Employers Should Address Changing Law On Employee Privacy
Subscribe(Text for those without flash or javascript) Fulcrum's professionals are experienced CPAs, MBAs, ASAs, CFAs, affiliated professors and industry specialists Our expertise encompasses damages analysis, lost profit studies, business and intangible asset valuations, appraisals, fraud investigations, statistics, forensic economic analysis, royalty audits, strategic and market assessments, computer forensics, electronic discovery and analysis of computer data.
Firm Overview Employers Should Address Changing Law On Employee Privacy
April 2010
Library Sections:
- Expert Testimony
- Damages Analysis
- Investigations and Forensic Accounting
- Computer Forensics / Electronic Discovery
- Sarbanes-Oxley and Nonprofit Whistleblower Solutions
- Valuations and Appraisals
- Financial Reporting
- Tax Advice and News
- Other Current Events and Economic Commentary
- Interactive Tools and Personal Financial Advice
In re: Stengart v. Loving Care Agency, Inc., No. A-16-09 (N.J. Mar. 30, 2010), the New Jersey Supreme Court ruled in one of the first decisions on workplace computer privacy to reach the State Supreme Court level.
Loving Care Agency is a provider of home-care nursing and health services. Marina Stengart was an early employee of the firm and manager of one of their offices. Stengart filed suit alleging a hostile work environment and discrimination based on gender, religion, and national origin. Before leaving the firm, she had several e-mail communications with her attorney. She used a private Yahoo e-mail account and not the company’s e-mail system, but sent and received these emails on a company-provided computer.
After Stengart left Loving Care’s employ, the company had a computer forensics expert make an image of the hard disk on Stengart’s computer. The Yahoo e-mails between Stengart and her attorneys were found in the temporary internet files, and Loving Care used those e-mails to prepare their defense. Stengart claimed (i) this was a violation of attorney-client privilege, (ii) the e-mails needed to be excluded and (iii) Loving Care’s attorneys should be removed from the case for having viewed the privileged communications.
The trial court sided with Loving Care, citing the company’s written policies (which Stengart had a role in drafting). As is typical in such policies, Loving Care employees were clearly told that e-mails "are not to be considered private or personal to any individual employee" and that the company had the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time." Thus the trial court concluded that Stengart had no expectation of privacy on these communications.
The Appellate Court disagreed with the trial court. The New Jersey Supreme Court concurred with the Appellate ruling and expanded on the rationale. The essence of the NJ Supreme Court’s ruling is that the right of attorney-client privilege is too important to be waived or lost easily. The NJ Supreme Court ruled that Stengart had taken reasonable actions to assert and protect her right to attorney-client privilege by (i) using a separate web-based e-mail system, (ii) not saving the passwords on the computer, and (iii) having her attorney include a warning/disclaimer at the footing of each of the e-mails. Specifically:
“Stengart plainly took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer. In other words, she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit.”
While generally supporting the idea of written data privacy policies, the Court found that Loving Care’s policy was overly broad and vague, and did not give employees adequate guidance to employees regarding how pervasive the company’s reach could be. Specifically:
“The Policy uses general language to refer to its "media systems and services" but does not define those terms. Elsewhere, the Policy prohibits certain uses of "the e-mail system," which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.
The Policy goes on to declare that e-mails "are not to be considered private or personal to any individual employee." In the very next point, the Policy acknowledges that "[o]ccasional personal use [of e-mail] is permitted." As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.”
However, the Court indicated that the decision would really not have been altered even with a better policy. According to the ruling:
“Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. … But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system -- would not be enforceable.”
U.S. Supreme Court to Rule on Similar Issue
Earlier this week, the U.S. Supreme Court heard oral argument in another case involving employee privacy with employer-provided technology. Because of deference other courts give to any decision of the U.S. Supreme Court, the decision will likely have significance in civil discovery generally, even though the case is not set in a civil litigation context.
City of Ontario, California. vs. Quon, No. 08-1332, involves the City’s written policy warning employees to not expect privacy in their communications on city-owned computers and associated equipment. The policy, which was signed by Quon (a police SWAT officer), allowed limited "light" personal use, but reserved the City’s right to monitor and log all network activity. While on duty, Quon used his department-issued equipment to exchange hundreds of personal messages. The personal messages represented the vast majority of the total usage, and included many sexually explicit messages with his wife, his girlfriend, and a fellow SWAT sergeant. Quon was cited for violating the city's policy on use of the equipment.
