Protecting Privacy and Privilege in the Digital Workplace
Mobility is the status quo for the corporate world – the more portable the “workplace” becomes, the more productive employees can be. Employees also enjoy the quick accessibility and connectivity that advanced technology provides, and often use company equipment to conduct personal business. However, the convenience of using work-issued devices interchangeably for personal communications comes with the risk of losing privacy, especially if employees choose to use company equipment to exchange privileged e-mails with their private attorneys. Several courts have tackled this delicate balance between an employer’s right to monitor use of company-issued equipment and an employee’s right to privacy.
One example of company policy overriding the attorney-client privilege is highlighted in Alamar Ranch, LLC v. County of Boise.[1] In this case, the District of Idaho found that an employee waived the attorney-client privilege when she used her work e-mail address to exchange privileged information with her attorney. An important factor in the court’s decision was the company’s adherence to an airtight privacy policy, which unambiguously reserved “the right to review, audit, intercept, access, and disclose all messages created, received, or sent over the email system for any purpose.” Responding to the plaintiff’s claim that she was unaware her computer e-mails were monitored, the court emphatically stated, “It is unreasonable for any employee in this technological age...to believe that her e-mails, sent directly from her company’s e-mail address over its computers, would not be stored by the company and made available for retrieval.”
However, there appears to be a fine line between the scope of legitimate business interests and an employee’s privacy rights. With a slight – but critical – twist of the facts from Alamar Ranch, the New Jersey Supreme Court concluded in Stengart v. Loving Care Agency[2] that a plaintiff did not waive her attorney-client privilege when those communications landed in the hands of her former employer. Like the plaintiff in Alamar Ranch, Stengart communicated with her attorney using her work-issued computer, but she did so via her private, password-protected Yahoo! account rather than her work e-mail. Moreover, Loving Care’s usage policy was ambiguously worded such that Stengart was not properly notified that the company might access and monitor her personal communications. Ultimately, the court held that an employee has a substantive right to privacy in password-protected e-mails, with heightened protection when attorney-client communications are at stake, and that such communications are outside the scope of employment.
For the time being, the United States Supreme Court has passed on issuing a broad ruling addressing an employee’s reasonable expectation of privacy with regard to company-issued equipment. However, in City of Ontario, California v. Quon,[3] the Supreme Court narrowly addressed an employer’s right to monitor the content of employees’ personal communications via company-issued equipment. At issue were text messages sent by a police officer, Jeff Quon, using his work-issued pager (privilege was not an issue). The Ontario Police Department reviewed transcripts of Quon’s text messages to determine whether the officers were allotted sufficient character amounts since Quon had exceeded the limit several times. Finding the City of Ontario possessed a “legitimate interest” for the search, the Supreme Court determined the method of text message transcript review was reasonable.
The Quon decision highlights the importance of a well-drafted, clearly communicated technology and network use policy. The City of Ontario created and implemented such a policy and communicated the policy requirements to all employees. Although the policy did not address pager text messages specifically, the City conveyed to all employees that text messages would be treated in the same manner as e-mail messages. The documented steps the City undertook helped overcome Quon’s argument that text messages were not a designated part of the use policy and thus could not be monitored.
As demonstrated by these cases, different courts may emphasize different factors, but a valuable lesson for companies is that establishing and adhering to a comprehensible company privacy and usage policy is essential. Because each case is fact-specific, an employer raises its likelihood of success if it can demonstrate that an unambiguous policy was established and clearly conveyed to all employees. Policies must also be frequently reviewed and updated to include new and emerging technology, such as social networking.