Wednesday, March 31, 2010
The New Jersey Supreme Court just weighed in on the conflict between employer rights in the computers they provide and employee privacy rights. In a man--bites-dog turn of events, the employee won -- at least when the privacy interest at stake is attorney-client privileged communications.
In Stengart v. Loving Care Agency (the name of the defendant apparently is aspirational), plaintiff sued for harassment, retaliation and a variety of other claims after she had left her employment. She had also left behind her employer-provided laptop, from which (while still employed) she had e-mailed her attorney. In doing so, she had used a private, password-protected Yahoo! account to send and receive messages from her attorney, but she had accessed that account using the employer's laptop.She had not saved her ID or password on the laptop, but that was no problem for a computer expert, who created a forensic image of the hard drive, from which the employer's attorneys were able to retrieved a number of e-mails between plaintiff and her attorney. Although that attorney's e-mails contained the usual warning about privilege, the employer's law firm, Sills, Cummis (headquartered right across the street from where I'm writing this), reviewed the communications -- notifying the plaintiff only months later.
Loving Care, of course, had a policy reserving the right to review all e-mail accessed from company computers, which it claimed deprived plaintiff of any expectation of privacy in her communications in the first place and/or waived any privilege that would otherwise exist. The trial court bought the argument, but the Appellate Division reversed, focusing on the language of the policy, The NJ Supreme Court agreed but went further.
It began by noting that the employer's policy neither explicitly addressed accessing private e-mail accounts nor explicitly warned that the contents of such e-mails are stored on hard drives and can be later accessed. It then noted that the plaintiff had taken steps -- using a personal, password-protected account -- to protect her privacy, which indicated that she had a subjective expectation of privacy. Given the failure of the policy to explicitly reach the communications in question, that expectation was also objectively reasonable. Nor were the e-mails "illegal or inappropriate material." In light of the nature of the communications and the standard warning, the privilege attached and was not waived. "The Policy did not give Stengard, or a reasonable person in her position, cause to anticipate that Loving Care would be peering over her shoulder as she opened e-mails from her lawyer on her personal, password-protected Yahoo account."
So far, a ringing endorsement of employee privacy rights. But, of course, one that any competent attorney could easily draft around. I can almost see the management firms gearing up to redraft appropriate use policies to ensure that Stengart will protect few future employees in the Garden State, Or can they.
Section V B of the opinion begins by reaffirming the right of employers "to adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of the business and to ensure compliance with legitimate corporate policies." It even suggests that an employee who spends "long stretches of time" communicating with his lawyer can be disciplined for violating a policy allowing "only occasional personal use." It then goes on: "But employers have no need or basis to read the specific contents of personal, privileged, attorney client communications in order to enforce corporate policy." At least with respect to privileged communications, "even a more clearly written policy -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications if accessed on a personal, password-protected e-mail account using a company's computer system -- would not be enforceable.
So a pretty clear victory for employees -- if on narrow grounds.
Oh, and the Sills, Cummis firm? It violated the rules of professional responsibility (NJ's version of RPC 4.4(b)) by reading the e-mails. While there was no evidence of bad faith (presumably because of the Loving Care policy), the firm acted inappropriately. Sanctions, and potential disqualification from the case, were left to the trial court. One might predict little sanction by a trial court which, you might recall, didn't think the firm did anything wrong in the first place.
I'd put in a link to the case, but there's something wrong with the court's website. The case is not available on Lexis at the moment, but it should be up shortly.