Employee Privacy Gains in the United States
2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.
Traditionally, in the U.S., employees have enjoyed little privacy in the workplace. With respect to workplace communications, for example, employees generally are deemed not to have “a reasonable expectation of privacy.” With some limitations, this allows employers to freely monitor and review employee communications. Employees in the U.S. often must abide by company rules that limit or prohibit personal use of workplace email and provide for monitoring of all employee electronic communications. Companies also may impose sanctions on employees for criticizing or disparaging the employer outside of work, including on social networking websites. In another example of limited workplace privacy, employers regularly obtain credit reports regarding job applicants or employees being considered for promotions. While obtaining a credit report for employment purposes requires the consent of the individual, applicants and employees often are reluctant to withhold consent for fear of compromising their chances of landing a job or a promotion. Many employers obtain credit reports regardless of whether financial considerations are relevant to the job.
The recent court decisions, laws and agency actions we recap in this blog post are changing the workplace privacy rules. Employers should consider these developments carefully in evaluating their human resources, information technology, electronic communications and other policies that affect employee privacy.
U.S. Supreme Court Offers Guidance on Employee Privacy in City of Ontario, California v. Quon
On June 17, 2010, the U.S. Supreme Court ruled in City of Ontario, California v. Quon that a police department did not violate an officer’s Fourth Amendment rights when the officer’s supervisor reviewed personal text messages the officer sent using a work-issued pager. The Court held that the search of the messages was reasonable, and did not resolve the question of whether the officer had “a reasonable expectation of privacy” in the text messages. The Court stated that it was reluctant to wade into employee privacy debate in light of the novelty of the issue, the implications of opining on emerging technology before its role in the society has become clear, and the risk of making a ruling that is not fully informed.
The Court, however, set out some of the issues it could have considered had it been inclined to make a ruling on the employee’s privacy expectations. The Court observed that in Quon a finding of an expectation of privacy in text messages could have been supported by the ubiquity of mobile communications that makes the communications essential or necessary instruments for self-expression, even self-identification. On the other hand, the Court suggested that the ubiquity of messaging devices also made them generally affordable, so that employees who need mobile devices for personal use can purchase and pay for their own. The Court observed that employee communications policies shape the reasonable expectations of their employees, especially when such policies are clearly communicated to the employees. The Court left open, however, the possibility that a supervisor’s statement guaranteeing the privacy of an employee’s communications, even if contrary to the company policy, may create an expectation of privacy in the communications by the employee. The court also noted the difference between an employer’s review of workplace communications vs. personal communications. Specifically, the Court observed that an audit of messages on an employer-provided device was not nearly as intrusive as a search of an employee’s personal email account or pager would have been.
Lower courts likely will look to the Supreme Court’s views on employee privacy in considering privacy claims. Likewise, employers should consider the Court’s discussion of employee privacy in developing and implementing employee monitoring policies. The key lessons for private employers from Quon are to (i) have a communications policy that is clear and comprehensive in scope and clearly communicated to employees; (ii) train management to follow company policies and not contradict them; (iii) when conducting a review of communications that might be inconsistent with the company’s electronic communications policy, ensure that there is a legitimate business reason for the review and be cautions to review only what is necessary; (iv) stay abreast of changes in privacy laws and relevant court decisions.
New Jersey Supreme Court Upholds Privacy Claims in Stengart v. Loving Care Agency, Inc.
Private employers should pay equal if not greater attention to many state court cases that have dealt with the issue of employee privacy. Unlike Quon, these state court decisions (as well as federal court decisions that apply state law) are directly applicable to private employers. In arguably the most important state decision on employee privacy of 2010, the New Jersey Supreme Court ruled, on March 30, 2010, for the former employee on the employee’s claim that state’s common privacy law protected certain of the employee’s emails from review by her employer.
The New Jersey Supreme Court considered whether the former employee – Ms. Stengart – had a reasonable expectation of privacy in certain emails she exchanged with her attorney. The email exchange took place over Stengart's personal, web-based email account. Stengart, however, used her company-issued computer for the communications. Images of the emails were saved by the employer’s monitoring system, which retained every web page visited on the computer. In the course of subsequent litigation against Stengart, Loving Care – the former employer – retrieved Stengart’s communications with her attorney from the laptop and sought to use the emails in the litigation. Stengart argued that the employer could neither review the emails nor use them in the litigation because she had a reasonable expectation of privacy in the communications. The New Jersey Supreme Court agreed.
