The facts of Stengart are simple. Ms. Stengart brought an employment discrimination suit against her home-nursing company employer, Loving Care (great name, that) and exchanged e-mails with her attorney through a web-based personal Yahoo account that she accessed from a company-issued laptop. In the course of the discovery process the employer’s counsel imaged the laptop’s hard drive and found the e-mails, but did not promptly notify Ms. Stengart’s counsel and turn over the e-mails, as required by New Jersey’s attorney ethics rules. Although the employer purportedly maintained an Internet use policy that indicated “e-mail” and Internet use was the company’s property and could be monitored, the policy was poorly drafted and internally inconsistent, stating at the same time that occasional personal use of work computers was permitted.

The New Jersey Supreme Court held that, given the lack of clarity in the policy that appeared to invite some personal activity, and the fact that the policy did not refer specifically to employer monitoring of password-protected, web-based e-mail usage, Ms. Stengart had not been adequately placed on notice of her employer’s claimed right to monitor. Therefore, under the New Jersey constitutional and common law of privacy, she retained an objectively and subjectively reasonable expectation of privacy in her Yahoo account (i.e., that it fell outside the scope of the monitoring described in the Internet use policy), which Loving Care violated when its lawyers retrieved her private e-mails. Furthermore, the Court held — and this is the kicker — even if the employer’s policy had been totally clear that her Yahoo account usage could be monitored, it would not be enforceable to destroy Ms. Stengart’s attorney-client privilege in the e-mails with her lawyer.

The Court neatly summed up its views on Internet use policies at the end of the opinion:

“Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy…. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual — that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system — would not be enforceable.”

Until now, courts examining the issue of whether employees have privacy rights in personal online communications sent from work computers have largely deferred to employer Internet use policies that reserved broad monitoring rights. It is not particularly surprising that the New Jersey judiciary, with its more liberal policy preferences and insistence on the sanctity of the attorney-client privilege, has diverged from more employer-friendly, freedom-of-contract regimes like Pennsylvania in establishing limits on what employers can peek at with Internet use policies. Still, the Stengart case does provide some useful guidelines for how employers (in New Jersey and elsewhere) can structure their Internet use policies to avoid the loss of productivity and liability risks associated with uncontrolled employee web surfing, Facebook usage, etc., while at the same time avoiding a tort claim for invasion of privacy.

1. Specifically discuss whether and how employee access of password-protected, web-based e-mail accounts may be monitored. In other words, don’t make the mistake of the employer in Stengart and assume that references to “e-mail” usage will be interpreted to cover personal Yahoo and gmail accounts as well as messages sent via the company’s official e-mail system. So, for example, you should mention that e-mails from personal web accounts might be stored on the hard drive of the employer’s computer. Also consider giving similar examples with respect to personal activity on restricted areas of social media sites when accessed from work. Greater clarity and specificity about monitoring of password-protected account usage could also help prevent a Stored Communications Act violation as well as liability for invasion of privacy.

2. Don’t send mixed messages concerning personal Internet usage at work. The New Jersey Supreme Court indicated that an employer has the right to prohibit the use of work computers and Internet access for personal reasons and to discipline or terminate employees who violate this policy. For cultural reasons many employers have resisted taking such a draconian line up to now, but it may be time to consider drawing a line in the sand if productivity loss is a major concern. If an employer is willing to tolerate limited personal usage of company IT resources (subject to the restrictions in the policy and any blocking of particular sites that the employer considers a distraction), the policy needs to be absolutely clear that even allowed personal communications may still be monitored and stored. Bottom line for employers: tell your employees that if they consider something really private or sensitive, they should do it at home using their own computer.

