Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Co-author: Joseph J. Lazzarotti

The New Jersey’s highest Court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communication with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010 upholding the June 2009 decision of the state Appellate Division. 

This case makes two important points for employers: 

1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system will not overcome an employee’s expectation of privacy and the privilege would remain. 

2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined. 

Loving Care's employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”

The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.

This decision, and others highlighted previously in this blog, present numerous issues for employers.  While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:

• Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
• Definitions of the specific technologies and devices to which the policies apply;
• Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
• No ambiguities about personal use. 

See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.

Contributed by Lillian Chaves Moon

Based partially upon an interpretation of Florida law, in Global Policy Partners, LLC, et al. v. Yessin, 2009 U.S. Dist. LEXIS 112472 (Nov. 24, 2009), a Virginia district court has ruled that an LLC’s partner does not always have the authority to access a partner’s e-mails simply by virtue of his status in the company.

Katherine and Brent Yessin, husband and wife and business partners, were feuding as part of a messy divorce and business dissolution. Mrs. Yessin, on behalf of herself and the Florida business, brought suit against Mr. Yessin for his alleged illegal access of her personal e-mails, including those containing attorney-client communications in her divorce case, stored on the company’s server in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030(a), and other federal and state statutes. In a motion to dismiss his wife’s complaint, Mr. Yessin argued that under Florida law, as a manager/partner in his business, he had the authority to access all e-mails stored on the business’s computer server regardless of his reason for doing so. The court disagreed.

The court found that even assuming Florida law authorized managers to access e-mail information stored on a company’s computer system, authorization is limited to carrying out the company’s business. Likewise, under the CFAA, authorization to access a computer system may not simply be based on a person’s status within the organization, but whether the person is accessing information in accordance with the “expected norms or intended use” of the computer network. Because the scope of Mr. Yessin’s authority to access his wife’s e-mails depended upon a detailed factual inquiry into his purposes for doing so, Mr. Yessin’s motion to dismiss the CFAA counts of the complaint was denied and Mrs. Yessin was allowed to proceed in her action.

Caution for employers: This decision has implications for employers in how and why managers may access employee e-mails. While an employer generally has the right to review stored e-mails on the employer’s system, regardless of whether the e-mails are an employee’s personal or business communications, the employer or employer’s agent must have a legitimate business purpose for such review, not a nefarious reason. Note, however, that, some courts have limited an employer’s ability to review an employee’s e-mails in other situations, such as when the e-mail is subject to the attorney-client privilege. Employers’ policies and procedures for accessing employee e-mails should be periodically reviewed and revised, where necessary, to ensure that the individuals who access lawfully stored e-mails not only have the appropriate status within the company, but also are doing so for legitimate business purposes.