Privacy, Privilege, and the Cloud, Oh My: Taking LovingCare to Heart
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation.
The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis below.
What Happened Here?
LovingCare involved employee Marina Stengart's use of a company-issued laptop to exchange e-mails with her lawyer through her personal, password-protected, web-based Yahoo! e-mail account. “On several days in December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop.”
How did LovingCare get access to those materials without a password? “Unbeknownst to Stengart, certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer's hard drive in a ‘cache’ folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.” Stengart filed an employment discrimination lawsuit against LovingCare. “In anticipation of discovery, LovingCare hired a computer forensic expert to recover all files stored on the laptop including the e-mails, which had been automatically saved on the hard drive. LovingCare's attorneys reviewed the e-mails and used information culled from them in the course of discovery.” LovingCare easily found the personal email. “Among the items retrieved were temporary Internet files containing the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account.”
Interestingly, Stengart's lawyer demanded that his communications with Stengart, which he considered privileged, be identified and returned. LovingCare’s counsel disclosed the documents to Stengart’s lawyer, but argued that the company had the right to review them. Stengart sought relief.
LovingCare's Electronic Communications Policy
LovingCare's Electronic Communication policy was part of its “Administrative and Office Staff Employee Handbook.” The Policy at issue provided that LovingCare
reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company's media systems and services at any time, with or without notice. . . . E-mail and voice mail messages, internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee. The principal purpose of electronic mail (e-mail ) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.
The Policy prohibited “‘[c]ertain uses of the e-mail system’ including sending inappropriate sexual, discriminatory, or harassing messages, chain letters, ‘[m]essages in violation of government laws,’ or messages relating to job searches, business activities unrelated to LovingCare, or political activities" and provided that “‘[a]buse of the electronic communications system may result in disciplinary action up to and including separation of employment.’”
Not surprisingly, LovingCare’s attorneys argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer in light of the company's policy on electronic communications. The trial court found that, as a result of LovingCare’s written policy, Stengart waived the attorney-client privilege by sending e-mails on a company computer. The Appellate Division reversed, holding that LovingCare's counsel violated New Jersey Rule of Professional Conduct 4.4(b) by reading and using the privileged documents. Rule 4.4(b) states that “[a] lawyer who receives a document and has reasonable cause to believe that the document was inadvertently sent shall not read the document or, if he or she has begun to do so, shall stop reading the document, promptly notify the sender, and return the document to the sender.”
The New Jersey Supreme Court's Conclusion
In a ruling based on these very particular factual circumstances, the New Jersey Supreme Court held that Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based email account, accessed on a company laptop, would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them. The Court further found that, by reading e-mails that were at least arguably privileged and failing to notify Stengart promptly about them, LovingCare's counsel breached New Jersey's Rule of Professional Conduct 4.4(b) The Court remanded to the trial court to determine what, if any, sanctions should be imposed on counsel for LovingCare.
How Did the Court Get There?
In resolving the LovingCare matter, the New Jersey Supreme Court looked to both privacy and privilege concerns:
Our analysis draws on two principal areas: the adequacy of the notice provided by the Policy and the important public policy concerns raised by the attorney-client privilege. Both inform the reasonableness of an employee's expectation of privacy in this matter.
Subjective and Objective Expectations of Privacy
In this case, the reasonable-expectation-of-privacy standard derived from the common law:
The common law source is the tort of “intrusion on seclusion,” which can be found in the Restatement (Second) of Torts § 652B (1977). That section provides that “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Restatement, supra, § 652B. A high threshold must be cleared to assert a cause of action based on that tort. . . . A plaintiff must establish that the intrusion “would be highly offensive to the ordinary reasonable man, as the result of conduct to which the reasonable man would strongly object.” Restatement, supra, § 652B cmt. d.
. . . the reasonableness of a claim for intrusion on seclusion has both a subjective and objective component. . . . Moreover, whether an employee has a reasonable expectation of privacy in her particular work setting “must be addressed on a case-by-case basis.” O'Connor v. Ortega, 480 U.S. 709, 718, 107 S.Ct. 1492, 1498, 94 L. Ed.2d 714, 723 (1987) (plurality opinion) (reviewing public sector employment).
Stengart had a subjective expectation of privacy because she “plainly took steps to protect the privacy of those e-mails and shield them from her employer. She used a personal, password-protected e-mail account instead of her company e-mail address and did not save the account's password on her computer.” She had an objective expectation of privacy because the Policy said nothing about such personal emails and her communications were protected by the attorney-client privilege.
It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.
The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by LovingCare.
The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy ac-knowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.
Split in Authority
The Court noted a split in authority in other jurisdictions under the factual circumstances of the case.
Some jurisdictions have reached a similar conclusion, that employees retain a reasonable expectation of privacy, in similar factual circumstances. See, e.g., National Economic Research Associates v. Evans, 21 Mass. L. Rptr. No. 15, at 337 (Mass.Super.Ct. Sept. 25, 2006) (employee used a company laptop to send and receive attorney-client communications by e-mail using his personal, password-protected Yahoo account and not the company's e-mail address); In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (Bankr.S.D.N.Y.2005) (four-part test to “measure the employee's expectation of privacy in his computer files and e-mail”: (1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies); Convertino v. U.S. Dep't of Justice, --- F.Supp.2d ----, 2009 U.S. Dist. LEXIS 115050, *33-34 (D.D.C. Dec. 10, 2009) (finding reasonable expectation of privacy in attorney-client e-mails sent via employer's e-mail system); Curto v. Medical World Communications, Inc., 99 Fed. Empl. Prac. Cas. (BNA) 298 (E.D.N.Y. May 15, 2006) (employee working from a home office sent e-mails to her attorney on a company laptop via her personal AOL account).
Of great interest in the cloud context, the Court noted that
[b]oth Evans and Asia Global referenced a formal ethics opinion by the American Bar Association that noted "lawyers have a reasonable expectation of privacy when communicating by e-mail maintained by an [online service provider]” (citing ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 413 (1999)).
Other courts have found to the contrary, rejecting any expectation of privacy, especially where an employee uses a company email system. See, e.g., Smyth v. Pillsbury Co., 914 F.Supp. 97, 100-01 (E.D.Pa.1996) (finding no reasonable expectation of privacy in unprofessional e-mails sent to supervisor through internal corporate e-mail system); Scott v. Beth Israel Med. Ctr., Inc., 17 Misc.3d 934, 847 N.Y.S.2d 436, 441-43 (N.Y.Sup.Ct.2007) (finding no expectation of confidentiality when company e-mail used to send attorney-client messages).
Limits on Company Policies
Naturally, the Court's decision does not deny employers the ability to restrict personal communications by employees using web-based cloud services on company-owned computers. To the contrary:
Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy.
However, there are limits – and the Court signaled that an employer will not be able to enforce a policy that prohibits all personal communications and reserve the right to read attorney-client communications:
[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual-that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system-would not be enforceable.
Takeaway One - employers must craft carefully worded computer and social media use policies that are realistic in today's socially networked world of telecommuting, where the professional and personal lives of employees overlap.
Takeaway Two - where cloud technologies allow the integration of work and personal life, and where an employer does not prohibit all personal use, no written policy can deprive an employee of any reasonable expectation of privacy (at least in New Jersey). Instead, employers will have to be sensitive to the peculiar problems raised by discovery of employee information in the cloud (whether they already have access to it or have to seek it from a cloud service provider through third party discovery) and address those issues on a case-by-case basis.