Many employers have policies that limit use of the company’s e-mail system and Internet access to company business. Despite these policies, employees routinely use their employer’s e-mail system and Internet access for personal business, and even for communicating with their attorneys. Courts have ruled that, if the employer has a policy reserving the use of company-owned computers and Internet access for business reasons only, employees have no right to privacy in their e-mail messages.
Some employees are careful not to use the company e-mail system for personal communications, but use company equipment, such as laptop computers issued to the employee, to send messages to their attorneys through personal e-mail accounts such as Yahoo®, Google® or AmericaOnline®. When the employee leaves the company, does the employer have the right to search the employee’s computer or the company’s server for personal messages, especially if they were not sent or received through the company’s e-mail system? And what if some of those messages involved communications between the employee and his or her private attorney? Normally such communications would be privileged, but if they are on the employer’s computer or e-mail system, has the employee/client waived the privilege?
The attorney-client privilege may be waived voluntarily by the client, or it may be waived involuntarily through “carelessness.” Most courts have ruled that if an employer states that all employee communications may be monitored and that employee use of these services is limited to work-related communications, then the employee has no general expectation of privacy in e-mails or Internet use and the privilege is waived. But several courts have made an exception for communications between employees and their private attorneys, particularly if the employee used his or her private Internet service provider (ISP) rather than the employer’s.
When is the privilege waived?
E-mails found to be privileged. Courts have ruled that e-mails to an employee’s attorney are privileged if the employee used a private ISP account rather than the employer’s ISP, if the employer had not consistently enforced its computer use policy, or if the employee worked from home. For example, in Curto v. Medical World Communications, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006), Curto filed an EEOC charge against her employer after she was discharged. Curto had worked from home, and had used two company-owned laptops to send e-mails to her attorneys concerning the possibility of suing her employer. Before she returned the laptops to the company, Curto deleted all personal files and her e-mail communications to her attorneys. During the discovery process for her lawsuit, the company hired a consultant who was able to reconstruct the deleted communications between Curto and her attorneys.
The magistrate judge supervising the discovery process ruled that the e-mails were privileged, noting that this employer had rarely exercised its right to inspect employee computer files and thus had “lulled [the employees] into a ‘false sense of security’” with respect to personal use of company equipment and Internet access. Because the employee had worked from home, it was even less likely that the employer would monitor her e-mail use.
Two Massachusetts state court cases reached similar conclusions. In National Economic Research Associates, Inc. v. Evans, 21 Mass. L. Rptr. 337 (Mass. Super. 2006), Evans, an employee, used his employer-issued laptop to communicate with his attorney about his planned resignation, but used his personal Yahoo® account. Evans was unaware that the laptop’s system captured a “screen shot” of every communication onto the computer’s hard drive. Although Evans deleted all of his personal files before returning the laptop to NERA upon his resignation, and even ran a special program to clean the hard drive, the “screen shots” survived. After Evans’ resignation, his former employer retained a computer expert to retrieve information from the laptop he had returned.
NERA had a computer and Internet use policy that informed employees that their messages could be retrieved. The judge reasoned that this policy gave Evans fair warning that the company had the right to monitor the e-mails he sent and received using the company’s e-mail system, but did not notify Evans that the company could monitor communications sent using a personal e-mail account. Evans’ efforts to preserve the confidentiality of these messages (deleting all personal files and e-mails, using a program to clean the hard drive) supported the finding that these communications were privileged.
In TransOcean Capital, Inc. v. Fortin, 21 Mass. L. Rptr. 597 (Mass. Super. 2006), Fortin, a TransOcean employee, used the company’s e-mail system to send a memo to his attorney. TransOcean did not have its own computer use policy, but claimed that the computer use policy of a consulting firm that managed TransOcean’s employment relations and payroll issues applied to Fortin. The court found that TransOcean had not formally adopted the consulting company’s policy, nor had it informed any employees that they were subject to this policy. It was not reasonable to expect that Fortin would have understood that personal e-mails sent using his company e-mail address were not confidential; the court ruled that the e-mails were privileged.
E-mails found unprivileged. In Long v. Marubeni America Corporation, 2006 WL 2998671 (S.D.N.Y. Oct. 19. 2006), two employees used the company’s e-mail system and computers to communicate with their attorney. The company’s computer use policy stated that employees “have no right of personal privacy in any matter stored in, created, or sent over the e-mail… and/or Internet systems” provided by the company. Furthermore, the company sent annual reminders to its employees about its computer use policy. The court ruled that the attorney-client communications were unprivileged.
In Kaufman v. SunGard Inv. System, 2006 WL 1307882 (D.N.J. May 10, 2006), Kaufman used two company laptop computers, and the company’s e-mail system, to communicate with her attorney about litigation against SunGard. She returned the computers to SunGard but deleted certain files. During the discovery process, SunGard’s computer technician retrieved e-mails between Kaufman and her attorney. The judge ruled that the messages were unprivileged because the company had an explicit policy that all communications using its computers and e-mail system were subject to monitoring by the employer.
Federal and state law issues. Federal law prohibits the interception or retrieval of stored e-mail communications under certain circumstances. The Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§2510-2522, has been used to challenge employers’ retrieval of employees’ messages to their personal attorneys. Because the ECPA exempts employer-provided e-mail and Internet systems from its requirements, the federal courts have refused to apply it to e-mail created or stored on the company’s system by an employee if the employer provides the Internet system rather than using a commercial ISP. Fraser v. Nationwide Mutual Insurance Co., 352 F.3d 107 (3d Cir. 2003) is an example of such a case. But another federal court applied the ECPA to an executive who instructed his subordinates to intercept customers’ e-mails intended for another company in order to obtain a competitive advantage by learning what books they were ordering. In U.S. v. Councilman, 418 F.3d 67 (1st Cir. 2006)(en banc), the court ruled that the executive could be indicted under the criminal provisions of the ECPA. While Councilman involved the interception of e-mails from non-employees, it demonstrates that employers need to be cautious about the requirements of the ECPA, and to seek legal advice before intercepting e-mail messages.
In addition, some states, such as Connecticut and Delaware, require employers to give employees advance notice that their electronic communications will be monitored, even if the employer is exempt from the provisions of the ECPA. Therefore, employers should confer with counsel before implementing monitoring or retrieval systems.
Suggestions for Employers
- Establish a policy that any message created on or sent through the company’s computer network and/or company-owned computers is subject to monitoring, and that employees have no expectation of privacy in such communications. Notify employees at least annually of this policy in writing and obtain their signatures acknowledging their receipt and understanding or, at a minimum, a “read” receipt if the notice is sent to employees via e-mail.
- Consider creating a similar message that appears each time the employee logs onto the company’s Internet or e-mail system.
Consider including in your policy a statement that the company’s computer system captures “screen shots” of 1) all communications using the company’s computers, even if not connected to the company’s Internet service system and even if using a personal e-mail account and 2) all communications using the company’s e-mail system, even if created on a non-company owned computer.
Before reviewing allegedly “private” employee e-mail, go through the following steps:
- review the company’s computer use policy;
- make sure that the employee received and signed a statement acknowledging receipt and understanding of the policy and that a copy has been retained;
- ascertain whether the company has allowed private use of computers by employees without attempting to monitor or halt the practice;
- ascertain whether the computer use policy has been enforced; and
- consult legal counsel concerning the advisability of seeking judicial review of whether the e-mail can lawfully be retrieved and reviewed (and if the company maintains offices outside of the United States, counsel familiar with foreign privacy laws should be consulted).