with a personal attorney, albeit New Jersey employers cannot properly read the content of employee-attorney communications on which the discipline is based., It remains unclear if the decision means that other types of communications normally subject to privilege, such as with a doctor, clergy member or spouse, are also protected;
  • The court repeatedly emphasized the attorney-client nature of the communication and did not suggest that its finding of Stengart’s reasonable expectation of privacy would have been the same had Stengart been exchanging e-mail with a non-lawyer;
  • While the court found that Stengart had a reasonable expectation of privacy in her e-mail, it did not suggest that Stengart had a viable claim against Loving Care for invasion of privacy, which would require a showing that the employer’s review of the e-mail would be highly offensive to a reasonable person.

In short, the decision does not create a dystopia for employers in which employees can engage in unrestrained personal, e-mail use of corporate electronic resources, through either a corporate or personal e-mail account. The decision, nonetheless, should be a call to action for employers to revise or supplement their existing electronic resources policies as follow:

  • Inform all employees that the policy applies to every employee;
  • Warn employees that the company will monitor the use of employees’ electronic resources;
  • Notify employees that duplicates of e-mail transmitted through a personal, web-based e-mail account using company equipment could be stored on that equipment;
  • Explain that the company may, in its discretion, review all communications stored on, or transmitted by, company equipment regardless whether a personal account is used, subject to state laws regarding attorney-client communications
  • Prohibit employees from using any company resources (including the telephone) to communicate with a personal attorney except with the company’s prior approval;
  • Warn employees that they can be disciplined for violating the policy, including the prohibition on communications with a personal attorney using corporate electronic resources.

Significantly, employers should ensure that all employees receive, review and acknowledge receipt of the new/amended electronic resources policy. In addition, employers should establish guidelines for handling potentially privileged communications discovered on the employer’s information systems. First, IT and HR professionals should be trained in the indicators of potentially privileged communication, told not to review such communications except to the extent necessary to determine whether they might be privileged, and to promptly inform in-house or outside counsel about the discovery. Second, counsel should not review such communications except as minimally necessary to determine whether they might be privileged and, if so, follow applicable ethical rules for addressing waiver of privilege arising from the inadvertent disclosure of an attorney-client communication. Third, if the employer has implemented the policies described above, it should fully document the extent of the violation of company policy and determine whether and to what extent the employee should be disciplined.

Employers clearly have an overriding interest in preventing employees from using corporate electronic resources to plan potentially devastating litigation against the employer. Stengart does not bar employers form doing so.

For further analysis of this development, see Littler's ASAP New Jersey Supreme Court Rules that E-Mails Exchanged Between Employee and Her Attorney Using Company's Computer Remain Privileged.

This entry was co-authored by Philip L. Gordon and Christopher M. Leh.
Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Posted on December 14, 2009 by Privacy and Data Protection Practice Group

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer
Tags: , , , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

New Jersey Appeals Court Broadly Construes Employee's "Right To Privacy" Using Company Computers

Posted on June 30, 2009 by Privacy and Data Protection Practice Group

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:

  • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
  • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
  • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
  • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
 

Tags: , , , , ,
  • Print
  • Trackbacks
  • Share Link

Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts

Posted on April 22, 2009 by Philip L. Gordon and Justin A. Morello

In a cautionary tale for all employers, the United States Court of Appeals for the Fourth Circuit recently held that an employer who accessed a former employee's personal e-mail account could be held liable for punitive damages and attorneys' fees under the federal Stored Communications Act, even without the employee proving any actual damages. Continue reading Littler ASAP, Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts, by Philip L. Gordon and Justin A. Morello.

Tags: , , ,
  • Print
  • Trackbacks
  • Share Link

A Case to Watch re Workplace Monitoring: Sidell v. Structured Settlement Investments

Posted on July 7, 2008 by Justin A. Morello

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log-off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.

Soon after his termination, the office manager demanded arbitration under his employment contract. During discovery, it became apparent that following the office manager’s termination, the company had been monitoring the manager’s personal Yahoo! email account. The office manager then filed a separate lawsuit against the company, claiming violations of the Federal Wiretap Act, the Stored Communications Act, state statutes and for invasion of privacy. The case is currently pending.

The Federal Wiretap Act claim most likely will fail because claims under that statute can proceed only if the content of e-mail is acquired in the transmission process. The office manager’s other claims have a chance of surviving. As one commentator noted to The New York Times, these facts “would make a great exam question.”

This case raises a host of issues, including:

  • whether the former employee consented to the employer’s access to his personal e-mail because he did not log-off of his account or turn off his computer and he knew his former employer would have access to it;
  • whether employees have an expectation of privacy when they log-on to web based e-mail through company owned and controlled computers;
  • whether a terminated employee enjoys any expectation of privacy when using a former employer’s computer system;
  • the extent to which an employer may access information left by a terminated employee;
  • at what point attorneys have a duty to disclose attorney-client communications; and
  • how an employer’s electronic resources policies affect the expectation of privacy of employees and former employees. 

This case is also a reminder that electronic resources policies need careful consideration, including:

  • whether the policies should prohibit employees from using corporate resources to access personal e-mail accounts;
  • whether the policies should require employees to consent to their employer accessing their personal e-mail account if accessed using corporate resources; and
  • whether the policies should warn employees that their employer will access employees’ e-mail sent to a personal attorney over the corporate computer network.

There is no one right answer. Rather, employers need to consider their corporate culture, educate employees and be prepared to routinely enforce such policies in a uniform, non-discriminatory manner.
Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link