3. Be consistent in applying the policy. This is a logical corollary of #2, i.e., don’t send mixed messages. Inconsistent application of an IT use policy landed the city of Ontario, California before the U.S. Supreme Court on April 19. In City of Ontario v. Quon, a SWAT team member was issued a department pager under a use policy that clearly indicated everything could be monitored. However, a supervisor allegedly assured Quon that personal text messages would not be reviewed as long as the employee paid for any overages. Needless to say, they were. The question before the Court is whether the supervisor’s statements, which deviated from the IT use policy, were enough to give Quon a reasonable expectation of privacy in the personal texts. Based on the transcript of the oral arguments, the justices seem skeptical (more so, perhaps, than the New Jersey Supreme Court might be). Their decision will be forthcoming in the next few weeks. However, the real take-away here is the case should never have happened. Make sure that all employees, including (and especially) managers confirm receipt of, and are knowledgeable about, your company’s Internet use policy (for example, it can be discussed in employee information security training). A well-drafted policy should describe the business interests underlying it and the company’s seriousness in promoting those interests, and should identify a contact person who can address any questions or issues concerning the policy. The company should also cultivate a culture of compliance (if you’ll forgive the alliteration) so that no one is perceived as exempt; selective application and enforcement can lead not only to privacy-related liability but discrimination claims too.

Now that employee privacy is more than just a rallying cry for plaintiffs’ lawyers, consider whether your Internet use policy could use a little loving care.

In Stengart, as I predicted in my last post on the case, the New Jersey Supreme Court held that an employee did not waive her attorney-client privilege in her suit against the employer by accessing her personal Yahoo! e-mail account through a work computer and using it to communicate with her attorney (not a good idea, but still …). On the other hand, in Quon, where the police department accessed and reviewed a SWAT team member’s provocative texts from a department-issued pager, the situation is a little murkier, and the Court seems leery of making a grand statement about workplace privacy.

What does all of this mean for businesses seeking to avoid liability and manage use of corporate IT resources? As I said, more on this shortly.

The Christmas blizzard

Richard Convertino is a former federal anti-terrorism prosecutor who was forced out by an investigation of prosecutorial misconduct during the Bush administration. Information about the investigation was leaked to the Detroit Free Press. In his action against the Justice Department for whistleblowing retaliation and other claims, Convertino sought discovery of e-mails between Tukel, another prosecutor involved in the investigation, and his private attorney, e-mails that were sent from a Justice Department computer using Tukel’s DOJ account (not even a web-accessed personal e-mail account, as in Stengart). The court refused to grant access to the e-mails, holding that Tukel had a reasonable expectation of privacy which supported his assertion that the e-mails were still protected by the attorney-client privilege.

In finding for Tukel, the court specifically examined the Justice Department’s Internet use policy and determined that, in view of the policy, he was not on notice that his personal e-mails were being monitored and, therefore, his actions in deleting the e-mails from his account in an expeditious manner amounted to a non-waiver of the attorney-client privilege:

“Mr. Tukel reasonably expected his e-mails with his personal attorney to remain private…. Case law in this jurisdiction in not directly on point but New York gives the Court some direction. ‘[T]he question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable.’ … In order for documents sent through e-mail to be protected by the attorney-client privilege there must be a subjective expectation of confidentiality that is found to be objectively reasonable…. [Four factors to determine reasonableness are] ‘(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?’ … Each case should be given an individualized look to see if the party requesting the protection of the privilege was reasonable in its actions….

“On the facts of this case, Mr. Tukel’s expectation of privacy was reasonable. The DOJ maintains a policy that does not ban personal use of the company e-mail. Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would regularly access and save e-mails sent from his account…. Because his expectations were reasonable, Mr. Tukel’s private e-mails will remain protected by the attorney-client privilege.”

As with Stengart (which was recently argued before the New Jersey Supreme Court), I am unconvinced that rulings like this create a broad right of privacy in personal communications sent through an employer’s IT resources. For one thing, the Internet use policy in Stengart as well as the DOJ’s policy in Convertino explicitly permitted personal use but were less than clear that ALL communications (personal as well as work-related) were subject to monitoring. Had the policies contained language like the following, the results might have been different: “We reserve the right to monitor, and periodically monitor, ALL communications sent using our computers and Internet access, whether personal or work-related, and including personal e-mails sent using your web-accessed e-mail (e.g., gmail, hotmail) account. You agree that you have no expectation of privacy in these e-mails and other communications. You should NOT send sensitive personal e-mails from a work e-mail account or a work computer.”

