The recent decision for employee e-mail privacy and lawyer-client privilege by the New Jersey Supreme Court produced celebratory fist-bumps by groups ranging from the Employers Association of New Jersey (EANJ) to the National Employment Lawyers Association of New Jersey (NELA-NJ), the Association of Criminal Defense Lawyers of New Jersey (ACDL-NJ), and the New Jersey State Bar Association (NJSBA). As noted in last week’s Cyber Risk Report, the justices ruled that an employee “could reasonably expect that e-mail communications with her lawyer through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them.”
Only a few years ago, the case of Stengart v Loving Care might never have gone to court because most companies didn’t pay much attention to employees’ electronic communications except to avoid human resource department issues. Today, corporations have cyber and insider risks to guard against, regulatory and compliance requirements to adhere to, and legitimate business concerns that make monitoring a necessity, not an option. The risk of not knowing what employees may be electronically communicating has increased dramatically.
The court’s full opinion — a significant victory for New Jersey employees accessing their Yahoo!, Gmail, or Hotmail accounts from company-owned computers to correspond with their attorneys — contains some compelling language that corporations may wish to consider when reviewing their own e-mail monitoring policies. In deciding for the plaintiff, the justices outlined a critique of her employer’s electronic communications policy. From the opinion:
The Policy specifically reserves to Loving Care the right to review and access “all matters on the company’s media systems and services at any time.” In addition, e-mail messages are plainly “considered part of the company’s business . . . records.”
It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.
The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.
The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.
The scope of the written Policy, therefore, is not entirely clear.
Employers have a right to protect intellectual property, assets, data, brand, and productivity, but “employers have no need to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy,” says Chief Justice Stuart Rabner. Furthermore, Rabner wrote that “even a more clearly written company manual — that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system — would not be enforceable.”
The implications for corporate electronic communications policies are, at least in New Jersey, considerable. The language found “ambiguous” by the Court is common to businesses from New York to California. Companies may want to examine their policies and revise while keeping the Court’s opinion on the defendant’s policy nearby.
Some risks that may arise to corporations with ambiguous electronic policies:
- If employees are not given “express notice” that personal e-mail accounts accessed from company laptops and other company-owned electronic devices such as smart phones are not private and may be monitored, the company’s electronic communications policy could be considered unenforceable.
- If vague phrases such as “media systems and services” describe the company’s hardware and software, courts may find that the language of a policy is “not entirely clear.”
- If employees are not notified that their company and personal e-mail messages sent and received on company equipment can be “forensically retrieved and read,” a company could risk fines and legal judgments.
Monitoring policies may indeed be unenforceable as technology races ahead of the law, but employers may still wish to review their own monitored communications policies for unclear language.
The author would like to thank Jeff Shipley for his insights.