Location, Location, Location
Tanya Forsheit recently appeared on Fox to discuss the Supreme Court’s evaluation of GPS surveillance under the Fourth Amendment in US v. Jones. The case raises important issues regarding technology, aggregation of data, and privacy expectations with respect to location information.
What a Farming Bankruptcy Can Teach Us About Privacy in the Cloud
Today's post about the cloud is brought to you from above the clouds, via wi-fi on a plane, using a cloud service (our blog service provider). First I pause to note how awesome that is. I could not have been doing this five years ago. Now, back to the point. Privacy in the cloud. Specifically, the potential impact of "segregation" of data in the cloud, whatever that means. Does "segregation" that prevents "intermingling" preserve an organization's reasonable expectation of privacy vis-a-vis the government under the Fourth Amendment? One recent case, although not about a cloud of any shape or form, suggests that it might.
I love finding cloud law where you least expect it. Recently reported in BNA's Privacy & Security Law Report, In re SK Foods Inc., No. 2:09-cv-02938, is a bankruptcy matter involving a debtor that processes tomato products. In SK Foods, the United States District Court for the Eastern District of California stayed the Bankruptcy Court's order that would have allowed the Trustee to continue to possess and review information relating to third party non-debtors pending appeal. Why? There was evidence suggesting that, despite residing on shared computer servers, the data of the third parties had not been "intermingled" with the debtor's data, the servers belonged to a third party, the debtor could not access the third party records without authorization, and the third parties demanded return of their records once the Trustee intervened. Read on after the jump for a detailed review of the District Court's order, available here, and consideration of its implications for the cloud.
Procedural and Factual Background
In SK Foods, non-debtor third parties SSC Farms, LLC, SSC Farming LLC, SSC Farming 1, LLC, SSC Farming 2, LLC, and Scott Salyer (I will refer to them collectively herein as the "SSC Third Parties") sought a stay of the Bankruptcy Court's order giving the Trustee authorization to continue to possess and review information relating to the SSC Third Parties pending their appeal of that order. Third party Salyer is the founder of the debtor SK Foods and owner thereof via a separate company and his trust. The other SSC Third Parties are entities owned by Salyer's children that grow vegetable and tomato products processed by the debtor. The Trustee had taken possession and control of all records located at the debtor SK Foods following his appointment, including electronic records stored on the company's computer servers. The SSC Third Parties maintained their own records on the debtor SK Foods' premises, but did so pursuant to a joint cost sharing arrangement to maximize operational efficiency. Hmmm, sounds a little like a multi-tenancy cloud.
The Bankruptcy Court found, as a matter of law based on a determination that the facts were undisputed, that the SSC Third Parties had waived any privacy rights associated with their records by failing to remove them from the debtor SK Foods' premises before involuntary bankruptcy proceedings were commenced. However, the Bankruptcy Court explicitly noted that, in the absence of undisputed facts, the question of whether a reasonable expectation of privacy exists is a mixed one of law and fact (citing Hill v. Nat'l Collegiate Athletic Ass'n, 7 Cal.4th 1, 39-40 (1994)).
The Trustee's Argument re Shared Servers and Intermingling
The Trustee argued that debtor SK Foods had custody and control over the records because all the entities functioned as a single operational and economic enterprise, because the records were intermingled, because SK Foods' employees had access to the SSC Third Party records, and because all of the entities shared servers and an email system owned by debtor SK Foods.
The District Court's Ruling: Facts in Dispute - Evidence Suggests No Intermingling on Servers, so Privacy Rights May Be Preserved
The District Court stayed the Bankruptcy Court's order pending appeal, noting that there remains a reasonable expectation of privacy in financial, personal, and other related documents even if such documents are stored or left on a third party's premises (citing U.S. v. Fultz, 146 F.3d 1102, 1105 (9th Cir. 1998)). The court further held that intermingling of documents, alone, does not waive a third party's constitutional rights (citing U.S. v. Comprehensive Drug Testing, 579 F.3d 989, 1004-1005 (9th Cir. 2009)).
Significantly, the court noted that the Trustee had cited no authority for the proposition that privacy interests are waived merely because companies may have shared storage and access capabilities, and may not have immediately segregated and taken their own materials once the debtor's bankruptcy filing took place.
Most importantly, the District Court noted that the facts were in dispute because the SSC Third Parties had identified (via declaration) evidence "suggesting that electronic data for each non-debtor entity was maintained in separate folders and was not intermingled with data belonging to other entities"; that the servers used to store the data were not owned by the debtor SK Foods; that debtor SK Foods' access to documents and information pertaining to the SSC Third Parties required authorization; and that the SSC Third Parties immediately demanded the return of their own private and confidential information once the Trustee intervened.
