Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Co-author: Joseph J. Lazzarotti

The New Jersey’s highest Court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communication with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010 upholding the June 2009 decision of the state Appellate Division. 

This case makes two important points for employers: 

1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system will not overcome an employee’s expectation of privacy and the privilege would remain. 

2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined. 

Loving Care's employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”

The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.

This decision, and others highlighted previously in this blog, present numerous issues for employers.  While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:

• Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
• Definitions of the specific technologies and devices to which the policies apply;
• Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
• No ambiguities about personal use. 

See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here. 

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

• Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
• Training of employees conducting any monitoring;
• Prompt investigation of computer usage and allegations of unlawful conduct; and
• Consultation with legal counsel regarding the duty to report to authorities. 

A New Jersey restaurant has been hit with a jury verdict in favor of two waiters who were fired after the restaurant’s managers accessed a private social networking site where the waiters were criticizing management.

As the social networking (e.g., MySpace and Facebook) “craze” continues to expand, employers must be more mindful of privacy concerns relating to content made available in these media by applicants and employees. Hiring and other job decisions often seem based on information obtained from employees’ or applicants’ social interactions on the Internet, at least to some degree. Generally, employment decisions are more supportable where there is a social networking policy that has been communicated to employees. 

In Brian Pietrylo, et al. v. Hillstone Restaurant Group d/b/a Houston’s, a federal court in New Jersey rejected the employer’s attempt to throw out the jury verdict that managers at a Houston's restaurant intentionally and without authorization accessed a private, invitation-only chat group on MySpace in violation of the federal Stored Communications Act (SCA). The SCA prohibits unauthorized access of stored communications such as e-mail and Internet accounts. The Court also upheld the jury’s award of compensatory and punitive damages against Hillstone. 

This case reminds employers to consider carefully any decision to monitor employees’ use of social networking sites.  Mistakes may be costly.