Secondly, I maintain that the attorney-client privilege is something special. If it’s held to be waived, the legal effect on a litigant — loss of or inability to implement legal strategy or exercise legal rights — is potentially catastrophic. Privileged e-mails are different from, say, embarrassing e-mails or e-mails that could get you into trouble with your boss. My sense is that courts will strain to avoid piercing such a hallowed privilege, except where a litigant has acted in a totally cavalier manner with regard to secrecy. I don’t agree with those legal commentators who claim the Convertino case actually reflects a dawning recognition that, due to the timing constraints in our harried modern lives, personal e-mails MUST be sent from work and should be shielded for that reason (regardless of how an employer’s computer/Internet use policy is worded or distributed). The court didn’t say this. In its own words, the case was about what the employee did and did not know about monitoring, pure and simple.

This battle will continue, of course. In the meantime, employers should think carefully about what personal uses of company Internet access and IT resources they wish to permit and make sure their approach to monitoring is clearly explained, particularly when read together with the sections of the policy detailing any approval of personal use.

On June 26, shortly after the Pietrylo verdict, another court (also in New Jersey) handed down a ruling which, at first glance, seems to be an even more emphatic vindication of employee online privacy rights against the prying eyes of Big Brother. You can check out the New Jersey Superior Court, Appellate Division’s opinion in Stengart v. Loving Care Agency, Inc., Docket No. A-3506-08T1, here.

In Stengart, an employee considering legal action against her employer used an employer-provided computer to send e-mails to her attorney through her personal Yahoo account. After the computer’s hard drive was imaged, the employer’s law firm read these e-mails but did not alert the plaintiff’s counsel that it had possession of them. A lower court ruled that, based on the employer’s purported adoption and distribution of an electronic communications policy which supposedly made all communications sent via corporate IT resources its “property,” the plaintiff had no expectation of privacy in the e-mails, and they were not protected by the attorney-client privilege.

The appellate court reversed, and in so doing, filled its opinion with lofty language sure to warm the hearts of privacy advocates and raise doubts about the effectiveness of Internet and computer use policies. For example:

“A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest…. When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in [certain cases involving a suspicion that the employee had committed fraud or accessed child pornography] — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.”

On closer examination, however, there is less here than meets the eye. On August 19, I made a guest post on Tech Target’s IT Knowledge Exchange giving a detailed legal analysis of the case. Let me just hit the high points here:

1. The employer’s electronic communications policy was badly drafted, made contradictory statements about the allowance of personal communications, and may not even have been in effect. The lower court did not conduct an evidentiary hearing about the adoption, applicability or objective interpretation of the policy.

3. The attorney-client privilege is sacred, particularly in New Jersey, as I know from prior work experience there. As the court admitted, the real issue in the case was not defining the scope of employee online privacy, but rather whether the plaintiff should suffer the draconian penalty of losing her attorney-client privilege in her e-mails with her attorney. Any broader reading of the language quoted above is legally non-binding.

While courts will probably strain to avoid finding a waiver of the attorney-client privilege, a properly drafted and disseminated Internet and computer use policy (for example, emphasizing the employer’s right to monitor and access both work-related and personal communications made using the employer’s IT resources, as opposed to claiming personal communications as the employer’s “property”) remains legal and enforceable. Where such a policy is in place, there is no all-encompassing right to privacy in personal communications transmitted through corporate IT resources.

Please understand where I am coming from: I am NOT advocating, as a normative principle, unlimited employer intrusion into private employee communications. (I have actually been criticized for supposedly being a legal apologist for Big Brother!) With the nine-to-five workday increasingly a thing of the past, most employees have a need to conduct a limited amount of personal business while at work. A well balanced Internet and computer use policy will acknowledge this reality.

With that said, however much I identify with Philadelphia’s heritage of individual liberty, I am not a paid professional civil libertarian. I am a technology lawyer engaged by businesses to help them sleep at night. In this capacity, I recommend that organizations adopt a reasonable Internet and computer use policy that clearly and unambiguously announces the scope of the employer’s monitoring/access rights and is carefully drafted to avoid or win litigation based on an asserted “expectation of privacy.” How much to monitor or access is a cultural and resource-driven decision that needs to be made by each organization.

The Pietrylo and Stengart cases are important pieces in the puzzle, but are more revealing as case studies in failure to use best practices than as some sort of Magna Carta of employee online privacy.