Implications for the Cloud?
In many ways, SK Foods raises more questions than it answers for purposes of the cloud. Is the court's analysis too simplistic? What exactly is "intermingling" on a third party server or in a cloud? Is there any such thing as data that is not intermingled in a public cloud? Is there an equivalent to "separate folders" in a multi-tenancy cloud?
Then again, SK Foods is perhaps merely an acknowledgment, in a very different context, of the following sentiment expressed by Chief Judge Kozinski in the Ninth Circuit's en banc opinion in Comprehensive Drug Testing, supra:
The advent of fast, cheap networking has made it possible to store information at remote third-party locations, where it is intermingled with that of other users. For example, many people no longer keep their email primarily on their personal computer, and instead use a web-based email provider, which stores their messages along with billions of messages from and to millions of other people. Similar services exist for photographs, slide shows, computer code, and many other types of data. As a result, people now have personal data that are stored with that of innumerable strangers. Seizure of, for example, Google’s email servers to look for a few incriminating messages could jeopardize the privacy of millions.
Some might suggest that sharing a computer server and email systems (or a cloud, for that matter) by numerous businesses presents a closer case. The court in SK Foods thought, at a minimum, it was worth an evidentiary hearing, and suggested that a finding of "segregation" of some sort might preserve Fourth Amendment rights.
All of this raises important questions for all companies, but especially companies doing or considering doing business in the cloud:
- Do you know where your records reside?
- Are they hanging out with other companies' records?
- Who owns the servers?
- Where are those servers located?
- Are your files "segregated" in some fashion from other organizations' files?
- Could you prove "segregation" in court?
As you can see, "cloud" jurisprudence is evolving without the word "cloud" ever being uttered in a court order or opinion. We will continue to keep an eye on it. Signing off from the clouds, for today.
Privacy, Privilege, and the Cloud, Oh My: Taking LovingCare to Heart
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation.
The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis below.
What Happened Here?
LovingCare involved employee Marina Stengart's use of a company-issued laptop to exchange e-mails with her lawyer through her personal, password-protected, web-based Yahoo! e-mail account. “On several days in December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop.”
How did LovingCare get access to those materials without a password? “Unbeknownst to Stengart, certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer's hard drive in a ‘cache’ folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.” Stengart filed an employment discrimination lawsuit against LovingCare. “In anticipation of discovery, LovingCare hired a computer forensic expert to recover all files stored on the laptop including the e-mails, which had been automatically saved on the hard drive. LovingCare's attorneys reviewed the e-mails and used information culled from them in the course of discovery.” LovingCare easily found the personal email. “Among the items retrieved were temporary Internet files containing the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account.”
Interestingly, Stengart's lawyer demanded that his communications with Stengart, which he considered privileged, be identified and returned. LovingCare’s counsel disclosed the documents to Stengart’s lawyer, but argued that the company had the right to review them. Stengart sought relief.
LovingCare's Electronic Communications Policy
LovingCare's Electronic Communication policy was part of its “Administrative and Office Staff Employee Handbook.” The Policy at issue provided that LovingCare
reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice. . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee. The principal purpose of electronic mail (e-mail) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.
The Policy prohibited “‘[c]ertain uses of the e-mail system’ including sending inappropriate sexual, discriminatory, or harassing messages, chain letters, ‘[m]essages in violation of government laws,’ or messages relating to job searches, business activities unrelated to LovingCare, or political activities” and provided that “‘[a]buse of the electronic communications system may result in disciplinary action up to and including separation of employment.’”
Procedural Background
Not surprisingly, LovingCare’s attorneys argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer in light of the company's policy on electronic communications. The trial court found that, as a result of LovingCare’s written policy, Stengart waived the attorney-client privilege by sending e-mails on a company computer. The Appellate Division reversed, holding that LovingCare's counsel violated New Jersey Rule of Professional Conduct 4.4(b) by reading and using the privileged documents. Rule 4.4(b) states that “[a] lawyer who receives a document and has reasonable cause to believe that the document was inadvertently sent shall not read the document or, if he or she has begun to do so, shall stop reading the document, promptly notify the sender, and return the document to the sender.”
The New Jersey Supreme Court's Conclusion
In a ruling based on these very particular factual circumstances, the New Jersey Supreme Court held that Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based email account, accessed on a company laptop, would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them. The Court further found that, by reading e-mails that were at least arguably privileged and failing to notify Stengart promptly about them, LovingCare's counsel breached New Jersey's Rule of Professional Conduct 4.4(b). The Court remanded to the trial court to determine what, if any, sanctions should be imposed on counsel for LovingCare.
