Policing Workplace e-Mail Use

Many people mistakenly believe that viewing personal e-mails from a workplace computer via the Internet, as opposed to an e-mail program such as Microsoft Outlook, shields the contents of e-mails from the employer's purview. It was under this mistaken belief that the plaintiff in Stengart used her company-issued laptop to access her Web-based, password-protected Yahoo e-mail account, which contained e-mails from her attorney. She did not realize that images of those e-mails were saved automatically in the laptop's temporary Internet file cache folder. Soon after, she quit her job and filed a discrimination claim against her employer. The company forensically retrieved images of the Yahoo e-mails from the laptop's hard drive, and used the contents (attorney-client communications) of the e-mails in a subsequent court pleading.

Written Technology Policies and Ambiguity

In arguing that the e-mails were not privileged, the employer cited its written workplace technology policy, which stated that it could review and intercept “all matters” on the company's computers at any time without notice to the employee. However, the policy did expressly allow employees to use the Internet for “occasional personal use.” This, as the employer later learned, is an unfortunate way an employer adds ambiguity to an otherwise clear and precise workplace policy. The Stengart court explained that by “acknowledging that occasional personal use of e-mail is permitted, the [Employee Computer Use] Policy created doubt about whether those e-mails are company or private property.” Additionally, the court noted that the employer's policy failed to “warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.”

The court also noted specific steps the plaintiff had taken to maintain the confidentiality of her e-mails. She had used a personal, password-protected e-mail account (rather than her employer's e-mail system) and had not saved the password to her private e-mail account on her employer's computer. Additionally, the e-mails from her attorney contained a written statement in the message body warning the reader that the messages were personal and confidential and may be attorney-client communications.

Perhaps the most surprising aspect of the Stengart opinion was that the court refused to consider whether the existence of a clear company policy could eliminate or significantly diminish an employee's expectation of privacy in attorney-client communications. Rather, after announcing that “employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy,” the court stated that “even a more clearly written company manual ' that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney client communications, if accessed on a personal, password-protected e-mail account using the company's computer system ' would not be enforceable.” The court reiterated that employers can still adopt and enforce workplace policies to “protect the assets, reputation, and productivity of a business,” and fire employees who are in violation of workplace rules.

The Stengart Approach

The Stengart approach is unique. In fact, very few courts have held that employees who used a workplace computer to communicate with their attorney did not waive the attorney-client privilege. See, e.g., Nat'l Econ. Research Assocs. v. Evans, No. 04-2618, 2006 Mass. Super. LEXIS 371 (Mass. Super. Ct. 2006) (finding reasonable expectation of privacy where employee used a private, password-protected e-mail account and was unaware the computer was automatically saving images of e-mails in its temporary Internet files folder); Transocean Capital, Inc v. Fortin, 21 Mass. L. Rep. 597 (Mass. Super. Ct. 2006) (finding reasonable expectation of privacy in workplace e-mails because the employer had failed to adopt an employee handbook that stated that all communications transmitted, received, or stored in the employer's computer systems belong to the employer); Curto v. Medical World Commc'ns, Inc., No. 03-cv-6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006) (holding not clearly erroneous a magistrate judge's order that an employee's personal use of a company-owned computer in her home did not result in waiver of attorney-client privilege).

Stengart drew guidance from two other cases ' In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (Bank'r S.D.N.Y. 2005) and National Economic Research Associates, Inc. v. Evans, 2006 Mass. Super. LEXIS 371 (Mass. Super. Ct. 2006). In Asia Global Crossing, the federal bankruptcy court introduced a four-factor test to determine whether an employee retains an expectation of privacy in computer files and e-mail accessed from a workplace computer. Affirmative answers to the following questions weigh against the employee retaining a reasonable expectation of privacy in workplace e-mails:

• Does the employer maintain a policy banning personal or other objectionable use?
• Does the employer monitor the use of the employee's computer or e-mail?
• Do third parties have a right of access to the computer or e-mails?
• Did the employer notify the employee, or was the employee aware, of the use and monitoring policies? See Asia Global Crossing, 322 B.R. at 257.

In National Economic Research Associates, Inc. v. Evans, the Superior Court of Massachusetts focused on whether an employee who used a workplace computer to access his private, Web-based e-mails had waived the attorney-client privilege. Like the plaintiff in Stengart, the defendant in Evans accessed his password-protected personal Yahoo e-mail account using a company-issued laptop to exchange communications with his attorney, completely unaware that the laptop was automatically copying images of the Yahoo Web site to its temporary Internet file cache folder. After he quit, his employer forensically imaged the laptop and discovered the communications.

