New Research: Employee Privacy and Corporate Legal Risk

Perhaps even more disconcerting, 63% of employees reported their companies either had no written policy on checking personal email or other accounts while at work, or if the company did, they don't know about it. And 38% said they use work email at least sometimes to send or receive personal/non-work related communications.

It takes only a quick look at news headlines to realize that mixing personal and professional communications isn't always a great idea.

Personal Privilege

For example, in Peerenboom v. Marvel Entertainment, LLC, 2017 NY Slip Op 01981 [148 AD3d 531], Marvel Entertainment CEO Isaac Perlmutter found out the hard way recently that emails he had sent to his wife and personal lawyer on a work account aren't necessarily privileged.

In part, because Marvel had an email policy in place, New York's Appellate Division upheld a lower court and ruled Perlmutter had no reasonable expectation of privacy with emails sent via company servers because — although Marvel allowed personal emails on company systems as a courtesy, the policy made clear the company owned all data on its system. Now, emails Perlmutter thought were surely privileged appear to be discoverable in litigation.

Peerenboom highlights an important issue: ignorance of a data policy is no excuse. The appellate court held: “Given, among other factors, Perlmutter's status as Marvel's Chair, he was, if not actually aware of Marvel's email policy, constructively on notice of its contents.” Thus, that 63% of employees in the kCura survey without policies — or without knowledge of them — creates risk.

This risk — and expense — is not only for the employee. It's a risk and expense for the employer as well. For instance, in Peerenboom, the company became involved legally in this personal matter, triggering duties to review and produce relevant documents.

Almost a fifth of employees (18%) admit to making mistakes similar to Perlmutter's — using a work device to conduct electronic conversations (email, text, social media, or receipt of a voicemail) with their lawyers.

Corporate Privilege

Email mistakes with shared files can endanger the corporate attorney-client privilege as well. In Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15cv00057 (W.D. Va. Feb. 9, 2017), an insurance company suing a funeral home sent an email to the National Insurance Crime Bureau (NICB). The email contained a hyperlink to privileged information hosted online.

In response to a subpoena, the NICB sent the email to counsel for the defendant funeral home. Defense counsel accessed the information, and the funeral home argued the insurance company had waived the protections of both the attorney-client privilege and the work product doctrine. The court agreed.

Holding the insurance company had waived the privilege, the court wrote the actions constituted “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”

Attorney-client communications aren't the only types of sensitive conversations employees report having on their work devices, either. Thirty-two percent have communicated in this manner with their physicians, while 28% have done so with financial professionals.

Of course, not all personal communications conducted on work devices compromise privacy completely. Courts have certainly ruled in favor of employees in privacy disputes when companies have accessed employee data stored in personal accounts.

For example, in a 2013 case in Ohio, the court found that a supervisor who accessed a former employee's private Gmail account (which they had neglected to delete from their company-issued mobile device) had violated the Stored Communications Act of 1986 (SCA), 18 U.S.C. §2701 et seq. (1986). See, Lazette v. Kulmatycki, No. 3:12CV2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013).

To minimize the risk of lawsuits and violations of this nature, it's important that employers clearly define employees' expectation of privacy at work, and then follow those policies consistently. The fact that so many employees report that their companies don't have policies on accessing personal accounts at work — or that they don't know if policies exist — doesn't bode well for employers here.

In some jurisdictions, if an employer fails to create or enforce policies on privacy, or if they do not notify employees that communications may be monitored, they may find that employees still have a reasonable expectation of privacy.

Retention Risk

On another important note, the survey found also that 63% of employees say their company doesn't have — or they don't know if they have — a written email retention policy.

Email retention failures can be disastrous for companies when email becomes an issue in e-discovery.

For instance, former U.S. District Judge Shira Scheindlin's series of decisions Zubulake v. UBS Warburg, LLC, over email retention and production failures helped lead to a $29.3 million verdict in a sexual discrimination action — with $20.2 million of the verdict being in punitive damages.

Of course, it should be noted that Schiendlin's Zubulake decisions pre-dated both the 2006 and the 2015 e-discovery amendments to the Federal Rules of Civil Procedure. The controversial 2015 amendments to the sanctions provisions of Fed. R. Civ. P. 37(e) were seen by many as a repudiation of Scheindlin sanctions jurisprudence.