How Did the Court Get There?
In resolving the LovingCare matter, the New Jersey Supreme Court looked to both privacy and privilege concerns:
Our analysis draws on two principal areas: the adequacy of the notice provided by the Policy and the important public policy concerns raised by the attorney-client privilege. Both inform the reasonableness of an employee's expectation of privacy in this matter.
Subjective and Objective Expectations of Privacy
In this case, the reasonable-expectation-of-privacy standard derived from the common law:
The common law source is the tort of “intrusion on seclusion,” which can be found in the Restatement (Second) of Torts § 652B (1977). That section provides that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement, supra, § 652B. A high threshold must be cleared to assert a cause of action based on that tort. . . . A plaintiff must establish that the intrusion “would be highly offensive to the ordinary reasonable man, as the result of conduct to which the reasonable man would strongly object.” Restatement, supra, § 652B cmt. d.
. . . the reasonableness of a claim for intrusion on seclusion has both a subjective and objective component. . . . Moreover, whether an employee has a reasonable expectation of privacy in her particular work setting “must be addressed on a case-by-case basis.” O'Connor v. Ortega, 480 U.S. 709, 718, 107 S.Ct. 1492, 1498, 94 L. Ed.2d 714, 723 (1987) (plurality opinion) (reviewing public sector employment).
Stengart had a subjective expectation of privacy because she “plainly took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer.” She had an objective expectation of privacy because the Policy said nothing about such personal emails and her communications were protected by the attorney-client privilege.
It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.
The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by LovingCare.
The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.
(Emphasis added).
Split in Authority
The Court noted a split in authority in other jurisdictions under the factual circumstances of the case.
Some jurisdictions have reached a similar conclusion, that employees retain a reasonable expectation of privacy, in similar factual circumstances. See, e.g., National Economic Research Associates v. Evans, 21 Mass. L. Rptr. No. 15, at 337 (Mass.Super.Ct. Sept. 25, 2006) (employee used a company laptop to send and receive attorney-client communications by e-mail using his personal, password-protected Yahoo account and not the company's e-mail address); In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (Bankr.S.D.N.Y.2005) (four-part test to “measure the employee's expectation of privacy in his computer files and e-mail”: (1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies); Convertino v. U.S. Dep't of Justice, --- F.Supp.2d ----, 2009 U.S. Dist. LEXIS 115050, *33-34 (D.D.C. Dec. 10, 2009) (finding reasonable expectation of privacy in attorney-client e-mails sent via employer's e-mail system); Curto v. Medical World Communications, Inc., 99 Fed. Empl. Prac. Cas. (BNA) 298 (E.D.N.Y. May 15, 2006) (employee working from a home office sent e-mails to her attorney on a company laptop via her personal AOL account).
Of great interest in the cloud context, the Court noted that
[b]oth Evans and Asia Global referenced a formal ethics opinion by the American Bar Association that noted “lawyers have a reasonable expectation of privacy when communicating by e-mail maintained by an [online service provider]” (citing ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 413 (1999)).
Other courts have found to the contrary, rejecting any expectation of privacy, especially where an employee uses a company email system. See, e.g., Smyth v. Pillsbury Co., 914 F.Supp. 97, 100-01 (E.D.Pa.1996) (finding no reasonable expectation of privacy in unprofessional e-mails sent to supervisor through internal corporate e-mail system); Scott v. Beth Israel Med. Ctr., Inc., 17 Misc.3d 934, 847 N.Y.S.2d 436, 441-43 (N.Y.Sup.Ct.2007) (finding no expectation of confidentiality when company e-mail used to send attorney-client messages).
Limits on Company Policies
Naturally, the Court's decision does not deny employers the ability to restrict personal communications by employees using web-based cloud services on company-owned computers. To the contrary:
Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy.
However, there are limits – and the Court signaled that an employer will not be able to enforce a policy that prohibits all personal communications and reserves the right to read attorney-client communications:
[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual - that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system - would not be enforceable.
Takeaways
Takeaway One - employers must craft carefully worded computer and social media use policies that are realistic in today's socially networked world of telecommuting, where the professional and personal lives of employees overlap.
Takeaway Two - where cloud technologies allow the integration of work and personal life, and where an employer does not prohibit all personal use, no written policy can deprive an employee of any reasonable expectation of privacy (at least in New Jersey). Instead, employers will have to be sensitive to the peculiar problems raised by discovery of employee information in the cloud (whether they already have access to it or have to seek it from a cloud service provider through third party discovery) and address those issues on a case-by-case basis.





