This is a brief mention about yet another case, Holmes v. Petrovich, LLC, announced last week, concerning whether an employee enjoys a reasonable expectation of privacy when sending and receiving personal e-mails while using corporate resources. I last wrote about this topic in March of last year, concerning Stengart v. Loving Care Agency, 990 A.2d 650 (N.J. 2010), and in June, 2008, I discussed Quon v. Arch Wireless, a Ninth Circuit decision that established, among other things, that employers could not obtain the contents of employee emails or text messages from a service provider without employee consent, pursuant to the Stored Communications Act. And, in December, 2007, I discussed Long v. Marubeni America Corporation, 2006 WL 2998671 (S.D.N.Y., October 19, 2006), where that court held that both the attorney client and work product privileges were waived by employees using a company computer system to transmit otherwise privileged communications to private counsel, which communications were sent from private password-protected accounts (not from the employer’s email system).
In Marubeni America Corp., a cache of the emails were retained by the company’s system as “temporary internet files.” Because the company could and did obtain these emails by reviewing its own system, the court held that the waiver was created through employees’ failure to maintain the confidentiality of these communications with regard to the company’s electronic communications policy, which policy advised employees not to use the company system for personal purposes and warned that they had no right of privacy in any materials sent over the system. The court reached this result notwithstanding its factual finding that employees were without knowledge that a cache of their email communications had been retained.
In Stengart, supra, plaintiff was provided with a laptop computer to conduct company business. From the laptop, she had access to the Internet through the employer’s server, and she used her laptop to access a personal, password-protected Yahoo! e-mail account, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop. Because plaintiff, “plainly took steps to protect the privacy of those e-mails and shield them from her employer . . . us[ing] a personal, password-protected e-mail account instead of her company e-mail address and . . . not sav[ing] the account’s password on her computer,” the court ruled she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of a future lawsuit, and that defendant’s lawyers violated RPC 4.4(b) in reading those e-mails.1
Although I am a privacy advocate, I don’t mind mentioning that –in my opinion– the New Jersey Supreme Court used reasoning of dubious providence to preserve the sanctity of the attorney-client privilege. That may be laudable (in our profession), but doubtful reasoning does not provide clarity or certainty about what doctrines and principles truly govern the outcome of these cases from one jurisdiction to the next, and –as the Stengart case demonstrated– attorneys can be subject to discipline based on how a particular court chooses to view the issue.
An example of such reasoning is where the Stengart court explained:
Unbeknownst to [plaintiff], certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer’s hard drive in a “cache” folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.
Whether plaintiff knew that the browser created a cache of the Web pages she visited is irrelevant. In child pornography cases, for example, the trend has been for courts to disregard defendants’ knowledge of browser software caching, because liability should attach to defendant’s act of “reach[ing] out to the Internet through use of a web browser” to obtain the content. Ty E. Howard, Don’t Cache out your Case, 19 Berkely Tech. L.J. 1227 (2004). Likewise, an employee has relinquished dominion over information (and assumed risk) by using a company-owned computer, and volitionally placing the unencrypted information into the company’s information stream.
Moreover, plaintiff had been advised, “The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time, with or without notice. . . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.”
Yet the court ruled that “The scope of the written Policy . . . is not entirely clear.” Why? Because, said the court, the policy did not specify whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. Id. Because the Policy used “general language” to refer to its “media systems and services” but didn’t define those terms. Id. Because the policy did not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by the employer. Id.
So, let’s get this straight: To have an effective policy, and to purge an employees’ “reasonable expectation of privacy,” an employer must explicate in detail every fact scenario that is in-scope for the policy, what is meant by network media systems and services, and, further, the policy must disclose: the nature and character of the monitoring software that is in use by the company, the inherent caching functionality of the browser software that is installed on the workstations throughout the enterprise; and an explanation of how the operating system stores files and [fails to] delete files?
Yet, just one year earlier, a lower New Jersey appellate court, citing several federal cases, ruled “we conclude that defendant had no reasonable expectation of privacy in the personal information stored in his workplace computer.” State v. M.A., 402 N.J. Super. 353 (App. Div. 2008) (which has not been overruled). If you read that decision, much emphasis is placed upon the fact that the computer was owned by the company, and that employees were warned that the company reserved the right to monitor communications –facts no different than Stengart. Indeed, the only difference is that in State v. M.A., the court found that, even if defendant had a subjective reasonable expectation of privacy [as later was conferred to plaintiff in Stengart], he lost that expectation because he was using the computer for criminal activity (“A burglar plying his trade in a summer cabin during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one which the law recognizes as ‘legitimate'”).
Last week, the California court in Petrovich, supra, which considered Stengart, and distinguished Stengart as a dissimilar fact situation, ruled that an employee who used the employer’s computer and corporate e-mail account (in violation of corporate policy) to communicate with her lawyer, and having been advised that the employer randomly monitors e-mail usage, was analogous to the employee consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard.
____________________
1Curiously, even `though the court did not formally refer the matter to attorney regulation counsel, and even `though a violation of the Rules of Professional Conduct does not give rise to a private cause of action, the court remanded the case back to the trial court to fashion an “appropriate remedy,” on the basis of the violation.