Quon’s immediate supervisor condoned the personal use of the City’s equipment so long as Quon reimbursed the City for the usage that exceeded what was expected. Quon made the requested reimbursements. Because of this reimbursement and related tacit approval, the City’s actual policy became confused. The City stated that this supervisor did not have the authority to override the City’s policy, but Quon naturally countered that he had the right to rely on his supervisor’s statements.
Quon, his wife, the girlfriend, and his colleague sued over the City’s review of and reprimand for the personal usage. They alleged their Fourth Amendment rights were violated. The U.S. district court in the Central District of California found that Quon and his co-plaintiffs had a reasonable expectation of privacy under a test announced by the Supreme Court in its 1987 decision, O'Connor v. Ortega, 480 U.S. 709 (1987). Under that test, a government employee's expectation of privacy must be one "that society is prepared to consider reasonable" under the "operational realities of the workplace". Applying that standard, the District Court said Quon's expectation was reasonable. The Court then submitted to a jury the question of whether the city's review of the messages was reasonable under the circumstances. The jury said yes, because the purpose was to address cost and usage issues, and not to discover misconduct.
Quon appealed the jury verdict on the reasonableness of the search. The Ninth U.S. Circuit Court of Appeals reversed this finding, ruling that (i) the scope of the search was unreasonable and excessively intrusive, and (ii) Quon and the co-plaintiffs all had a reasonable expectation of privacy in their messages.
Many commentators suggest that the U.S. Supreme Court intends to overturn the Ninth Circuit. Our suggestions below apply regardless of how the U.S. Supreme Court rules.
Practical Implications of the Loving Care Case
- Just because it may be privileged does not mean that a former employee and his legal counsel want to take the chance that their communications could be read. As a provider of computer forensic services, we certainly were not surprised that Loving Care’s expert was able to discover complete copies of the e-mails, despite the fact that the emails were sent from a web-based e-mail account. Legal counsel should instruct their employee-clients to not use their employer’s computers and systems to send, receive or read communications for which confidentiality is desired.
- Company-use policies should be updated to eliminate the concerns expressed by the Loving Care Court, thereby ensuring that the use policy provides protection in other contexts. Although a better policy would not have changed the overall result regarding confidential attorney communications in Stengart vs. Loving Care, employers should address the Court’s observations explaining why the policy was perceived to be vague.
- The Quon case arises in large part because the City’s actual implementation of their use policy was circumvented by Quon’s supervisor. Mixing of personal and business use of emails using company-owned technology is becoming a reality in many situations. Employers should review their policies to ensure that they reflect the realities of the workplace, and then enforce such policies consistently.
- Once a suitable policy is in place and being consistently enforced, employers can and should use computer forensics to address issues with potentially-problematic employees. The restriction from the Loving Care ruling is limited, leaving a wealth of other allowable and useful information on the disk. See “Computer Forensics Deserve a Place in Your Human Resource Toolkit” for recommendations and an explanation regarding use of computer forensics in every situation involving the departure of a challenging employee. However, when one finds a potentially-privileged communication, opposing counsel should be notified, and court instruction sought as to the disposition of the communication that resides on the employer’s systems.
However the ruling provides an additional rationale for having the examination performed by an outside expert. There is no way to pre-filter the forensic computer examination to exclude attorney-client communications, but leave all others. In most cases, the examiner learns that a particular message is an attorney-client communication as the message is read. Putting aside the obvious technical skills that an outside expert brings , the outside expert also acts as a filter to prevent the possibility that the company’s legal counsel could be disqualified from the representation for having seen what a court later determines is a privileged communication.
The need for the computer forensic examiner to act as a privacy gatekeeper is not a new thing. Law-enforcement computer forensics experts are well aware of the situations of finding data on hard disks that, while of interest, are beyond the scope of the search order and must be ignored. In effect, the NJ Supreme Court is saying that there is an implied search order for all private-sector disk examinations. Future case law will probably expand such restrictions; for example, employee e-mails pertaining to their medical conditions or personal finances might also be considered off limits for the same reason as the Stengart case applies to attorney communications. For more information about the use of neutral computer examiners, see “Special Masters and Court-Appointed Experts Save Electronic Discovery Costs”.
Fulcrum Inquiry performs computer forensics, and forensic accounting investigations.