Would Zubulake have a different result today? Probably not. The behavior sanctioned in Zubulake would probably still be sanctioned even under the less stringent provisions on the 2015 amendments, requiring an “intent to deprive” for the most severe sanctions.

Data retention policies are often the cornerstone of information governance strategies, but if employees are unaware of them — or the consequences of disregarding them — efforts could be in vain. For example, in a 2016 decision, U.S. District Judge Leonard Stark in Delaware sanctioned an electronics company $3 million in punitive sanctions plus costs for its unlawful deletion of email.

21st Century Technical Education

Court sanctions aren't the only risk created by employee data. There's also the risk of disrupting business activities with seemingly innocuous employee habits.

For instance, 70% of employees said they use email/folders in their inbox as a filing system at work — a barrier to implementing a defensible retention policy without disrupting business activities. Educating employees about defensible deletion is critical.

The results of kCura's survey show that we have a long way to go in getting 21st century technical education to the level of 21st century technology. Employee data is putting employers at risk, and without sufficient information governance programs, the potential damage to the American workplace is substantial.

Method statement: This survey was conducted online in the U.S. by Harris Poll on behalf of kCura, makers of Relativity, between Dec. 28th, 2016 and Jan. 18th, 2017. The research was conducted among 1,013 adults age 18+ who are employed full-time or part-time, not a freelancer, and works in a traditional office setting for at least 50% of the time. Figures for age, gender, race/ethnicity, education, region, and household income were weighted where necessary to bring them into line with their actual proportions in the population. Propensity score weighting was also used to adjust for respondents' propensity to be online.

*****
David Horrigan is e-discovery counsel and legal content director at kCura. An attorney, industry analyst, and award-winning journalist, he served formerly as analyst and counsel at 451 Research and reporter and assistant editor at The National Law Journal.

The use of business email accounts and digital devices for personal communications can be risky for both employers and employees. However, employees of all levels may be commingling corporate communications with their personal information, according to new research.

A survey conducted by Harris Poll on behalf of kCura asked more than 1,000 adults who work in a traditional office setting for at least 50% of the time (referred to as “employees” throughout) about their communication habits in the workplace that may contribute to corporate legal risk and personal privacy compromises.

The results should give corporate legal and information governance professionals a few things to consider. First, more than half of employees (55%) said they believe there is no harm to their companies when they use a work device for personal communications.

Perhaps even more disconcerting, 63% of employees reported their companies either had no written policy on checking personal email or other accounts while at work, or if the company did, they don't know about it. And 38% said they use work email at least sometimes to send or receive personal/non-work related communications.

It takes only a quick look at news headlines to realize that mixing personal and professional communications isn't always a great idea.

Personal Privilege

For example, in Peerenboom v. Marvel Entertainment, LLC , 2017 NY Slip Op 01981 [148 AD3d 531], Marvel Entertainment CEO Isaac Perlmutter found out the hard way recently that emails he had sent to his wife and personal lawyer on a work account aren't necessarily privileged.

In part, because Marvel had an email policy in place, New York's Appellate Division upheld a lower court and ruled Perlmutter had no reasonable expectation of privacy with emails sent via company servers because — although Marvel allowed personal emails on company systems as a courtesy, the policy made clear the company owned all data on its system. Now, emails Perlmutter thought were surely privileged appear to be discoverable in litigation.

Peerenboom highlights an important issue: ignorance of a data policy is no excuse. The appellate court held: “Given, among other factors, Perlmutter's status as Marvel's Chair, he was, if not actually aware of Marvel's email policy, constructively on notice of its contents.” Thus, that 63% of employees in the kCura survey without policies — or without knowledge of them — creates risk.

This risk — and expense — is not only for the employee. It's a risk and expense for the employer as well. For instance, in Peerenboom, the company became involved legally in this personal matter, triggering duties to review and produce relevant documents.

Almost a fifth of employees (18%) admit to making mistakes similar to Perlmutter's — using a work device to conduct electronic conversations (email, text, social media, or receipt of a voicemail) with their lawyers.