The Court found the company’s electronic communications policy to be ambiguous and interpreted the ambiguity against the employer. The policy stated that the company could review any matters on the company’s media systems and services at any time, and that all emails and communications were not to be considered personal or private to employees. The Court found the policy’s disclosure of employee monitoring insufficient because it did not inform employees that the company stored and could retrieve copies of employees’ private web-based emails. The Court also concluded that the policy failed to state expressly that the company would monitor the content of email communications made from employees’ personal email accounts when they were viewed on company-issued computers. The Court held that Stengart had a subjective expectation of privacy in communications she sent using her personal web-based email account, and that the company’s ambiguous boilerplate electronic communications policy did not quash Stengart’s expectation of privacy in the emails.
The Court acknowledged that employers may adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business. The Court held, however, that an employer may not read the contents of an employee's attorney-client communications sent or received using personal web-based email. The Court held that a policy that allows the employer to review such communications is unenforceable.
Although the decision dealt with attorney-client communications, it also has implications for any personal emails (such as communications regarding health or financial issues) employees send over private web-based email accounts. For example, the court noted that employers that record and review screen shots on workplace computers will need to provide employees with a detailed, specific notice of such monitoring to the extent the screen shots also record emails employees send or receive via private web-based accounts. The Court also cautioned that a policy that permits “occasional personal use” of workplace email systems may create an expectation of privacy by employees with respect to personal emails they send or receive via company email.
NLRB Alleges Firing an Employee for Facebook Comments Violates Federal Law
On November 8, 2010, the National Labor Relations Board (NLRB) filed an administrative complaint against an employer, alleging that the company violated an employee's federal rights by firing her for criticizing her manager on her Facebook page. The NLRB took the position that employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The terminated employee was a union member, but the NLRB asserted that the right to criticize is equally applicable to nonunion employees because it is an extension of the federal right to discuss unionization and form unions.
Employers should consider the NLRB complaint carefully in reviewing their policies regulating social media use and behavior outside of the workplace. In this case, the employer's policy was rather extreme; it barred employees from depicting the company “in any way” on Facebook or other social media sites where the employees posted their pictures, or from making disparaging or discriminatory comments when discussing the employer or management. The NLRB action does not mean that the right to talk about employers on the web or outside of work is absolute. For example, if an employee lashes out against a supervisor, but is not communicating with employees in doing so, the activity may not be protected (in this case, other employees participated in the Facebook discussion of the former employee’s manager). In addition, making false, defamatory statements about the employer or disparaging remarks unrelated to work (for example, about a supervisor's family or personal life) is likely not protected by federal law.
States and Federal Regulators Push to Restrict Use of Credit Reports for Employment Purposes
The drive to limit the use of credit reports for employment purposes is in large part a reaction to the damage the continuing economic downturn has inflicted on individuals’ credit histories, creating a barrier to the individuals’ ability to reenter the workforce.
In 2010, Illinois and Oregon enacted legislation that limits the use of credit reports for employment purposes. Similar laws are in place in Hawaii and Washington and are being considered in Connecticut, Illinois, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, the federal Equal Employment Opportunity Commission (EEOC) filed an unusual action accusing an employer of discriminating against black job applicants in the hiring process on the basis of using the applicants’ credit histories.
The Illinois law, the Employee Credit Privacy Act, became effective January 1, 2011. The Act makes it illegal for employers to discriminate against job applicants on the basis of their credit histories and outlaws inquiries about applicants’ and employees’ credit histories. The law permits employers to conduct background investigations that do not include a credit history or report. In addition, the Act allows employers to obtain and consider credit reports in connection with jobs that involve (i) bonding or security under state or federal law; (ii) custody of, or unsupervised access to, $2,500 or more in cash or marketable assets; (iii) signatory power over businesses assets of $100 or more per transaction; (iv) management and control of the business; or (v) access to personal, financial or confidential information, trade secrets, or state or national security information. The law includes a private right of action, including the right to sue for injunctive relief and obtain attorneys’ fees.
