The Case: The opinion of the New Jersey appellate court in Stengart v. Loving Care Agency, Inc., No. A-3506-08T1 (Appellate Division/Superior Court, N.J. 2009) is must reading for an employer who provides e-mail access to its employees (practically all employers!), since it deals specifically with whether personal (non business) e-mail messages exchanged by an employee and his or her lawyer over the employer’s computer system may be accessed and read by the employer, and it discusses generally the enforceability of company policy pertaining to employee privacy.
In Stengart, the employer had provided the employee with a laptop computer, a work e-mail address and a personal, web-based, password-protected Yahoo e-mail account. Prior to her resignation and in anticipation of suing the employer for discrimination, the employee communicated with her attorneys about this suit-a personal matter-by e-mail using this laptop and e-mail account. After her resignation and filing this suit, the employer extracted and created a forensic image of the hard drive from the computer the employee had been given. In using this image to review the employee’s Internet browsing history, the employer’s attorneys discovered and read the e-mail communications between the employee and her attorneys. Upon learning that the employer’s attorneys had those e-mail communications, the employee’s attorneys demanded, among other things, that the communications be returned to the employee. This request found its way to the New Jersey appellate court.
The employee claimed that the e-mail communications were protected by attorney-client privilege. The employer countered that, according to company policy, the employer had the right to access and review any e-mail sent or received over equipment it provided. The Court stated that it needed to review the enforceability of the company policy, and this review requires a balancing of the company’s right to create and obtain enforcement of reasonable rules for conduct in the workplace against the need to maintain the attorney-client privilege.
The Court started its review by saying that New Jersey courts have recognized that employers may unilaterally disseminate company rules and policies through handbooks or manuals and impose their contents on employees. However, an employer’s rules and policies must be reasonable, in that they must concern the terms of employment and reasonably further the legitimate business interests of the employer, to be enforceable by the courts. Here, the company policy reflects the entirely proper imposition of the employer’s right to own and possess communications made by the employee in the furtherance of the employer’s business. As interpreted by the employer, however, the policy purports to reach into the employee’s personal life without a sufficient nexus to the employer’s legitimate interests. The employer’s claimed right to the employee’s personal information seems to be based principally on the fact that the computer used to make personal communications is owned by the employer. The Court stated that it does not accept the employer’s ownership of the computer as the sole determinative fact in determining whether to enforce a policy by which an employee’s personal e-mails may become the company’s property. Such a policy furthers no legitimate business interest. Individuals possess a reasonable expectation that personal communications will remain private.
The Court continued its review by noting that, under New Jersey law, communications between a lawyer and client in the course of their relationship and in professional confidence are privileged. The Court weighed the need to maintain the attorney-client privilege, which applies to the e-mails exchanged between the employee and her attorneys in this case, against the employer’s claimed interest in ownership of or access to those e-mails based on company policy, and held that the latter must give way. Accordingly, the Court ruled that those e-mails were protected by the attorney-client privilege, and that the copies of the e-mails held by the employer’s attorneys should be returned to the employee.
Thoughts for Employers: We may not have heard the last of this case, since the Court’s decision is still subject to review in New Jersey. Also, it is not clear how the courts in other states would handle the issues presented. But while we are waiting for further judicial developments, we can note that the language of the Court’s opinion provides instruction on what is required for company policy on personal use of employer-provided computers and media systems, and probably on any other matter pertaining to employee privacy in the workplace, to be enforceable. To obtain enforceability, such company policy needs to be:
— clearly written and reasonable;
— concerned with the terms and conditions of employment; and
–consistent with the employer’s legitimate interests, e.g., the need to have an employee spend the workday focusing on his or her job, rather than attending to personal matters.
As to the policy pertaining to personal use of employer-provided computers and media systems, the policy may permit personal use-given that it is almost impossible to enforce a policy permitting no personal use-so long as the personal use does not interfere with providing sufficient attention to and the timely completion of work. The policy could have additional restrictions on personal use, e.g., allowing personal use only during lunch time and other designated work breaks. It should emphasize that an employee is not entitled to an expectation of privacy in any messages exchanged over the employer’s computers and media systems. The policy should allow the employer to access and review all personal messages exchanged on its computers and media systems, except where the law requires otherwise. To avoid violating the law, e.g., when the communication being reviewed is subject to the attorney-client privilege, the policy can identify one person, such as the human resource director, as the only person who can access and review any employee messages, and mandate that if any such message appears to be confidential by law, the message be discarded and its contents not revealed to any other person or used for any purpose.
In any event, Stengart provides an impetus for an employer to review and revise its policies on an employee’s personal use of employer-provided computers and media systems, and on other matters pertaining to employee privacy in the workplace, or to develop and disseminate such policies if the employer does not already have them.