A recent New York state court decision emphasized the importance of creating, applying and enforcing e-mail policies when it held that a physician’s e-mails to his personal attorney on the hospital-employer’s computer system were not privileged and, thus, could be used by the employer in defense of litigation with the physician. Scott v. Beth Israel Med. Ctr. (N.Y. Sup. Ct. Oct. 17, 2007). The Court’s decision relied on the hospital’s comprehensive e-mail policy, which established that:

  • Computers and e-mails “should be used for business purposes only;”
  • Employees were on notice that there were “no personal privacy right[s]” in material “created, received, saved, or sent” using the hospital computer system; and
  • The hospital retained the “right to access and disclose” any electronic communications on its computer system without notice.


A physician employed by a New York hospital filed a lawsuit against the hospital for breach of his employment contract. The stakes were high, as the physician sought nearly $14 million in severance pay. While the lawsuit was pending, the physician used the hospital’s computer system to e-mail his personal attorney about his termination from the hospital. Soon afterward, the physician learned that the hospital possessed copies of these e-mails. Immediately, the physician sought a protective order, arguing that the e-mails were protected by the attorney-client privilege. The hospital countered, claiming the e-mails were never privileged due to the physician’s violation of the hospital’s e-mail policy.


Focusing on the terms of the hospital’s e-mail policy noted above, the court ruled in favor of the hospital and against the physician’s privilege claims. The court noted that the attorney-client privilege does not apply if the employer: (1) maintains a “policy banning personal or other objectionable use;” (2) monitors the “use of the employee’s computer or email;” and (3) ensures that its employees are aware of the “use and monitoring policies.” It concluded:

“A no personal use policy combined with a policy allowing for employer monitoring and the employee’s knowledge of these two policies diminishes any expectation of confidentiality.”

Implications for Employers

This case provides yet another reason for employers to carefully craft, implement, and enforce e-mail (and other technology) policies – and then review and update these policies on a regular basis. In doing so, employers should ask themselves the following questions:

1. Do you have an electronic communications policy in place?

2. If so, does the policy:

  • Prohibit (or at least limit) personal use of the employer’s computer system?
  • Allow the employer to have access to, or monitor, the employee’s e-mail?
  • Clearly state that the employer owns the computer system and network, and that there are limits on the employee’s privacy rights when using them?
  • State how violations will be treated?

3. Has the policy been adequately communicated to employees?

  • Are hard copies of the policies easily accessible?
  • Do employees receive a copy of the policy?
  • Are there training sessions explaining the policy?
  • Are employees required to sign a form acknowledging that the policy has been received and read?

In addition to avoiding claims of privilege like that in the Scott case, employers who can answer “yes” to the questions above will be better equipped to defend against invasion of privacy claims, monitor for non-work-related use of company computer systems, enhance employee productivity, and reduce the risk of liability for employee misuse of company computer systems (e.g., sending harassing e-mails, disclosing confidential information, or downloading inappropriate content).