Your company’s Internet use policy may need a little “loving care” after the New Jersey Supreme Court’s predictably iconoclastic ruling in Stengart v. Loving Care Agency, Inc., 2010 N.J. LEXIS 241 (March 30, 2010), which recognized a limited employee right to privacy in e-mails sent from a password-protected personal Yahoo account using a work computer.
The facts of Stengart are simple. Ms. Stengart brought an employment discrimination suit against her home-nursing company employer, Loving Care (great name, that) and exchanged e-mails with her attorney through a web-based personal Yahoo account that she accessed from a company-issued laptop. In the course of the discovery process the employer’s counsel imaged the laptop’s hard drive and found the e-mails, but did not promptly notify Ms. Stengart’s counsel and turn over the e-mails, as required by New Jersey’s attorney ethics rules. Although the employer purportedly maintained an Internet use policy that indicated “e-mail” and Internet use was the company’s property and could be monitored, the policy was poorly drafted and internally inconsistent, stating at the same time that occasional personal use of work computers was permitted.
The New Jersey Supreme Court held that, given the lack of clarity in the policy that appeared to invite some personal activity, and the fact that the policy did not refer specifically to employer monitoring of password-protected, web-based e-mail usage, Ms. Stengart had not been adequately placed on notice of her employer’s claimed right to monitor. Therefore, under the New Jersey constitutional and common law of privacy, she retained an objectively and subjectively reasonable expectation of privacy in her Yahoo account (i.e., that it fell outside the scope of the monitoring described in the Internet use policy), which Loving Care violated when its lawyers retrieved her private e-mails. Furthermore, the Court held — and this is the kicker — even if the employer’s policy had been totally clear that her Yahoo account usage could be monitored, it would not be enforceable to destroy Ms. Stengart’s attorney-client privilege in the e-mails with her lawyer.
The Court neatly summed up its views on Internet use policies at the end of the opinion:
“Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy…. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual — that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system — would not be enforceable.”
Until now, courts examining the issue of whether employees have privacy rights in personal online communications sent from work computers have largely deferred to employer Internet use policies that reserved broad monitoring rights. It is not particularly surprising that the New Jersey judiciary, with its more liberal policy preferences and insistence on the sanctity of the attorney-client privilege, has diverged from more employer-friendly, freedom-of-contract regimes like Pennsylvania in establishing limits on what employers can peek at with Internet use policies. Still, the Stengart case does provide some useful guidelines for how employers (in New Jersey and elsewhere) can structure their Internet use policies to avoid the loss of productivity and liability risks associated with uncontrolled employee web surfing, Facebook usage, etc., while at the same time avoiding a tort claim for invasion of privacy.
1. Specifically discuss whether and how employee access of password-protected, web-based e-mail accounts may be monitored. In other words, don’t make the mistake of the employer in Stengart and assume that references to “e-mail” usage will be interpreted to cover personal Yahoo and gmail accounts as well as messages sent via the company’s official e-mail system. So, for example, you should mention that e-mails from personal web accounts might be stored on the hard drive of the employer’s computer. Also consider giving similar examples with respect to personal activity on restricted areas of social media sites when accessed from work. Greater clarity and specificity about monitoring of password-protected account usage could also help prevent a Stored Communications Act violation as well as liability for invasion of privacy.
2. Don’t send mixed messages concerning personal Internet usage at work. The New Jersey Supreme Court indicated that an employer has the right to prohibit the use of work computers and Internet access for personal reasons and to discipline or terminate employees who violate this policy. For cultural reasons many employers have resisted taking such a draconian line up to now, but it may be time to consider drawing a line in the sand if productivity loss is a major concern. If an employer is willing to tolerate limited personal usage of company IT resources (subject to the restrictions in the policy and any blocking of particular sites that the employer considers a distraction), the policy needs to be absolutely clear that even allowed personal communications may still be monitored and stored. Bottom line for employers: tell your employees that if they consider something really private or sensitive, they should do it at home using their own computer.
3. Be consistent in applying the policy. This is a logical corollary of #2, i.e., don’t send mixed messages. Inconsistent application of an IT use policy landed the city of Ontario, California before the U.S. Supreme Court on April 19. In City of Ontario v. Quon, a SWAT team member was issued a department pager under a use policy that clearly indicated everything could be monitored. However, a supervisor allegedly assured Quon that personal text messages would not be reviewed as long as the employee paid for any overages. Needless to say, they were. The question before the Court is whether the supervisor’s statements, which deviated from the IT use policy, were enough to give Quon a reasonable expectation of privacy in the personal texts. Based on the transcript of the oral arguments, the justices seem skeptical (more so, perhaps, than the New Jersey Supreme Court might be). Their decision will be forthcoming in the next few weeks. However, the real take-away here is the case should never have happened. Make sure that all employees, including (and especially) managers confirm receipt of, and are knowledgeable about, your company’s Internet use policy (for example, it can be discussed in employee information security training). A well-drafted policy should describe the business interests underlying it and the company’s seriousness in promoting those interests, and should identify a contact person who can address any questions or issues concerning the policy. The company should also cultivate a culture of compliance (if you’ll forgive the alliteration) so that no one is perceived as exempt; selective application and enforcement can lead not only to privacy-related liability but discrimination claims too.
Now that employee privacy is more than just a rallying cry for plaintiffs’ lawyers, consider whether your Internet use policy could use a little loving care.