The Evans court first held that the attorney-client privilege attached to the e-mails because the employer's computer-use policy, which warned employees that it would monitor Internet sites visited, failed to warn that it would monitor the contents of e-mails made from a personal e-mail account accessed via the Internet. On the facts before it, the court held that the employee had not waived the privilege because of three steps he took to make sure the e-mails remained confidential. First, the employee communicated with his attorney through his private, password-protected Yahoo e-mail account rather than through his employer's e-mail system. Second, he had neither forwarded any of the e-mails to his work e-mail, nor downloaded the e-mails or otherwise saved them to his work computer. Finally, he made an effort to delete all personal files from his employer's computer and ran a disk defrag program to prevent recovery of the deleted files.

The Evans court advised employers that if they “wish ' to read an employee's attorney-client communications unintentionally stored in a temporary file on a company-owned computer that were made via a private, password-protected e-mail account accessed through the Internet, not the company's Intranet, the employer must plainly communicate to the employee that all such e-mails are stored on the hard disk of the company's computer in a 'screen shot' temporary file and the company expressly reserves the right to retrieve those temporary files and read them.” Evans, 2006 Mass. Super. LEXIS 371 at *13.

The Bottom Line

Guidance from Stengart, Asia Global Crossing, and Evans applies not only to workplace computers, but also to any other type of employer-provided technology, including cell phones, pagers, GPS devices, digital cameras, copy machines, and smart phones like the BlackBerry, the iPhone, and the Motorola Droid. The latter, for example, integrates full e-mail, Internet browsing, GPS, audio recording, digital imaging, and text-messaging. Employers that provide employees with these types of devices need to establish detailed, written policies to improve workplace productivity and protect the assets and reputation of the company. This can be accomplished as follows:

• Disseminate a formal workplace policy governing employees' use of the computers and other devices or carefully review and update any policy that is already in place.
• Notify and educate employees on the workplace policy.
• Apply the policy to all technology, whether office-based or portable.
• Regularly and repeatedly warn employees that the company can and will monitor workplace computer use.
• Specifically warn employees that the company will monitor the contents of Internet communications.
• Specifically warn employees that the company's computers and internet system will automatically capture Web-based content and save those files to the computer's hard drive.
• Monitor and enforce the workplace policy.
• Inform employees of any third parties that have access to the employer's e-mail system and Internet accounts.

Employees, likewise, can take steps to maintain the privacy of
communications that originate from the workplace or from a company-supplied device. They should be told to wait until they get home to use their own computer and Internet to send e-mails. Those whose jobs require frequent travel should be advised to avoid the temptation of using a company-provided laptop to send or receive personal e-mails. Instead, clients should invest in a mini laptop or smart phone and use it for all personal communications. But if the communication simply cannot wait and the e-mail has to go out now, employees should only use a Web-based, password-protected e-mail account such as Yahoo or G-mail and not the employer's e-mail system. Likewise, employees should not forward any personal e-mails to their work e-mail address ' doing so will likely waive the attorney-client privilege. Finally, employees should never download or save copies of e-mail communications to the employer's computer or device.

Conclusion

There is little doubt that as technology continues to infiltrate our daily lives and provide conveniences that cannot even be imagined, the temptation to ignore or blur the divide between purely personal and purely professional use of technology is great, and certainly comes at a cost. The blurrier the divide, the more personal privacy will be compromised.

Fernando M. Pinguelo, a trial lawyer and partner of Norris McLaughlin & Marcus, co-chairs the firm's Response to Electronic Discovery and Information group. Laura J. Tyson is a recent graduate of Seton Hall Law School.

On-the-job Internet surfing has become a problem that employers can no longer ignore. A recent Office of Inspector General investigation, for example, revealed that senior-level SEC staff, including an attorney, used their workplace computers to view online pornography for up to eight hours per day during the period of time that led this country's biggest economic meltdown since the Great Depression. See, www.washingtonpost.com/wp-srv/politics/documents/SECPornSummary.pdf. The workplace Internet-abuse epidemic is not restricted to massive operations, either. Small companies express concerns that their staff wastes valuable office time tagging photos in Facebook and sending personal e-mails instead of doing work. Yet the blurry divide between prolonged, purely personal workplace Internet (ab)use and the occasional, legitimate need to use temporarily a company computer to communicate with a bank, an online vendor, or an attorney, continues. A company's decision on where to draw the line on personal use of workplace computers poses a great challenge to employers, and recent court rulings do not make the decision and its enforcement any easier.

