Employees routinely access their personal, web-based email accounts—such as Gmail, Yahoo, or Hotmail — from work computers to send personal emails during the workday. One might think the steps of eschewing their work email account and logging into a web-based service with a private username and password would provide extra protection against disclosure of the personal emails to their employers. However, when the personal emails are sent from the employee to her attorneys for the purpose of obtaining legal advice, that may not be the case. In our inaugural Electronic Discovery Update, we highlighted opinions dealing with this specific discovery issue. See How Private Are Personal Emails?, Electronic Discovery Update, Mar. 2008, available at http://www.kramerlevin.com. As recent cases demonstrate, the law in this area has continued to develop. Specifically, the employer’s manual or computer policy may greatly impact whether the privilege and privacy protections one might otherwise expect when transmitting personal emails will extend to those transmissions.
New Jersey Precedent
In Stengart v. Loving Care Agency, Inc., No. BER-L-858-08 (N.J. Super. Ct. L. Div. Feb. 5, 2009) the New Jersey Superior Court, Law Division, held that when an employee has notice of an employer’s electronic communication policy that clearly indicates the employee has no expectation of privacy in Internet use and communications on a work computer, the employee waives the protection of the attorney-client privilege with respect to emails sent to an attorney from a work computer, even if sent using a personal, password-protected, web-based email account.
The plaintiff, a former employee at the defendant home care services company, had been issued a company laptop on which she accessed both a work email account and a personal, password-protected, web-based Yahoo email account. Plaintiff occasionally sent emails to her attorney from her Yahoo account, using her company laptop during business hours. After she tendered her resignation, the plaintiff filed a discrimination lawsuit against her former employer, alleging that a hostile workplace environment had caused her to be constructively discharged. During discovery, defendant’s attorneys sent the laptop’s hard drive for routine forensic analysis intended to recover deleted information. The analysis revealed temporary internet files containing the contents of several emails between the plaintiff and her attorney sent from the plaintiff’s Yahoo account. When the plaintiff learned during the course of discovery that the defendant had recovered the emails, she asserted attorney-client privilege and demanded the emails be returned to her or destroyed.
The court determined that the attorney-client privilege would not apply to the plaintiff’s Yahoo account emails unless the plaintiff had a reasonable expectation of privacy in the correspondence with her attorney. The court’s inquiry into the plaintiff’s expectation of privacy focused on whether her employer had provided adequate notice that such communications were not private, and chiefly involved an examination of the defendant company’s policy governing employee Internet use. The relevant portion of the policy was included in a section of the defendant’s employee handbook titled “Electronic Communication.” While the policy permitted occasional personal use of company technology, it imposed limitations on that use:
Technology resources are considered company assets and must be protected from unauthorized access, modification, destruction, and/or disclosure.
E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.
Id. at 4. The court also questioned whether the plaintiff had notice of the employer’s policy. In this case, the defendant distributed the employee handbook containing the policy in physical form to employees and also made it available electronically on the company network. The plaintiff in particular had special notice of the policy because she aided in drafting and distributing the handbook in her capacity as Director of Nursing and manager of one of the company’s branches.
The court ruled that the plaintiff did not have a reasonable expectation of privacy with respect to her Yahoo account emails, and thus that they were not protected by the attorney-client privilege, because the plaintiff had notice of the employer’s Internet usage policy, which clearly communicated that all such communications on work computers, including those sent from personal, password-protected, web-based email accounts, could not be considered private or personal to the employee.
A case decided by the Superior Court of Massachusetts further emphasizes the importance of employers’ Internet usage policies in adjudicating whether attorney-client privilege protection attaches to emails sent by employees from web-based email accounts on work computers. National Econ. Research Assocs., Inc., v. Evans, 2006 Mass. Super. LEXIS 371, No. 04-2618 BLS2 (2006), involved a dispute between the plaintiff-employer and the defendant, a former employee, arising out of the defendant’s departure from plaintiff’s company. Like the plaintiff in Stengart, the defendant-employee here was issued a company laptop. Before his departure from the firm, he discussed various legal issues relating to the termination of his employment in emails with his attorney sent from his personal, web-based Yahoo email account on his work computer. Despite the defendant’s best efforts to delete all personal information from the laptop before he returned it to his employer, a computer forensics expert hired by the plaintiff was able to uncover emails between the defendant and his attorney stored on the computer’s hard drive as temporary internet files. The plaintiff asked the court to order disclosure of the emails on grounds that they were not protected by the attorney-client privilege and that in the alternative the defendant had waived that protection by sending them from his work computer.
As in Stengart, the court’s analysis turned on the plaintiff’s policy regarding employee Internet usage, which was contained in a “Policies and Procedures Manual” available for employee review on the company’s intranet. A section of the policy titled “Computer and Communication Resources” permitted limited personal use of email and the Internet, but maintained that “[a]ll computer resources are the property of the company,” and informed employees that “to the extent permitted by law . . . the company may, from time to time and at its discretion, review any information sent or stored using these resources.” Id. at *5. Another section of the manual, titled “Information Management Policies and Procedures,” contained the policy regarding the use of work email accounts, and warned employees that network administrators can read their work email. Id. at *6. Additionally, that section informed employees that “all Internet access is logged by user” and that logs “may be kept of users’ network activities” including “logins, Internet sites visited, and electronic mail sent or received” using the company’s network. Id. at **6-7.
On the basis of the policy’s language, the court in Evans drew a distinction between emails sent by the defendant from his work and Yahoo accounts. The court reasoned that the defendant would have no expectation of privacy with respect to emails sent from his work account using the company network because the policy clearly communicated that those emails could be read by network administrators and were subject to the company’s discretionary review. While the policy also indicated that the employer would log Internet access, sites visited, and network traffic, the court found that these categories of information did not include the content of emails sent from a personal, web-based email account. The court also noted that many computer users do not know that the content of such emails could be stored on their computer hard drives as temporary internet files, and that the policy did not effectively apprise employees of this possibility. The court concluded that because the defendant had a reasonable expectation that the emails he sent to his attorney from his Yahoo account on his work computer were private, he had not waived the protection of the attorney-client privilege with respect to those emails.
In addition, the court suggested that employees would not have a reasonable expectation of privacy with respect to emails sent from personal, web-based email accounts on work computers if employers notified them that: (1) the contents of such emails are stored on the hard drives of the employees’ work computers as temporary internet files; and (2) the company reserved the right to access and read those files. Id. at *13.
While there are few cases directly discussing this novel issue, the Stengart and Evans decisions illustrate that a critical factor in determining whether an employer will be permitted to access its employee’s correspondence with an attorney sent from a work computer on a personal, web-based email account is the clarity with which the employer’s Internet usage policy communicates that such correspondence cannot be considered private or personal to the employee. The easiest way to accomplish this is by drafting and distributing a policy that notifies employees that all Internet use, communications, and email — expressly including email from personal web-based accounts — transacted on company technology is the property of the employer and subject to the employer’s review. In addition, it may be helpful to include an explanation of how the contents of such emails may be stored as temporary internet files to satisfy the stricter standard suggested by the Evans court.
On the other hand, clients who wish to ensure that email communications with their attorneys remain protected by the attorney-client privilege have a simpler task: avoid emailing their attorneys from their work computers.