Employee E-Mail on Employer\'s Computer System May Still Be Private

April 7, 2010

By: Sanjeeve K. DeSoyza

Last week, the New Jersey Supreme Court ruled that an employee has a reasonable expectation of privacy in communications with her lawyer via a personal, password-protected e-mail account, even if accessed on company-issued computer equipment. In Stengart v. Loving Care Agency, Inc., a forensic expert was hired by Loving Care to image Stengart’s laptop after she left her position and filed a lawsuit against the company. In the process, several e-mails exchanged between Stengart and her lawyer through her personal Yahoo e-mail account, were retrieved. The e-mails were reviewed by Loving Care’s counsel, and at least one was utilized in responding to discovery demands. The trial court found no violation of the attorney-client privilege, ruling that Loving Care’s electronic communications policy placed Stengart on sufficient notice that her e-mails were considered company property. However, an intermediate appellate court reversed. It found that the attorney-client privilege applied to the e-mails and ordered the return of the e-mails. In addition, it sent the case back to the trial court for a hearing on potential sanctions against counsel.

After Loving Care appealed those rulings, New Jersey’s highest court agreed, finding that Stengart had a subjective expectation of privacy because she took steps to protect her e-mails, sending them from her personal, password-protected account and not saving her password to the computer. Several factors also convinced the Court that her expectation of privacy was objectively reasonable. For one thing, the precise scope of the company’s e-mail policy was unclear. It did not address use of personal web-based e-mail accounts on company equipment nor did it warn employees that e-mails sent through personal accounts could be forensically retrieved and reviewed. And although the policy provided that e-mails were not to be considered private and confidential, it nevertheless permitted “occasional personal use”, thereby creating ambiguity as to whether personal e-mail was company or private property. The Court also found it significant that the e-mails did not constitute illegal or inappropriate material stored on company equipment, and that the e-mails from Stengart’s attorney included a standard notice as to the personal, confidential, and, possibly, attorney-client nature of the communication. Because Stengart reasonably expected her e-mails would remain private, the court concluded, the attorney-client privilege protected those e-mails from disclosure and no waiver occurred. The Court then expanded on its ruling, declaring that even if a policy expressly banned all personal computer use and unambiguously notified employees that the company could retrieve and read their attorney-client communications sent via a personal, password-protected e-mail account on company equipment, it would nevertheless be outweighed by the public policy concerns underlying the attorney-client privilege and rendered unenforceable.

The New Jersey decision is not binding precedent in New York, although it could be influential. Neither the Second Circuit nor New York’s Court of Appeals have addressed this issue. However, in Scott v. Beth Israel Medical Center, a New York trial court found no privilege where the attorney-client e-mails were exchanged via a company-issued e-mail address on company equipment. In that case, however, the employer’s e-mail policy – which expressly banned any personal e-mail use and further provided that any e-mails received or sent using company equipment were company property – was “critical” to the Court’s decision.

New York employers who permit some personal e-mail use should consider taking a proactive approach by revising their existing technology policies with the Stengart and Scott decisions in mind. Suggested revisions include expressly notifying employees that all e-mails sent or received using company equipment may be reviewed at the company’s discretion, and that all materials accessed, created, received or sent on company-issued computer equipment, including e-mail communications, may remain stored on that equipment even after deletion and retrieved by the employer. Employers should also establish protocols and train appropriate employees in handling potentially privileged communications that may turn up in the course of electronic monitoring.