Under what circumstances do employees who use a workplace computer to communicate with their attorneys waive the attorney-client privilege that would normally attach to such a communication? A recent ruling from New Jersey addressed this question. In Stengart v. Loving Care Agency, Inc., 2010 N.J. LEXIS 241 (N.J. March 30, 2010), the Supreme Court of New Jersey ruled that an employee's private, password-protected e-mails containing communications with her attorney remained privileged, despite the existence of a detailed, written workplace technology policy that expressly placed employees on notice that the employer could intercept and review communications made using the employer's computers at any time. The issue of how the attorney-client privilege applies to workplace e-mails remains murky in many jurisdictions, and this New Jersey ruling, and a few others, provide some much-needed guidance for employers and employees alike.

Outsmarted by Technology

Many people mistakenly believe that viewing personal e-mails from a workplace computer via the Internet, as opposed to an e-mail program such as Microsoft Outlook, shields the contents of e-mails from the employer's purview. It was under this mistaken belief that the plaintiff in Stengart used her company-issued laptop to access her Web-based, password-protected Yahoo e-mail account, which contained e-mails from her attorney. She did not realize that images of those e-mails were saved automatically in the laptop's temporary Internet file cache folder. Soon after, she quit her job and filed a discrimination claim against her employer. The company forensically retrieved images of the Yahoo e-mails from the laptop's hard drive, and used the contents (attorney-client communications) of the e-mails in a subsequent court pleading.

Written Technology Policies and Ambiguity

In arguing that the e-mails were not privileged, the employer cited its written workplace technology policy, which stated that it could review and intercept “all matters” on the company's computers at any time without notice to the employee. However, the policy did expressly allow employees to use the Internet for “occasional personal use.” This, as the employer later learned, is an unfortunate way an employer adds ambiguity to an otherwise clear and precise workplace policy. The Stengart court explained that by “acknowledging that occasional personal use of e-mail is permitted, the [Employee Computer Use] Policy created doubt about whether those e-mails are company or private property.” Additionally, the court noted that the employer's policy failed to “warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.”

The court also noted specific steps the plaintiff had taken to maintain the confidentiality of her e-mails. She had used a personal, password-protected e-mail account (rather than her employer's e-mail system) and had not saved the password to her private e-mail account on her employer's computer. Additionally, the e-mails from her attorney contained a written statement in the message body warning the reader that the messages were personal and confidential and may be attorney-client communications.

Perhaps the most surprising aspect of the Stengart opinion was that the court refused to consider whether the existence of a clear company policy could eliminate or significantly diminish an employee's expectation of privacy in attorney-client communications. Rather, after announcing that “employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy,” the court stated that “even a more clearly written company manual ' that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney client communications, if accessed on a personal, password-protected e-mail account using the company's computer system ' would not be enforceable.” The court reiterated that employers can still adopt and enforce workplace policies to “protect the assets, reputation, and productivity of a business,” and fire employees who are in violation of workplace rules.

The Stengart Approach

The Stengart approach is unique. In fact, very few courts have held that employees who used a workplace computer to communicate with their attorney did not waive the attorney-client privilege. See, e.g., Nat'l Econ. Research Assocs. v. Evans, No. 04-2618, 2006 Mass. Super. LEXIS 371 (Mass. Super. Ct. 2006) (finding reasonable expectation of privacy where employee used a private, password-protected e-mail account and was unaware the computer was automatically saving images of e-mails in its temporary Internet files folder); Transocean Capital, Inc v. Fortin , 21 Mass. L. Rep. 597 (Mass. Super. Ct. 2006) (finding reasonable expectation of privacy in workplace e-mails because the employer had failed to adopt an employee handbook that stated that all communications transmitted, received, or stored in the employer's computer systems belong to the employer); Curto v. Medical World Commc'ns, Inc., No. 03-cv-6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006) (holding not clearly erroneous a magistrate judge's order that an employee's personal use of a company-owned computer in her home did not result in waiver of attorney-client privilege).

Stengart drew guidance from two other cases ' In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (Bank'r S.D.N.Y. 2005) and National Economic Research Associates, Inc. v. Evans, 2006 Mass. Super. LEXIS 371 (Mass. Super. Ct. 2006). In Asia Global Crossing, the federal bankruptcy court introduced a four-factor test to determine whether an employee retains an expectation of privacy in computer files and e-mail accessed from a workplace computer. Affirmative answers to the following questions weigh against the employee retaining a reasonable expectation of privacy in workplace e-mails:

• Does the employer maintain a policy banning personal or other objectionable use?
• Does the employer monitor the use of the employee's computer or e-mail?
• Do third parties have a right of access to the computer or e-mails?
• Did the employer notify the employee, or was the employee aware, of the use and monitoring policies? See Asia Global Crossing, 322 B.R. at 257.

