Employee Privacy Expectations

It is strongly recommended that an Internet Acceptable Use Policy be developed and communicated to all employees when an organization begins using an Internet monitoring or web filtering product.

The New Jersey Supreme Court issued an opinion in Stengart v. Loving Care Agency, Inc. considering whether an employee had a reasonable expectation of privacy in emails she exchanged with her attorney via her web-based personal email account using a company laptop. In concluding that the former employee did have an expectation of privacy, the Court analyzed the adequacy of the notice provided by the company’s electronic communications policy and the important public policy concerns raised by the attorney-client privilege.

The employee, Marina Stengart, was the company’s executive director of nursing. The company provided her with a laptop computer to conduct company business. From that laptop, Stengart could send e-mails using her company e-mail address; she could also access the Internet and visit websites through the company’s server. Unbeknownst to Stengart, certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer’s hard drive in a “cache” folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive. Stengart used the company laptop to access a personal, password-protected e-mail account on Yahoo’s website, through which she communicated with her attorney regarding a possible discrimination lawsuit against the company. Not long after, Stengart left her employment with Loving Care, returned the laptop, and filed a discrimination suit. The employer then pulled the emails off the laptop’s hard drive and used them to prepare a defense to the discrimination suit. Stengart argued that the emails were protected by the attorney-client privilege.

The Court found the company’s electronic communications policy did not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the policy stated that the company may review matters on “the company’s media systems and services,” those terms are not defined. The Court also found that the prohibition of certain uses of “the e-mail system” appears to refer only to a company e-mail account, not personal accounts. Similarly, the policy gives employees no warning that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. Coupled with the fact that the policy permitted “occasional personal use” of e-mail, the Court found that the policy, as written, created an ambiguity about whether personal e-mail use is company or private property.

Employers should consider the wording of their email policies based on the outcome in Stengart. At minimum, Stengart provides that employers who wish to review computer forensics that contain emails employees send via private web-based accounts will need to provide employees with a specific and detailed notice that the company may do so. However, the Court held that, while employers may adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business, they have no basis to read the contents of employees’ personal, privileged, attorney-client communications sent via personal web-based email. The Court noted that other courts in Pennsylvania and New York have concluded that employees have a lesser expectation of privacy when they communicate with an attorney using a company e-mail system as compared to a personal, web-based account like the Yahoo account used by Stengart. As a result, courts might treat e-mails transmitted via an employer’s e-mail account differently than they would web-based e-mails sent on the same company computer.

Pearl Software’s products provide settings to protect privileged transactions in all managed e-communications. In addition, Pearl Echo includes a copy of a generic Acceptable Use Policy that companies can adapt for their own use. Optionally, if content is blocked, Pearl Echo can display a copy of the organization’s AUP.

Link: Sample Internet Acceptable Use Policy
