Employee Privacy and Corporate Legal Risk

Perhaps even more disconcerting, 63% of employees reported their companies either had no written policy on checking personal email or other accounts while at work, or if the company did, they don't know about it. And 38% said they use work email at least sometimes to send or receive personal/non-work related communications.

It takes only a quick look at news headlines to realize that mixing personal and professional communications isn't always a great idea.

Personal Privilege

For example, in Peerenboom v. Marvel Entertainment, LLC, 2017 NY Slip Op 01981 [148 AD3d 531], Marvel Entertainment CEO Isaac Perlmutter found out the hard way recently that emails he had sent to his wife and personal lawyer on a work account aren't necessarily privileged.

In part, because Marvel had an email policy in place, New York's Appellate Division upheld a lower court and ruled Perlmutter had no reasonable expectation of privacy with emails sent via company servers because — although Marvel allowed personal emails on company systems as a courtesy, the policy made clear the company owned all data on its system. Now, emails Perlmutter thought were surely privileged appear to be discoverable in litigation.

Peerenboom highlights an important issue: ignorance of a data policy is no excuse. The appellate court held: “Given, among other factors, Perlmutter's status as Marvel's Chair, he was, if not actually aware of Marvel's email policy, constructively on notice of its contents.” Thus, that 63% of employees in the kCura survey without policies — or without knowledge of them — creates risk.

This risk — and expense — is not only for the employee. It's a risk and expense for the employer as well. For instance, in Peerenboom, the company became involved legally in this personal matter, triggering duties to review and produce relevant documents.

Almost a fifth of employees (18%) admit to making mistakes similar to Perlmutter's — using a work device to conduct electronic conversations (email, text, social media, or receipt of a voicemail) with their lawyers.

Attorney-client communications aren't the only types of sensitive conversations employees report having on their work devices, either. Thirty-two percent have communicated in this manner with their physicians, while 28% have done so with financial professionals.

Of course, not all personal communications conducted on work devices compromise privacy completely. Courts have certainly ruled in favor of employees in privacy disputes when companies have accessed employee data stored in personal accounts.

For example, in a 2013 case in Ohio, the court found that a supervisor who accessed a former employee's private Gmail account (which they had neglected to delete from their company-issued mobile device) had violated the Stored Communications Act of 1986 (SCA), 18 U.S.C. §2701 et seq. (1986). See, Lazette v. Kulmatycki, No. 3:12CV2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013).

To minimize the risk of lawsuits and violations of this nature, it's important that employers clearly define employees' expectation of privacy at work, and then follow those policies consistently. The fact that so many employees report that their companies don't have policies on accessing personal accounts at work — or that they don't know if policies exist — doesn't bode well for employers here.

In some jurisdictions, if an employer fails to create or enforce policies on privacy, or if they do not notify employees that communications may be monitored, they may find that employees still have a reasonable expectation of privacy.

21st Century Technical Education

Court sanctions aren't the only risk created by employee data. There's also the risk of disrupting business activities with seemingly innocuous employee habits.

For instance, 70% of employees said they use email/folders in their inbox as a filing system at work — a barrier to implementing a defensible retention policy without disrupting business activities. Educating employees about defensible deletion is critical.

The results of kCura's survey show that we have a long way to go in getting 21st century technical education to the level of 21st century technology. Employee data is putting employers at risk, and without sufficient information governance programs, the potential damage to the American workplace is substantial.

*****
David Horrigan is e-discovery counsel and legal content director at kCura. An attorney, industry analyst, and award-winning journalist, he served formerly as analyst and counsel at 451 Research and reporter and assistant editor at The National Law Journal.

The use of business email accounts and digital devices for personal communications can be risky for both employers and employees. However, employees of all levels may be commingling corporate communications with their personal information, according to new research.

A survey conducted by Harris Poll on behalf of kCura asked more than 1,000 adults who work in a traditional office setting for at least 50% of the time (referred to as “employees” throughout) about their communication habits in the workplace that may contribute to corporate legal risk and personal privacy compromises.

The results should give corporate legal and information governance professionals a few things to consider. First, more than half of employees (55%) said they believe there is no harm to their companies when they use a work device for personal communications.

Perhaps even more disconcerting, 63% of employees reported their companies either had no written policy on checking personal email or other accounts while at work, or if the company did, they don't know about it. And 38% said they use work email at least sometimes to send or receive personal/non-work related communications.

It takes only a quick look at news headlines to realize that mixing personal and professional communications isn't always a great idea.

Personal Privilege

For example, in Peerenboom v. Marvel Entertainment, LLC , 2017 NY Slip Op 01981 [148 AD3d 531], Marvel Entertainment CEO Isaac Perlmutter found out the hard way recently that emails he had sent to his wife and personal lawyer on a work account aren't necessarily privileged.

In part, because Marvel had an email policy in place, New York's Appellate Division upheld a lower court and ruled Perlmutter had no reasonable expectation of privacy with emails sent via company servers because — although Marvel allowed personal emails on company systems as a courtesy, the policy made clear the company owned all data on its system. Now, emails Perlmutter thought were surely privileged appear to be discoverable in litigation.

Peerenboom highlights an important issue: ignorance of a data policy is no excuse. The appellate court held: “Given, among other factors, Perlmutter's status as Marvel's Chair, he was, if not actually aware of Marvel's email policy, constructively on notice of its contents.” Thus, that 63% of employees in the kCura survey without policies — or without knowledge of them — creates risk.

This risk — and expense — is not only for the employee. It's a risk and expense for the employer as well. For instance, in Peerenboom, the company became involved legally in this personal matter, triggering duties to review and produce relevant documents.

Almost a fifth of employees (18%) admit to making mistakes similar to Perlmutter's — using a work device to conduct electronic conversations (email, text, social media, or receipt of a voicemail) with their lawyers.

Attorney-client communications aren't the only types of sensitive conversations employees report having on their work devices, either. Thirty-two percent have communicated in this manner with their physicians, while 28% have done so with financial professionals.

Of course, not all personal communications conducted on work devices compromise privacy completely. Courts have certainly ruled in favor of employees in privacy disputes when companies have accessed employee data stored in personal accounts.

For example, in a 2013 case in Ohio, the court found that a supervisor who accessed a former employee's private Gmail account (which they had neglected to delete from their company-issued mobile device) had violated the Stored Communications Act of 1986 (SCA), 18 U.S.C. §2701 et seq. (1986). See, Lazette v. Kulmatycki, No. 3:12CV2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013).

To minimize the risk of lawsuits and violations of this nature, it's important that employers clearly define employees' expectation of privacy at work, and then follow those policies consistently. The fact that so many employees report that their companies don't have policies on accessing personal accounts at work — or that they don't know if policies exist — doesn't bode well for employers here.

In some jurisdictions, if an employer fails to create or enforce policies on privacy, or if they do not notify employees that communications may be monitored, they may find that employees still have a reasonable expectation of privacy.

21st Century Technical Education

Court sanctions aren't the only risk created by employee data. There's also the risk of disrupting business activities with seemingly innocuous employee habits.

For instance, 70% of employees said they use email/folders in their inbox as a filing system at work — a barrier to implementing a defensible retention policy without disrupting business activities. Educating employees about defensible deletion is critical.

The results of kCura's survey show that we have a long way to go in getting 21st century technical education to the level of 21st century technology. Employee data is putting employers at risk, and without sufficient information governance programs, the potential damage to the American workplace is substantial.

*****
David Horrigan is e-discovery counsel and legal content director at kCura. An attorney, industry analyst, and award-winning journalist, he served formerly as analyst and counsel at 451 Research and reporter and assistant editor at The National Law Journal.