In previous Electronic Discovery Updates, we examined the developing issue of whether the attorney-client privilege protects emails between an employee and her attorney sent from the employee’s personal, web-based, passwordprotected email account — such as a Yahoo!, Gmail, or Hotmail account — but accessed on a work computer. In Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010), the New Jersey Supreme Court became one of only a handful of courts in the country to reach this issue, upholding an appellate ruling that an employee did not waive the protection of the attorney-client privilege with respect to personal emails sent to her attorney from a company-issued laptop because she had a reasonable expectation that the correspondence would remain private. The court’s decision includes a lengthy critique of the employer’s electronic communications policy, which it deemed vague and ambiguous. The decision provides guidance to employers and counsel faced with the challenge of drafting effective, enforceable policies that ensure sufficient employer oversight and control over company computer systems, while acknowledging the modern reality that most employees put their employers’ computers to at least occasional personal use.
The plaintiff in Stengart, a former employee of the defendant home care services company, had been issued a company laptop on which she occasionally accessed her personal, password-protected Yahoo! email account to correspond with her attorney regarding a dispute with her employer. The plaintiff eventually resigned and brought an employment discrimination lawsuit against the company. In anticipation of discovery, defendant’s counsel sent the plaintiff’s company laptop to an expert for forensic analysis that recovered emails between the plaintiff and her attorney about the dispute that had been automatically stored in the computer’s memory in a cache of temporary internet files. When the plaintiff learned that the defendant had recovered the emails, she asserted attorney-client privilege and demanded the emails be returned to her or destroyed.
In February 2009, the New Jersey Superior Court, Law Division, ruled that the plaintiff had waived the protection of the attorney-client privilege by sending the emails on her company-issued computer. Stengart v. Loving Care Agency, Inc., No. BER-L-858-08 (N.J. Super. Ct. L. Div. Feb. 5, 2009). The court determined the plaintiff could not have had a reasonable expectation of privacy in the emails in light of the company’s written electronic communications policy that, according to the Law Division, clearly communicated that such emails were company property.
On appeal in June 2009, the New Jersey Superior Court, Appellate Division, reversed the trial court’s decision and ordered defendant’s counsel to return all copies of the emails and destroy any record of them. Stengart v. Loving Care Agency, Inc., 973 A.2d 390 (N.J. Super. Ct. App. Div. 2009). Unlike the trial court, the Appellate Division found that based on ambiguities in the written policy, defendant’s employees could retain an expectation of privacy in personal emails sent from work computers. Furthermore, the Appellate Division held that the strong public policy in favor of protecting the confidentiality of attorney-client communications outweighed the employer’s interest in enforcing the policy.
In March 2010, the New Jersey Supreme Court affirmed and modified the Appellate Division’s judgment, holding that the attorney-client privilege protected the plaintiff’s emails from disclosure and that, under the circumstances of the case, the plaintiff could have had a reasonable expectation that the emails would remain private. Stengart v. Loving Care Agency, Inc., 990 A.2d 650, 654 (N.J. 2010).
Determining the Reasonableness of Employees’ Expectations of Privacy
As in the prior Stengart decisions, the Supreme Court’s determination of the application of attorney-client privilege turned on whether the plaintiff had a reasonable expectation of privacy in the personal emails sent from her work computer. Borrowing a similar standard from tort law, the court reasoned that an employee’s expectation of privacy in her email communications must be both subjectively and objectively reasonable. In addition, the court acknowledged that “whether an employee has a reasonable expectation of privacy in her particular work setting must be addressed on a case-by-case basis.” Id. at 660.
