Employers generally think that they own and control all data that passes through their computer networks, whether work-related or personal to an employee. Earlier this week, in Stengart v. Loving Care Agency [pdf], the New Jersey Supreme Court issued a landmark decision that should concern all businesses, and could greatly inhibit employers’ ability to monitor how employees use workplace technology for personal reasons.
Consider the following facts. You issue a manager a company-owned laptop. The employee – who is not technologically savvy – does not realize that the Internet browser automatically saves on the hard drive a copy of each web page viewed. During her employment, the employee uses the computer to contact her attorney using her personal, web-based, password-protected Yahoo email account. She does not save her private login or password on the computer. After she quits and returns the laptop, she sues for discrimination. You are able to extract, via a computer forensic expert, the emails she sent to her attorney. When you turn over in discovery copies of those emails, it hits the fan.
You rely on the following Electronic Communication Policy for your belief that the employee had relinquished any expectation of privacy over the personal emails stored on the company-owned computer:
The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time, with or without notice.…
Email and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.
The principal purpose of electronic mail (email) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.
The Policy also specifically prohibits “certain uses of the email system” including sending inappropriate sexual, discriminatory, or harassing messages, chain letters, “[m]essages in violation of government laws,” or messages relating to job searches, business activities unrelated to the employment, or political activities. The Policy concludes with the following warning: “Abuse of the electronic communications system may result in disciplinary action up to and including separation of employment.”
The court in Stengart held that the employee had a reasonable expectation of privacy in the personal, password-protected, web-based email account accessed on the company-owned computer.
The employee subjectively expected the emails to be private because she used a personal, password-protected email account instead of her company email address, and did not store the account’s password on the computer.
The expectation of privacy was also objectively reasonable, because the Policy does not address the use of personal, web-based email accounts, and does not warn employees that the contents of emails sent via personal accounts can be forensically retrieved and read by the company. Moreover, by permitting occasional personal use, the Policy created doubt over who owns the emails.
The following language – which suggests that regardless of the policy language used, the ability of employers to peer into employees’ private, web-based email is severely restricted – is probably the most important part of the opinion for employers.
The Policy did not give Stengart, or a reasonable person in her position, cause to anticipate that Loving Care would be peering over her shoulder as she opened emails from her lawyer on her personal, password-protected Yahoo account….
[This] does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy…. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual – that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected email account using the company’s computer system – would not be enforceable.
On Monday, I’ll be back with my thoughts on the lessons of this case and how to incorporate them into your Electronic Communications Policy.