In National Economic Research Associates, Inc. v. Evans, the Superior Court of Massachusetts focused on whether an employee who used a workplace computer to access his private, Web-based e-mails had waived the attorney-client privilege. Like the plaintiff in Stengart, the defendant in Evans accessed his password-protected personal Yahoo e-mail account using a company-issued laptop to exchange communications with his attorney, completely unaware that the laptop was automatically copying images of the Yahoo Web site to its temporary Internet file cache folder. After he quit, his employer forensically imaged the laptop and discovered the communications.

The Evans court first held that the attorney-client privilege attached to the e-mails because the employer's computer-use policy, which warned employees that it would monitor Internet sites visited, failed to warn that it would monitor the contents of e-mails made from a personal e-mail account accessed via the Internet. On the facts before it, the court held that the employee had not waived the privilege because of three steps he took to make sure the e-mails remained confidential. First, the employee communicated with his attorney through his private, password-protected Yahoo e-mail account rather than through his employer's e-mail system. Second, he had neither forwarded any of the e-mails to his work e-mail, nor downloaded the e-mails or otherwise saved them to his work computer. Finally, he made an effort to delete all personal files from his employer's computer and ran a disk defrag program to prevent recovery of the deleted files.

The Evans court advised employers that if they “wish ' to read an employee's attorney-client communications unintentionally stored in a temporary file on a company-owned computer that were made via a private, password-protected e-mail account accessed through the Internet, not the company's Intranet, the employer must plainly communicate to the employee that all such e-mails are stored on the hard disk of the company's computer in a 'screen shot' temporary file and the company expressly reserves the right to retrieve those temporary files and read them.” Evans, 2006 Mass. Super. LEXIS 371 at *13.

The Bottom Line

Guidance from Stengart, Asia Global Crossing, and Evans applies not only to workplace computers, but also to any other type of employer-provided technology, including cell phones, pagers, GPS devices, digital cameras, copy machines, and smart phones like the BlackBerry, the iPhone, and the Motorola Droid. The latter, for example, integrates full e-mail, Internet browsing, GPS, audio recording, digital imaging, and text-messaging. Employers that provide employees with these types of devices need to establish detailed, written policies to improve workplace productivity and protect the assets and reputation of the company. This can be accomplished as follows:

• Disseminate a formal workplace policy governing employees' use of the computers and other devices or carefully review and update any policy that is already in place.
• Notify and educate employees on the workplace policy.
• Apply the policy to all technology, whether office-based or portable.
• Regularly and repeatedly warn employees that the company can and will monitor workplace computer use.
• Specifically warn employees that the company will monitor the contents of Internet communications.
• Specifically warn employees that the company's computers and internet system will automatically capture Web-based content and save those files to the computer's hard drive.
• Monitor and enforce the workplace policy.
• Inform employees of any third parties that have access to the employer's e-mail system and Internet accounts.

Employees, likewise, can take steps to maintain the privacy of
communications that originate from the workplace or from a company-supplied device. They should be told to wait until they get home to use their own computer and Internet to send e-mails. Those whose jobs require frequent travel should be advised to avoid the temptation of using a company-provided laptop to send or receive personal e-mails. Instead, clients should invest in a mini laptop or smart phone and use it for all personal communications. But if the communication simply cannot wait and the e-mail has to go out now, employees should only use a Web-based, password-protected e-mail account such as Yahoo or G-mail and not the employer's e-mail system. Likewise, employees should not forward any personal e-mails to their work e-mail address ' doing so will likely waive the attorney-client privilege. Finally, employees should never download or save copies of e-mail communications to the employer's computer or device.

Conclusion

There is little doubt that as technology continues to infiltrate our daily lives and provide conveniences that cannot even be imagined, the temptation to ignore or blur the divide between purely personal and purely professional use of technology is great, and certainly comes at a cost. The blurrier the divide, the more personal privacy will be compromised.

Fernando M. Pinguelo, a trial lawyer and partner of Norris McLaughlin & Marcus, co-chairs the firm's Response to Electronic Discovery and Information group. Laura J. Tyson is a recent graduate of Seton Hall Law School.