N.J. Supreme Court upholds privacy of personal e-mails accessed at work

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

  • A policy should be clear that employees have no expectation of privacy in their use of company computers.
  • A policy needs to explicitly not address the use of personal, web-based e-mail accounts accessed through company equipment.
  • A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Sources:

Workplace Computer Policy and the Attorney Client Privilege

email_icon

Back in April, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email (Stengart v. Loving Care [.pdf]) That case has now been overturned. It seems that a company’s policy on computer use may be more limited that I originally posted.

Factual Background:

The company provided Stengart with a laptop computer and a work email address. Prior to her resignation, plaintiff communicated with her attorneys, Budd Larner, P.C., by email about an anticipated suit against the company, and using the work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After Stengart filed suit, the company extracted a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, an attorney discovered numerous communications between Stengart and her attorney from the time period prior to her resignation from employment with Stengart.

I found it strange that the email from a web-based email account would be stored on the local computer. I am going to guess that it was attachments to the email that ended up stored on the computer in a temporary file and not the email itself.

Company Position:

According to the decision, the company’s policy may not have been clearly distributed and applied. There was some factual disputes about whether the company had ever adopted or distributed such a policy. There was a further dispute that even if the policy was put in place as to whether it applied to executives like Stengart.

Decision:

In the end the company’s position didn’t matter and the court assumed the policy was in place. Instead, the court took a harsh position:

A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest. See Western Dairymen Coop., 684 P.2d 647, 649 (Utah 1984). When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in State v. M.A., 402 N.J. Super. 353 (App. Div. 2008); Doe v. XYC Corp., 382 N.J. Super. 122, 126 (App. Div. 2005) — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.

Those were some broad statements, but the decision was ultimately limited to the attorney-client privilege.

There is no question — absent the impact of the company’s policy — that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company’s claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

It seems that New Jersey courts are now taking the position that a company cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy. The exception to this rule would be when the company needs to know the content of the e-mail to determine whether the employee broke the law or violated company policy.

References:

Compliance Policies and Email

email_icon

You should take a look at your computer use and email policies to see how they address three recent cases involving email in the workplace.

The first case involves unauthorized acces: (Van Alstyne v. Electronic Scriptorium, Inc.).  The president of the company had broken into an employee’s personal AOL email account. The employee had occasionally used that email account for business communications. To top off the bad behavior, the president of the company had propositioned the employee before firing her and then accessing that email account.

In the second case (Stengart v. Loving Care [.pdf]), Ms. Stengart resigned from Loving Care and sued the company. Before leaving she e-mailed her lawyer through her personal web-based account from her company-issued computer using the company’s internet access. Loving Care recovered temporary files stored on that computer which contained copies of Stengart’s attorney-client communications. Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation. She asked the trial court to decide whether the e-mail, sent during work hours on a company computer, was protected by the attorney-client privilege. The court held that it was not.

In the third case (Noonan v. Staples), Staples fired sales director Alan S. Noonan  for padding his expense report. Executive Vice President Jay Baitler sent an e-mail to approximately 1,500 employees explaining the reason for the firing. The e-mail contained no untruths, but Mr. Noonan sued for defamation anyhow. Unfortunately for Staples, truth is not a defense in Massachusetts if the challenged statement was communicated with actual malice.

Lessons? What should you have in your company’s computer policy?

First, tell employees that they should not use personal e-mail accounts for purposes of conducting company business.

Second, the company should have a policy that any message sent from a company computer is subject to disclosure and the employees should not have an expectation of privacy.

Third, employees should not access another employee’s files or email accounts, whether they are the company’s or personal.

Fourth, employees should not use email or company computers to send malicious messages.

Finally, make sure you can prove that each employee knows these rules.

See: