A decision from the New Jersey Supreme Court is required reading for any company with a policy setting out acceptable email and online use for its employees.
In Stengart v. Loving Care, the NJ Supreme Court addressed how much privacy and confidentiality an employee could expect when she exchanges personal emails with her attorney via a password-protected, web-based email account accessed on a company computer.
Loving Care provided Stengart with a laptop to use for company business, from which she had access to the Internet through Loving Care's computer server. Stengart used the laptop to access a personal, password-protected Yahoo email account on Yahoo's website, by which she communicated with her attorney about her work situation. Stengart was unware that the computer's browser software automatically saved a copy of each webpage Stengart viewed-- including each email message she exchanged with her attorney-- on the computer's hard drive.
Loving Care had a forensic image created of the computer's hard drive, and that image included several emails exchanged between Stengart and her attorney. Attorneys for Loving Care reviewed those emails and used the information in discovery. Stengart's attorney demanded that the emails be returned, and Loving Care's attorneys argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer based on the company's policy on electronic communications.
The Court determined that the attorney-client privilege protected the emails, and that under the electronic communications policy, an employee retained an expectation of privacy in personal emails sent on a company computer.
In reviewing Loving Care's electronic communications policy, the Court determined that the policy did not explicitly put employees on notice that emails exchanged by means of a web-based email service (e.g. Google, Yahoo, Hotmail) would be monitored by the company. Nor did the policy warn employees that the contents of personal web-based emails are 1) stored on company computers, and 2) can be retrieved and read. In addition, the Court considered the policy ambiguous because on the one hand it stated that emails "are not to be considered private or personal," but on the other hand allowed "occasional personal use" of email.
Takeaways for companies: 1) be specific about what is prohibited use in an electronic communications policy; 2) address the use of web-based email accessed from company computers-- if the company stores or monitors those communications, then the policy should clearly say so; 3) explain that those personal communications are stored on the company's computer, and can be retrieved and monitored; and 4)emphasize that occasional personal email use is not private, even if it is allowed under the policy.