The Oregon law came into effect on July 1, 2010. With certain exceptions, the law prohibits Oregon employers from using credit history in making hiring decisions or any decision affecting current employees. The law exempts from the prohibition federally-insured banks and credit unions, businesses required by law to consider employee credit history, and police and other public employers when hiring for law enforcement or airport security positions. In addition, the law permits employers to conduct credit checks for “substantially job-related reasons” provided the reasons are disclosed to the employee in writing. The Oregon law gives individuals the right to file an administrative complaint or a private lawsuit, and allows the recovery of attorneys’ fees.
While there is no federal prohibition against the use of credit reports for employment purposes, it appears that federal regulators may be seeking to curtail the practice. Specifically, in December 2010, the Equal Employment Opportunity Commission sued an employer in connection with use of credit reports in the hiring process. The EEOC alleged that the company used the reports in a way that discriminated against black job applicants. Emphasizing the broader reasons for the suit, the EEOC signaled that it believes that employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job. The EEOC noted that credit histories are not complied to evaluate responsibility, are often inaccurate, and may not be a good indicator of an individual's qualifications for a particular job. In the suit, the EEOC alleged that rejecting applicants based on credit histories had a significant disparate impact on black applicants. In addition to other relief, the EEOC is seeking a permanent injunction to stop the employer’s use of credit histories in hiring and other employment decisions.
Additional Information Regarding Workplace Privacy Issues
For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email bsegalis@infolawgroup.com for registration details.
Privacy, Privilege, and the Cloud, Oh My: Taking LovingCare to Heart
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation.
The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis below.
What Happened Here?
LovingCare involved employee Marina Stengart's use of a company-issued laptop to exchange e-mails with her lawyer through her personal, password-protected, web-based Yahoo! e-mail account. “On several days in December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop.”
How did LovingCare get access to those materials without a password? “Unbeknownst to Stengart, certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer's hard drive in a ‘cache’ folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.” Stengart filed an employment discrimination lawsuit against LovingCare. “In anticipation of discovery, LovingCare hired a computer forensic expert to recover all files stored on the laptop including the e-mails, which had been automatically saved on the hard drive. LovingCare's attorneys reviewed the e-mails and used information culled from them in the course of discovery.” LovingCare easily found the personal email. “Among the items retrieved were temporary Internet files containing the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account.”
Interestingly, Stengart's lawyer demanded that his communications with Stengart, which he considered privileged, be identified and returned. LovingCare’s counsel disclosed the documents to Stengart’s lawyer, but argued that the company had the right to review them. Stengart sought relief.
LovingCare's Electronic Communications Policy
LovingCare's Electronic Communication policy was part of its “Administrative and Office Staff Employee Handbook.” The Policy at issue provided that LovingCare
reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice. . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee. The principal purpose of electronic mail (e-mail ) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.
The Policy prohibited “‘[c]ertain uses of the e-mail system’ including sending inappropriate sexual, discriminatory, or harassing messages, chain letters, ‘[m]essages in violation of government laws,’ or messages relating to job searches, business activities unrelated to LovingCare, or political activities" and provided that “‘[a]buse of the electronic communications system may result in disciplinary action up to and including separation of employment.’”
Procedural Background
Not surprisingly, LovingCare’s attorneys argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer in light of the company's policy on electronic communications. The trial court found that, as a result of LovingCare’s written policy, Stengart waived the attorney-client privilege by sending e-mails on a company computer. The Appellate Division reversed, holding that LovingCare's counsel violated New Jersey Rule of Professional Conduct 4.4(b) by reading and using the privileged documents. Rule 4.4(b) states that “[a] lawyer who receives a document and has reasonable cause to believe that the document was inadvertently sent shall not read the document or, if he or she has begun to do so, shall stop reading the document, promptly notify the sender, and return the document to the sender.”
The New Jersey Supreme Court's Conclusion
In a ruling based on these very particular factual circumstances, the New Jersey Supreme Court held that Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based email account, accessed on a company laptop, would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them. The Court further found that, by reading e-mails that were at least arguably privileged and failing to notify Stengart promptly about them, LovingCare's counsel breached New Jersey's Rule of Professional Conduct 4.4(b) The Court remanded to the trial court to determine what, if any, sanctions should be imposed on counsel for LovingCare.
How Did the Court Get There?
In resolving the LovingCare matter, the New Jersey Supreme Court looked to both privacy and privilege concerns:
Our analysis draws on two principal areas: the adequacy of the notice provided by the Policy and the important public policy concerns raised by the attorney-client privilege. Both inform the reasonableness of an employee's expectation of privacy in this matter.
