New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes to the facts show why. Suppose that M.A. had marked all of his personal files as “private” when saving them to the company’s document management system; that it was well known within the company that system administrators respected the “private” designation; that M.A. did not permit any other employees to log into his computer and did not share his username or password with any co-workers; and that, when M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always allow an employer to search, with impunity, personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

N.J. Supreme Court Seals the Door to Internet Service Providers' Voluntary Disclosure of Information About "Cybersmearing" Employees

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.

The New Jersey Supreme Court ruled that Reid had a reasonable expectation of privacy in the subscriber information that Comcast turned over to the local police. The Court reasoned that Internet use is integral to daily life and reveals substantial information about an individual’s private life, making ISP subscriber information similar to telephone billing records and bank records. Because New Jersey’s Constitution recognizes a reasonable expectation of privacy in both of those categories of records, ISP subscriber information also should be constitutionally protected. Given this constitutional protection, ISP subscriber information may be produced to law enforcement only in response to a grand jury subpoena. The Court, therefore, affirmed the suppression of Reid’s ISP subscriber information because Comcast had produced it in response to a municipal subpoena.

Jersey Diesel’s situation has become all too common for employers. Employees and former employees, hiding behind the anonymity offered by the Internet, are damaging their employers by posting defamatory or confidential information on the Internet or by engaging in more injurious conduct, such as that alleged against Reid. Like Jersey Diesel, employers typically receive a frosty reception when trying to obtain subscriber information from ISPs. After the Reid decision, ISPs almost surely will refuse to voluntarily disclose any information about New Jersey subscribers out of fear of being sued for invasion of privacy. Although the New Jersey Supreme Court’s decision applies only in New Jersey, employers can expect the decision to have a broader impact.

Notably, the New Jersey Supreme Court expressly refused to address the standard for issuing a civil subpoena that requires an ISP to disclose subscriber information. However, both New Jersey’s intermediate appellate court and California’s Court of Appeal have ruled that an employer has to satisfy a heightened burden before such a subpoena can be issued. The Reid decision most likely will be used in other jurisdictions to lend further support for this heightened standard.