Corporate Privilege

Email mistakes with shared files can endanger the corporate attorney-client privilege as well. In Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15cv00057 (W.D. Va. Feb. 9, 2017), an insurance company suing a funeral home sent an email to the National Insurance Crime Bureau (NICB). The email contained a hyperlink to privileged information hosted online.

In response to a subpoena, the NICB sent the email to counsel for the defendant funeral home. Defense counsel accessed the information, and the funeral home argued the insurance company had waived the protections of both the attorney-client privilege and the work product doctrine. The court agreed.

Holding the insurance company had waived the privilege, the court wrote the actions constituted “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”

Attorney-client communications aren't the only types of sensitive conversations employees report having on their work devices, either. Thirty-two percent have communicated in this manner with their physicians, while 28% have done so with financial professionals.

Of course, not all personal communications conducted on work devices compromise privacy completely. Courts have certainly ruled in favor of employees in privacy disputes when companies have accessed employee data stored in personal accounts.

For example, in a 2013 case in Ohio, the court found that a supervisor who accessed a former employee's private Gmail account (which they had neglected to delete from their company-issued mobile device) had violated the Stored Communications Act of 1986 (SCA), 18 U.S.C. §2701 et seq. (1986). See, Lazette v. Kulmatycki, No. 3:12CV2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013).

To minimize the risk of lawsuits and violations of this nature, it's important that employers clearly define employees' expectation of privacy at work, and then follow those policies consistently. The fact that so many employees report that their companies don't have policies on accessing personal accounts at work — or that they don't know if policies exist — doesn't bode well for employers here.

In some jurisdictions, if an employer fails to create or enforce policies on privacy, or if they do not notify employees that communications may be monitored, they may find that employees still have a reasonable expectation of privacy.

Retention Risk

On another important note, the survey found also that 63% of employees say their company doesn't have — or they don't know if they have — a written email retention policy.

Email retention failures can be disastrous for companies when email becomes an issue in e-discovery.

For instance, former U.S. District Judge Shira Scheindlin's series of decisions Zubulake v. UBS Warburg, LLC, over email retention and production failures helped lead to a $29.3 million verdict in a sexual discrimination action — with $20.2 million of the verdict being in punitive damages.

Of course, it should be noted that Schiendlin's Zubulake decisions pre-dated both the 2006 and the 2015 e-discovery amendments to the Federal Rules of Civil Procedure. The controversial 2015 amendments to the sanctions provisions of Fed. R. Civ. P. 37(e) were seen by many as a repudiation of Scheindlin sanctions jurisprudence.

Would Zubulake have a different result today? Probably not. The behavior sanctioned in Zubulake would probably still be sanctioned even under the less stringent provisions on the 2015 amendments, requiring an “intent to deprive” for the most severe sanctions.

Data retention policies are often the cornerstone of information governance strategies, but if employees are unaware of them — or the consequences of disregarding them — efforts could be in vain. For example, in a 2016 decision, U.S. District Judge Leonard Stark in Delaware sanctioned an electronics company $3 million in punitive sanctions plus costs for its unlawful deletion of email.

21st Century Technical Education

Court sanctions aren't the only risk created by employee data. There's also the risk of disrupting business activities with seemingly innocuous employee habits.

For instance, 70% of employees said they use email/folders in their inbox as a filing system at work — a barrier to implementing a defensible retention policy without disrupting business activities. Educating employees about defensible deletion is critical.

The results of kCura's survey show that we have a long way to go in getting 21st century technical education to the level of 21st century technology. Employee data is putting employers at risk, and without sufficient information governance programs, the potential damage to the American workplace is substantial.

Method statement: This survey was conducted online in the U.S. by Harris Poll on behalf of kCura, makers of Relativity, between Dec. 28th, 2016 and Jan. 18th, 2017. The research was conducted among 1,013 adults age 18+ who are employed full-time or part-time, not a freelancer, and works in a traditional office setting for at least 50% of the time. Figures for age, gender, race/ethnicity, education, region, and household income were weighted where necessary to bring them into line with their actual proportions in the population. Propensity score weighting was also used to adjust for respondents' propensity to be online.

*****
David Horrigan is e-discovery counsel and legal content director at kCura. An attorney, industry analyst, and award-winning journalist, he served formerly as analyst and counsel at 451 Research and reporter and assistant editor at The National Law Journal.