Subjective and Objective Expectations of Privacy
In this case, the reasonable-expectation-of-privacy standard derived from the common law:
The common law source is the tort of “intrusion on seclusion,” which can be found in the Restatement (Second) of Torts § 652B (1977). That section provides that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement, supra, § 652B. A high threshold must be cleared to assert a cause of action based on that tort. . . . A plaintiff must establish that the intrusion “would be highly offensive to the ordinary reasonable man, as the result of conduct to which the reasonable man would strongly object.” Restatement, supra, § 652B cmt. d.
. . . the reasonableness of a claim for intrusion on seclusion has both a subjective and objective component. . . . Moreover, whether an employee has a reasonable expectation of privacy in her particular work setting “must be addressed on a case-by-case basis.” O'Connor v. Ortega, 480 U.S. 709, 718, 107 S.Ct. 1492, 1498, 94 L. Ed.2d 714, 723 (1987) (plurality opinion) (reviewing public sector employment).
Stengart had a subjective expectation of privacy because she “plainly took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer.” She had an objective expectation of privacy because the Policy said nothing about such personal emails and her communications were protected by the attorney-client privilege.
It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.
The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by LovingCare.
The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy ac-knowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.
(Emphasis added).
Split in Authority
The Court noted a split in authority in other jurisdictions under the factual circumstances of the case.
Some jurisdictions have reached a similar conclusion, that employees retain a reasonable expectation of privacy, in similar factual circumstances. See, e.g., National Economic Research Associates v. Evans, 21 Mass. L. Rptr. No. 15, at 337 (Mass.Super.Ct. Sept. 25, 2006) (employee used a company laptop to send and receive attorney-client communications by e-mail using his personal, password-protected Yahoo account and not the company's e-mail address); In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (Bankr.S.D.N.Y.2005) (four-part test to “measure the employee's expectation of privacy in his computer files and e-mail”: (1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies); Convertino v. U.S. Dep't of Justice, --- F.Supp.2d ----, 2009 U.S. Dist. LEXIS 115050, *33-34 (D.D.C. Dec. 10, 2009) (finding reasonable expectation of privacy in attorney-client e-mails sent via employer's e-mail system); Curto v. Medical World Communications, Inc., 99 Fed. Empl. Prac. Cas. (BNA) 298 (E.D.N.Y. May 15, 2006) (employee working from a home office sent e-mails to her attorney on a company laptop via her personal AOL account).
Of great interest in the cloud context, the Court noted that
[b]oth Evans and Asia Global referenced a formal ethics opinion by the American Bar Association that noted "lawyers have a reasonable expectation of privacy when communicating by e-mail maintained by an [online service provider]” (citing ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 413 (1999)).
Other courts have found to the contrary, rejecting any expectation of privacy, especially where an employee uses a company email system. See, e.g., Smyth v. Pillsbury Co., 914 F.Supp. 97, 100-01 (E.D.Pa.1996) (finding no reasonable expectation of privacy in unprofessional e-mails sent to supervisor through internal corporate e-mail system); Scott v. Beth Israel Med. Ctr., Inc., 17 Misc.3d 934, 847 N.Y.S.2d 436, 441-43 (N.Y.Sup.Ct.2007) (finding no expectation of confidentiality when company e-mail used to send attorney-client messages).
Limits on Company Policies
Naturally, the Court's decision does not deny employers the ability to restrict personal communications by employees using web-based cloud services on company-owned computers. To the contrary:
Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy.
However, there are limits – and the Court signaled that an employer will not be able to enforce a policy that prohibits all personal communications and reserve the right to read attorney-client communications:
[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual-that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system-would not be enforceable.
Takeaways
Takeaway One - employers must craft carefully worded computer and social media use policies that are realistic in today's socially networked world of telecommuting, where the professional and personal lives of employees overlap.
Takeaway Two - where cloud technologies allow the integration of work and personal life, and where an employer does not prohibit all personal use, no written policy can deprive an employee of any reasonable expectation of privacy (at least in New Jersey). Instead, employers will have to be sensitive to the peculiar problems raised by discovery of employee information in the cloud (whether they already have access to it or have to seek it from a cloud service provider through third party discovery) and address those issues on a case-by-case basis.
