Ruling a Reminder to Update E-Communication Policies

Companies may want to tighten up their electronic communications policies in light of a recent court ruling.

Affirming an appellate decision, the New Jersey Supreme Court ruled unanimously in Stengart v. Loving Care Agency Inc. that attorney-client privilege applied to e-mails sent by an employee using a company-issued laptop to her lawyer through a personal Web-based e-mail account, shooting down her employer's contention that its electronic communications policy eliminated her expectation of privacy.

The plaintiff, Marina Stengart, a nursing manager at Loving Care Agency, sent e-mails to her lawyer from her personal Yahoo account using her company-issued laptop to communicate about an employment discrimination lawsuit she later filed against the company.

A computer forensics expert hired by Loving Care in anticipation of discovery recovered some e-mails that were automatically saved to the computer's hard drive by her Web browser. Loving Care's lawyers reviewed the e-mails and used the information during discovery. Stengart's attorney sought to have them returned under the attorney-client privilege.

Loving Care argued that its electronic communications policy eliminated Stengart's expectation of privacy. The policy allowed for incidental personal use, but specified that the company reserved the right to "review, audit intercept, access, and disclose all matters on the company's media systems and services at any time with or without notice."

The court disagreed, and found that Stengart had a reasonable expectation of privacy because she used a personal e-mail account; she didn't store her password on the laptop; the company's policy didn't specifically address use of private Web-based e-mail; and the e-mails were clearly subject to attorney-client privilege, and included a warning to that effect.

"Under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them," Chief Justice Stuart Rabner wrote in the March 30 decision.

Given the public policy concerns underlying the attorney-client privilege, the court said that even a "more clearly written company manual—that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system—would not be enforceable."

Rabner also held that review of the privileged e-mails by Loving Care's counsel breached professional conduct rules and remanded the case to the trial court to determine what, if any, sanctions should be imposed.

Chris Wolf, co-chair of the privacy and data security group at Hogan & Hartson, says the ruling underscores the importance of a well-drafted electronic communications policy.

"While this case is limited to New Jersey, the issue of reasonable expectation of privacy is one that's nationwide," says Wolf. "There's no reason to think other courts might not give deference to this unanimous and influential decision."

Unfortunately, he says, "Most companies don't have this issue covered." Companies may need to add more specificity to their existing e-communications policies to make it clear that, even where incidental personal use is allowed, there's no expectation of privacy.

Such a policy should also make it clear that the company has the right to monitor all communications sent using company equipment, including those that are attorney-client privileged and personal Web-based e-mails, and should clarify that such e-mails can end up being stored and subject to review. Companies should also prohibit use of company resources for personal attorney-client communications and make it clear that they can sanction violations.

Additionally, Wolf says those tasked with monitoring e-communications should be instructed to return personal attorney-client privileged communications without reviewing them.

While they're at it, he says companies should revise their policies, if they haven't already, to include rules on employees' use of social media Websites, since even personal use of those sites can create major liability for employers.

"Social media isn't typically addressed in companies' e-communication policies, but it ought to be," says Wolf.