Baer Business Law – Greater Philadelphia Area – Intellectual Property Law – Business Law – E Commerce – Contracts – Trademarks – Copyrights

In late June I made a post on this blog about the verdict in Pietrylo v. Hillstone Restaurant Group, a closely watched case in which an employer was required to pay back pay and punitive damages for improperly accessing a password-protected employee discussion group on MySpace. The case was (wrongly, I believe) hailed as an important victory for employees’ online privacy rights. In my view, the result would have been different if the employer had handled the investigation more thoughtfully. Having a well drafted Internet use policy distributed to and properly acknowledged by employees would have helped as well.

On June 26, shortly after the Pietrylo verdict, another court (also in New Jersey) handed down a ruling which, at first glance, seems to be an even more emphatic vindication of employee online privacy rights against the prying eyes of Big Brother. You can check out the New Jersey Superior Court, Appellate Division’s opinion in Stengart v. Loving Care Agency, Inc., Docket No. A-3506-08T1, here.

In Stengart, an employee considering legal action against her employer used an employer-provided computer to send e-mails to her attorney through her personal Yahoo account. After the computer’s hard drive was imaged, the employer’s law firm read these e-mails but did not alert the plaintiff’s counsel that it had possession of them. A lower court ruled that, based on the employer’s purported adoption and distribution of an electronic communications policy which supposedly made all communications sent via corporate IT resources its “property,” the plaintiff had no expectation of privacy in the e-mails, and they were not protected by the attorney-client privilege.

The appellate court reversed, and in so doing, filled its opinion with lofty language sure to warm the hearts of privacy advocates and raise doubts about the effectiveness of Internet and computer use policies. For example:

“A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest…. When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in [certain cases involving a suspicion that the employee had committed fraud or accessed child pornography] — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.”

On closer examination, however, there is less here than meets the eye. On August 19, I made a guest post on Tech Target’s IT Knowledge Exchange giving a detailed legal analysis of the case. Let me just hit the high points here:

1. The employer’s electronic communications policy was badly drafted, made contradictory statements about the allowance of personal communications, and may not even have been in effect. The lower court did not conduct an evidentiary hearing about the adoption, applicability or objective interpretation of the policy.

3. The attorney-client privilege is sacred, particularly in New Jersey, as I know from prior work experience there. As the court admitted, the real issue in the case was not defining the scope of employee online privacy, but rather whether the plaintiff should suffer the draconian penalty of losing her attorney-client privilege in her e-mails with her attorney. Any broader reading of the language quoted above is legally non-binding.

While courts will probably strain to avoid finding a waiver of the attorney-client privilege, a properly drafted and disseminated Internet and computer use policy (for example, emphasizing the employer’s right to monitor and access both work-related and personal communications made using the employer’s IT resources, as opposed to claiming personal communications as the employer’s “property”) remains legal and enforceable. Where such a policy is in place, there is no all-encompassing right to privacy in personal communications transmitted through corporate IT resources.

Please understand where I am coming from: I am NOT advocating, as a normative principle, unlimited employer intrusion into private employee communications. (I have actually been criticized for supposedly being a legal apologist for Big Brother!) With the nine-to-five workday increasingly a thing of the past, most employees have a need to conduct a limited amount of personal business while at work. A well balanced Internet and computer use policy will acknowledge this reality.

With that said, however much I identify with Philadelphia’s heritage of individual liberty, I am not a paid professional civil libertarian. I am a technology lawyer engaged by businesses to help them sleep at night. In this capacity, I recommend that organizations adopt a reasonable Internet and computer use policy that clearly and unambiguously announces the scope of the employer’s monitoring/access rights and is carefully drafted to avoid or win litigation based on an asserted “expectation of privacy.” How much to monitor or access is a cultural and resource-driven decision that needs to be made by each organization.

The Pietrylo and Stengart cases are important pieces in the puzzle, but are more revealing as case studies in failure to use best practices than as some sort of Magna Carta of employee online privacy.