On March 30, 2010, the New Jersey Supreme Court ruled that attorneys for an employer violated the privacy rights of a former employee and the rules of professional conduct by reading e-mails the employee sent to her counsel on a company laptop through her personal password protected e-mail account. Stengart v. LovingCare Agency, Inc. 2010 WL 1189458 (N.J. March 30, 2010).
Stengart was LovingCare’s Executive Director of Nursing. She filed suit against the Company and several individuals for among other things, alleged constructive discharge because of a hostile work environment, retaliation and harassment based on gender, religion and national origin. On several days in December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's Web site, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop. Not long after, Stengart left her employment with LovingCare and returned the laptop. On February 7, 2008, she filed the lawsuit.
In an effort to preserve electronic evidence for discovery, in or around April 2008, LovingCare’s lawyers hired experts to create a forensic image of the laptop's hard drive. Among the items retrieved were temporary Internet files containing the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account. LovingCare’s lawyers read the e-mails and intended to use them in their defense.
A legend appeared at the bottom of the e-mails that Stengart's lawyer sent. It warned readers that
THE INFORMATION CONTAINED IN THIS E-MAIL COMMUNICATION IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENT NAMED ABOVE. This message may be an Attorney-Client communication, and as such is privileged and confidential. If the reader of this message is not the intended recipient, you are hereby notified that you have received this communication in error, and that your review, dissemination, distribution, or copying of the message is strictly prohibited. If you have received this transmission in error, please destroy this transmission and notify us immediately by telephone and/or reply e-mail.
Stengart’s lawyer argued that the e-mail communications were private and attorney-client privileged. LovingCare’s counsel argued that Stengart had no expectation of privacy in the e-mails, and that the attorney-client privilege was waived because of a company policy that provided in pertinent part:
The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice.
E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.
The principal purpose of electronic mail (e-mail) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.
The New Jersey Supreme Court held that the scope of the policy was unclear: “It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its ‘media systems and services’ but does not define those terms.” The court noted that elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. Based on its interpretation of the Policy, the court found that “employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.”
The court further observed that the Policy did not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care. Although the Policy declared that e-mails “are not to be considered private or personal to any individual employee,” the court noted that the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” The court concluded that “[a]s written, the Policy creates ambiguity about whether personal e-mail use is company or private property.”
The court turned to the issue of whether Stengart had a reasonable expectation of privacy in the e-mails. This standard derives from the common law and the search and seizure clauses of the U.S. and New Jersey Constitutions. Because this case involved private parties only, the court did not use a constitutional analysis. Instead, it focused on the common law tort of “intrusion on seclusion.” The Restatement (Second) of Torts provides that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” This cause of action has both subjective and objective components.
After reviewing case law from other jurisdictions, the court concluded that Stengart had a reasonable expectation of privacy in the e-mails she exchanged with her attorney on the company laptop. She took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer. According to the court, “she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit.”
The court also observed that the e-mails were not illegal or inappropriate material stored on Loving Care's equipment, which might harm the company in some way. “They are conversations between a lawyer and client about confidential legal matters, which are historically cloaked in privacy. Our system strives to keep private the very type of conversations that took place here in order to foster probing and honest exchanges.” Additionally, the court focused on the warning contained in the e-mails from Stengart’s lawyer: “While a pro forma warning at the end of an e-mail might not, on its own, protect a communication . . . other facts present here raise additional privacy concerns.” The court concluded that “[i]n light of the language of the Policy and the attorney-client nature of the communications, her expectation of privacy was also objectively reasonable.”
The court was careful to point out the limitations of its ruling:
Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy. . . For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual-that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system-would not be enforceable.
In addition to ruling that Stengart had an expectation of privacy with respect to the e-mails, the court ruled that the company’s attorneys violated the rules of professional conduct by not notifying Stengart’s lawyer immediately when it discovered the nature of the e-mails. The court therefore remanded the case to the trial court to determine appropriate sanctions and for further proceedings.
Although the Stengart case is unique because of the arguably ambiguous language of the e-mail policy, the fact that attorney-client communications are privileged, and the employee’s use of a private password-protected e-mail account, it serves as a wake-up call to employers to review their policies and practices in this area. The Arent Fox Employment Law Group regularly advises clients with respect to these and other employee privacy matters. Please feel free to contact us if you have any questions.