Lacking relevant New Jersey precedent, the court culled a number of factors useful in the determination of the reasonableness of an employee’s expectation of privacy from analogous decisions in other jurisdictions:
- Whether the employer has a policy banning personal or objectionable use of work computers;
- Whether the company monitors employee use of work computers or email;
- Whether third parties have a right to access employees’ computers or email;
- Whether employees were notified or aware of the relevant policies;
- Whether the work computer in question was accessed from the employee’s home rather than the company’s office, which might make an expectation of privacy more reasonable; and
- Whether the email in question was sent from a web-based, personal email account rather than an employer-provided account, which might make an expectation of privacy more reasonable.
Id. at 662-63.
While the court considered a number of the above factors in finding the plaintiff’s expectation of privacy reasonable in Stengart, and noted that no single factor alone was dispositive of the issue, the court emphasized that its analysis principally focused on two issues: first, “the important public policy concerns raised by the attorney-client privilege,” which it found applicable here given the nature of the attorney-client communications at issue, and second, the degree to which the employer’s written policy gave employees notice that their personal email communications on work computers might be monitored by their employer or otherwise rendered not private. Id. at 659.
Electronic Communications Policy Critical in Determining Reasonableness of Expectation of Privacy
Analyzing the language of the employer’s electronic communications policy, the court concluded that the policy was vague, ambiguous, and unclear, and determined that as a result, an employee reading it could have a reasonable expectation in the privacy of personal email sent from work computers. Id. at 659, 663. The court noted a number of the policy’s ambiguities and deficiencies:
- The policy failed to address personal email accounts, giving employees no express notice that email sent or received on a personal, web-based account on a work computer would be subject to employer monitoring; n While the policy expressly reserved the defendant’s right to review and access “all matters on the company’s media systems and services at any time,” the policy failed to define the terms “media systems and services”;
- While the policy prohibited some uses of the “email system,” it was not clear whether “email system” referred only to the company’s own email system or included personal email accounts as well;
- The policy failed to communicate to employees that emails from their personal, web-based accounts could be stored on a work computer’s hard drive and later “forensically retrieved” and read by their employer; and
- While the policy stated that “emails are not to be considered private or personal to any individual employee,” it incongruously permitted “[o]ccasional personal use [of email].”
Id. at 659.
Applying the relevant “expectation of privacy” factors listed above to the instant case, the court found the plaintiff had both a subjectively and objectively reasonable expectation of privacy in the emails sent to her attorney. The plaintiff’s use of a personal, password-protected email account instead of her company account, and decision not to save her personal account’s password on her work computer, both indicated her subjective expectation that the communications remain private. As evidence that her expectations were objectively reasonable, the court pointed to the ambiguous language of the policy and the attorney-client nature of the emails.
Id. at 663.
Drafting Electronic Communications Policies After Stengart
While the Stengart decision is only binding in New Jersey, it provides guidance on crafting effective, enforceable electronic communications policies to employers in jurisdictions where this novel issue of law has yet to be decided. By pointing out the deficiencies in the employer’s written policy, the court in Stengart emphasized the importance of clarity above all in crafting effective policies. Employers should draft policies that:
- Unambiguously and expressly enumerate all prohibited conduct;
- Provide clear definitions of all potentially ambiguous terms; and
- Describe any employer monitoring or surveillance in a way that communicates to employees without technical training all the ways in which their use of work computers is not private (for example, providing an explanation of how employee web activity can be captured in temporary internet files and may be later reviewed by the employer).
However, it is important to note that under Stengart even a crystal clear electronic communications policy may not trump the protection of the attorney-client privilege and permit an employer to retrieve and read personal emails sent by an employee to an attorney from a work computer. “Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual . . . that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorneyclient communications . . . would not be enforceable.” Id. at 665.
According to the court in Stengart, employers wishing to limit or prohibit such communications may certainly draft policies to that effect; the proper remedy for violations of corporate policy, however, is the exercise of appropriate discipline or termination, not access to the contents of offending communications that would otherwise enjoy the protection of the attorney-client privilege. Id. at 665.
For employees seeking to avoid disclosure of email communications with their attorneys, of course, the simplest solution remains waiting until they are at their own personal computers before clicking send.