The plaintiff, a nursing manager at Loving Care, was preparing for employment discrimination litigation against her employer when she sent e-mails to her attorney about the case using a personal, password-protected, web-based e-mail account from Yahoo from her employer-issued laptop. In anticipation of discovery, Loving Care hired a computer forensic expert to recover all files stored on the laptop, and the expert turned up copies of some of the e-mails that, unbeknownst to the plaintiff, her web browser had automatically saved to the computer's hard drive. Loving Care's attorneys reviewed the e-mails and used information from them during discovery, which was revealed to the plaintiff's attorney later in the case, who then sought to have them returned under the attorney-client privilege.
Loving Care argued that its electronic communications policy, which allowed employees incidental personal use of its computer systems but reserved the right to "review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice," eliminated any expectation of privacy the plaintiff might have had in the e-mails stored on the computer. Nevertheless, the court found that the plaintiff had a reasonable expectation of privacy for three reasons:
- The plaintiff had a subjective expectation of privacy due to the fact that she used a personal, and not the company, e-mail account to send the messages to her attorney, and did not store her password on the computer.
- The plaintiff's expectation of privacy was objectively reasonable, given that her employer's policy did not address the use of private web-based e-mail accounts, even allowing incidental use of employer computers to send and receive personal e-mail.
- Most importantly, the e-mails clearly were subject to the attorney-client privilege, and contained a standard warning that their contents were confidential and subject to the privilege.
The court went on to hold that, given the public policy concerns underlying the attorney-client privilege, "even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company' computer system -- would not be enforceable." The court, however, noted that an employee could still be sanctioned under an employment policy for spending excessive time communicating with a personal attorney during the work day, though the employer should still not be able to access the content of the communication.
The court zeroed in on the attorney-client-privileged nature of the e-mails, and the privilege played a large role in the final disposition of the case. The court did not address whether Stengart would have had a reasonable expectation of privacy with respect to personal e-mail communications with a non-lawyer. Nor did the court suggest that Stengart had a cause of action against her employer for an invasion of privacy, which would have required a showing that the e-mail review was "highly offensive to a reasonable person". The issue was whether a discovered e-mail communication deserved protection under the attorney-client privilege.
While limited in jurisdictional breadth to New Jersey, Stengart is one of the first cases of its kind, and courts in other states could be tempted to follow it . This could especially be the case as employee use of personal, web-based e-mail in the workplace becomes more common, with many employers relaxing their electronic communications policies to allow for "incidental" use of employee computer systems for personal reasons.
Thus, the case suggests the following:
- Make clear in an acknowledged policy that employees have no expectation of privacy in their use of company computers, whether connected to the network or not, even where "incidental" personal use is allowed.
- Make clear in such a policy that employers retain the right to monitor employees' use of employer resources, including the sending and receiving of personal, web-based e-mail, and explain that e-mails sent through a personal web-based e-mail account can end up being stored on company equipment and suject to review consistent with state law.
- Prohibit the use of company resources to communicate with a personal lawyer and advise employees that they can be disciplined for violations (and all violations of the electronic resources policy). Companies are not required to allow employee use of company equipment to plan litigation against the company.
- For employers that permit "incidental" personal use of computer systems, emphasize that any use of company computers or electronic resources that rise above the level of "incidental" personal use and affect employee productivity can lead to sanctions under the policy, though this provision must be enforced uniformly and in a non-discriminatory manner.
- Instruct company employees who monitor electronic communications not to review personal attorney-client privileged communications but, rather, to bring such communications to the attention of in-house counsel to review in accordance with the applicable ethical rules regarding waiver.
While Stengart is noteworthy, it did nothing to fundamentally alter the well-established principle that employers retain the right to monitor employee use of company equipment and that they can , through a well-crafted policy, reduce employees' privacy expectations.