Your Social Media Policy Will Not Trump Attorney-Client Privilege (in NJ)

This post summarizes a conversation occurring on the Martindale-Hubbell® Connected professional network for lawyers.

On March 30, the New Jersey Supreme Court decided that companies do not have the right to access employee’s attorney-client email communications if accessed on a personal, password-protected e-mail account using the company’s computer system. In fact, sending and receiving such emails using a company laptop does not eliminate the attorney-client privilege that protects the communications. The court stated:

A policy that provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system, would not be enforceable.

In this case [1], the plaintiff sent several emails to her lawyer from her company-owned laptop, in anticipation of a lawsuit against her employer. The employee sent the emails over the company’s network, but via the employee’s personal Yahoo email account, and she did not store her password on the laptop.

Unbeknownst to the employee, the company cached each web page (including web-based emails) viewed by the employee on their laptop, in the temporary Internet files and on the company’s servers. After the employee left the company and initiated a lawsuit, the company found those attorney-client emails during the discovery process, provided them to company lawyers, and the communications were subsequently used in the defense strategy.

The key point to note is that the company’s electronic communications policy stated that the company was permitted to access and review all information on the company media, and that e-mails and Internet communications were not to be considered private or personal to employees; however, the company’s policy stated that occasional personal use was permitted.

In addition to protecting an employee’s attorney-client privilege, the court also expressed the opinion that the company’s policy was ambiguous, and unlikely to be enforceable for other types of messages, too. Although the company’s policy stated that the company may review matters on “the company’s media systems and services,” those terms were not defined in the policy, and the prohibition of certain uses of “the e-mail system” appeared to refer to company e-mail accounts, not personal accounts. The Policy did not warn employees that the contents of personal, web-based e-mails are stored on employee-issued computers, and could be forensically retrieved and read. The policy also created ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The court said Stengart had a reasonable expectation of privacy because the email account was personal, password protected, and the password was not stored on the laptop — an area where the company policy was silent and ambiguous.

Here are several takeaways for folks writing social media policies (at least, in New Jersey):

  1. When companies allow reasonable personal use of company-issued systems, absent specific policies to the contrary, employees have a reasonable expectation of privacy to the content and communications they access or contribute via personal, password protected services, such as email. One would guess that such expectations extend to social utilities and social networking sites.
  2. The fact that the employee did not store her password on the computer was cited several times as a factor in her reasonable expectation of privacy. It is unclear whether an employee should expect such privacy if they let the browser “remember me” through storage of cookies to streamline logins.
  3. If you are going to take away your employees’ privacy rights within Internet communications on company computers, don’t handicap your policy by simultaneously permitting occasional personal use of the same computers.
  4. Attorney-client privilege cannot be waived by well-crafted policies.

The judgment leaves open the following questions:

  • If you use your company laptop to access Facebook, does the company have the right to inspect your content on Facebook?
  • What about your bank account records if you check your balance from a company computer?

Should everyone who is an employee conduct all personal online business via their personal mobile device, and only via the cellular network (not the company’s network)?

If you know of other states ruling on similar matters, please let me know.


Footnotes

  1. Stengartv Loving Care Agency (2010 N.J. LEXIS 241)

One Response to Your Social Media Policy Will Not Trump Attorney-Client Privilege (in NJ)

  1. Anonymous June 30, 2011 at 5:19 am #

    I honestly think it would be too invasive to do monitoring on an employee’s personal accounts even if using the company computers. There should really be a clear policy stating the limits up to where a company should dig deep into. Employees also need that needed privacy because in a way, they do have rights of their own even in their workplaces. It’s not a healthy workplace environment if employers won’t give that level of trust to their own employees. Although I’m not against monitoring employee internet usage, I still believe that there are correct ways to do it without going too far as digging deep into their personal activities. Great share, thanks!