Lessons for Employers in a Social Media World

Recently, in Stengart v. Loving Care Agency, the New Jersey Supreme Court held that an employee had a reasonable expectation of privacy in her Internet-based emails to her lawyer, despite the fact that she sent such emails from a company-owned laptop and was on notice of the employer’s written policy that emails may not be considered “private or personal.” The opinion is significant not only in recognizing a privacy interest for employees’ communications to their attorneys using company-owned-and-monitored networks, but also in providing important guidelines for employers drafting or updating their policies on use of email and the Internet. In addition, Stengart issues a warning to both in-house and outside counsel involved in the forensic review of employees’ computer-based data and communications.

Factual Background

While serving as the Executive Director of Nursing for Loving Care Agency, Inc. (“Loving Care” or the “Company”), Marina Stengart (“Stengart”) used a Company-owned laptop computer that was issued to her for Company business and, per Company policy, “occasional personal use.” In the months before she resigned, Stengart used this laptop to access her personal, password-protected Yahoo email account, through which she exchanged email with an attorney regarding a discrimination suit that she was planning to file against Loving Care. In doing so, Stengart never saved her Yahoo ID or password on the Company’s laptop, and believed that the Company had no access to the emails. Unbeknownst to her, however, software installed on the laptop automatically saved a copy of each web page Stengart viewed – including emails to and from her attorney – to the computer’s hard drive in a “cache” folder of temporary Internet files. When she resigned, Stengart returned the laptop to Loving Care with the “cache” folder intact.

Like many employers anticipating a lawsuit, Loving Care retained a computer expert to create a forensic image of the laptop’s hard drive, including all of Stengart’s emails and web-based activity stored in the “cache” folder. Once Stengart sued, this forensic image was given to Loving Care’s outside counsel, which identified and reviewed seven or eight web-based emails that Stengart had exchanged with her lawyers, each of which bore a legend stating that the email “may be a privileged and confidential attorney-client communication.”

When the Company later referred to the emails in its discovery responses, Stengart’s counsel demanded their immediate return. Loving Care’s attorneys refused, and Stengart asked the trial court to compel the return of the material and disqualify defense counsel for having reviewed her attorney-client communications. In response, Loving Care argued that the Company’s written policy on electronic communications had placed Stengart on notice that she had no reasonable expectation of privacy in files on a Company-owned computer, such that she had waived the attorney-client privilege by using that computer to send the emails. In pertinent part, the Company policy stated:

The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at anytime, with or without notice.

. . . .

E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.

The principal purpose of electronic mail (e-mail) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.

The trial court refused to require Loving Care to return the emails and did not disqualify defense counsel, finding that the Company’s policy had notified Stengart that nothing was private, and that she had knowingly waived the attorney-client privilege by sending the emails through a Company-owned computer. Stengart appealed and the Appellate Division reversed, holding that she had not waived the attorney-client privilege. The appellate court also concluded that Loving Care’s counsel violated Rule 4.4(b) of the New Jersey Professional Rules of Conduct by reading and using the emails, and not promptly alerting Stengart’s counsel that defense counsel had them. Loving Care then appealed that decision to the New Jersey Supreme Court.

The Supreme Court’s Decision

The Supreme Court found that Stengart had a reasonable expectation that emails exchanged with her attorney on her personal, password-protected, web-based account would remain private, even though they were accessed through a Company laptop. The court further determined that Stengart’s use of company equipment to send the emails did not waive the attorney-client privilege. The court’s ruling relied both on the overarching importance of the attorney-client privilege and on what it viewed as failings in the employer’s written policy.

As the court held, an employee’s expectation of privacy starts with an examination of the language, meaning and scope of an employer’s workplace policies. Despite what appeared to be a fairly detailed announcement to employees, the court found that Loving Care’s email use policy was too “vague and ambiguous” in defining what it covered, and did not adequately apprise employees of the extent to which their communications would be monitored. For example, the Court noted that the policy’s use of general terms such as “media systems and services” failed to adequately alert employees that records of their personal, password-protected, web-based email accounts accessed through a company computer are routinely stored on its hard drive and subject to forensic monitoring and/or review. In addition, the Court pointed to an internal inconsistency within the policy: emails were “not to be considered private or personal,” yet employees were permitted “occasional personal use” of Company computers. This, the Court found, “created doubt about whether those emails are company or private property.”

In the court’s view, an employer’s electronic communication policy generally would not defeat an employee’s expectation of privacy unless it unambiguously disclosed the employer’s technical capabilities to monitor (i.e., automatic storage and retention of web-based personal email accounts or files); eliminated any doubt as to whether the emails are company or private property; and clearly announced the employer’s right and intent to monitor all communications through company equipment. Yet even that sort of policy would not have altered the result in Stengart. Drawing a line in the sand, the New Jersey Supreme Court held that while companies may adopt lawful policies relating to computer use to protect their “assets, reputation, and productivity,” and may even discipline an employee who spends an inordinate amount of the workday speaking with her lawyer, an employer has “no need or basis to read the specific contents” of privileged attorney-client communications (emphasis by the court). In short, the court found that given the important public policy concerns underlying the attorney-client privilege, there can never be any work rule, however drafted, that permits an employer to read an employee’s privileged communications on her personal, password-protected email account.

The court also issued a stern warning to both in-house and outside counsel engaged in the forensic review of employee computer files. Specifically, the court held that defense counsel committed an ethical violation by reading potentially privileged attorney-client communications without first notifying opposing counsel and/or seeking the court’s permission.

Lessons Learned from Stengart

In New Jersey, employers should take away three key things from Stengart:

· Employees have an inviolate right to privacy in their attorney-client communications transmitted through a personal, password-protected email account, even when using an employer’s computers. While an employer may limit or restrict the occurrence of these contacts on work time, it can never access the communications themselves.

· Employers should update their electronic communication and IT policies to either expressly ban or at least restrict personal use of company computers and devices. Also, the policies should fully detail and disclose the technical storage capabilities of the systems, as well as the Company’s intent to routinely monitor and retrieve all communications and/or files accessed through the company’s computers or devices, including personal email and social networking sites such as Facebook, MySpace and Twitter.

· In-house and outside counsel must implement strict protocols for the forensic review of employee computer files, including the immediate segregation and sealing of potentially privileged material, prompt notice to opposing counsel, and court intervention.

Employers in other states should also seriously consider following the same approach.