Is Your e-Mail at Work Private?

Is “Big Brother” watching? Is your employer monitoring your online activities? Do employers have such a right? In the United States, the standard rule of conventional legal wisdom for the past several years has been that anything an employee does on company-provided computers is owned by and subject to review by the employer. This means that employees should have a very low expectation of privacy, as that term has evolved from the jurisprudence of the Fourth Amendment to the U.S. Constitution in the confidentiality of communications to or from the workplace.¹ 

Nearly every pharmacist employed in a medium- to large-size organization has had to sign an acknowledgement that he or she has received and read an employee handbook or similar document. Undoubtedly, somewhere in that policy manual, there is a section that addresses “electronic privacy” or prohibitions on the use of company property for personal communications. In almost all cases, there is a warning to the effect that the organization can and will access employee e-mail and other activities conducted on corporate computers or other equipment. The question is: How enforceable are those edicts? 

Electronic Privacy

There have been a few exceptions to the standard doctrine of electronic privacy where courts have recognized rights of privacy to e-mail communications. In perhaps the first case of its kind, the Sixth Circuit Court of Appeals ruled that the federal government cannot access e-mail stored with an Internet service provider (ISP) like Yahoo unless it notifies the sender first or shows that the individual does not consider the e-mail private. The ruling was based on the conclusion that most people think e-mail, like letters or phone conversations, is private and protected under the Fourth Amendment against unreasonable government searches and seizures.² 

The case arose after the federal government brought a criminal suit against the owner and operator of a company that sells herbal supplements, including diet and penis-enlargement pills. The owner was indicted in 2006 on 107 counts of wire fraud, bank fraud, and other crimes allegedly connected with the sale of the dietary supplements. He pleaded not guilty to the charges. While investigating the company in 2005, the government obtained a court order for Yahoo and another communications corporation to turn over e-mails in defendants’ accounts. The order was issued under the 1986 Stored Communications Act, which said the government just has to show that the e-mails are relevant to an investigation—no need to notify the e-mail sender or to get a warrant based on probable cause that the sender did something wrong. The theory is that the sender has voluntarily disclosed the e-mails to the ISPs and thus given up any claim that they are private. But when the owner found out what the ISPs had done, he filed a lawsuit in which he argued that he did not give the ISPs permission to read them any more than we give the phone company permission to listen in on phone calls. He claimed that he reasonably expected that the contents of the e-mails were private, and if the government wanted them, it would have to prove otherwise or get a warrant. The appeals court agreed and blocked the government from seizing any more e-mails.³ 

Facts of the Case

In a more recent case from the New Jersey Court of Appeals, a trial court ruling holding that the defendant company had a right to examine data on its own computers was reversed because the plaintiff had not been told of the employer’s policy on computer use.⁴ In that case, the executive director of nursing for a home health care agency⁵ used her company-issued laptop to exchange e-mails with her attorney using her personal ISP password-protected account. She resigned her position and sued the company for discrimination under New Jersey law.⁶ The e-mails pertained specifically to her anticipated lawsuit against the company. 

During the discovery phase of the trial, it was learned that a computer forensic expert hired by the defendant recovered several personal e-mails from the former employee’s laptop. After the defendant’s attorney made reference to those e-mails, the plaintiff’s counsel objected and demanded that they be returned as part of an attorney-client privileged work product. The trial court refused to order the return of the e-mails, ruling that attorney-client privilege had been waived because the defendant owned the computer on which the messages were generated. The trial court based its ruling, in part, on the defendant’s written policy of banning use of its computers for personal communications. That policy, ruled the trial court judge, should have put the plaintiff on notice that her e-mails would be viewed as company property.⁷ 

The plaintiff argued that the company failed to demonstrate it had ever adopted or distributed such a policy, that she was unaware of an electronic communications policy that applied to executives such as herself, and that if such a policy existed, the company had not previously enforced it. In response, the company asserted that it had disseminated a handbook containing the policy, that the policy was finalized approximately 1 year before the plaintiff sent the e-mails in question, and that the policy’s provisions applied to all employees, including executives, without exception. 

Noting that there were at least five different draft versions of the handbook under various degrees of completion before the plaintiff left her position, the Court of Appeals expressed doubt whether the policy cited by the company had ever been finalized, formally adopted, or disseminated to employees. The court stated in its opinion:  

In short, although the matter is not free from doubt, there is much about the language of the policy that would convey to an objective reader that personal e-mails, such as those in question, do not become company property when sent on a company computer, and little to suggest that an employee would not retain an expectation of privacy in such e-mails.…We reject the company’s ownership of the computer as the sole determinative fact in determining whether an employee’s personal e-mails may become the company’s property. 

The court then referred to another case that had ruled that “a computer is little more than a file cabinet for personal communications.”⁸ Using this analogy, it wrote:  

Property rights are no less offended when an employer examines documents stored on a computer as when an employer rifles through a folder containing an employee’s private papers or reaches in and examines the contents of an employee’s pockets; indeed, even when a legitimate business purpose could support such a search, we can envision no valid precept of property law that would convert the employer’s interest in determining what is in those locations with a right to own the contents of the employee’s folder of private papers or the contents of his pocket. 

Although plaintiff’s e-mails to her attorney related to her anticipated lawsuit with the company, the company had no greater interest in those communications than it would if it had engaged in the highly impermissible conduct of electronically eavesdropping on a conversation between plaintiff and her attorney while she was on a lunch break. 

Certainly, the electronic age—and the speed and ease with which many communications may now be made—has created numerous difficulties in segregating personal business from company business. Today, many highly personal and confidential transactions are commonly conducted via the Internet, and may be performed in a moment’s time.…Regardless of where or how those communications occur, individuals possess a reasonable expectation that those communications will remain private.⁹ 

In perhaps a broader connotation to other situations, the court said: 

When an employee, at work, engages in personal communications via a company computer, the company’s interest…is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications. 

Potential Outcomes

The New Jersey Supreme Court has agreed to review this case.¹⁰ The outcome of that opinion could have a dramatic effect on any of the language, rulings, and policies adopted by the Court of Appeals. It should be noted that the court might have ruled otherwise had the defendant company produced convincing evidence that it had disseminated a complete and finalized electronic privacy policy prohibiting the use of company computers for personal communications. In other words, a company may be able to prohibit the use of its equipment for personal business, but the burden is on the employer to show that it has communicated such policies to employees in clear and unambiguous terms. 

What the court did is shift the burden of proof from a presumption that the company owns all of the information on its computers to a requirement that the company prove it has full ownership policies in place before an employee attempts to use the equipment for personal reasons. That is certainly a major change from conventional wisdom. It will be interesting to see how other courts review similar questions. 

REFERENCES

1. According to the Fourth Amendment to the U.S. Constitution: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
2. Holding R. E-mail privacy gets a win in court. Time. June 21, 2007. www.time.com/time/nation/ article/0,8599,1636024,00.html . Accessed November 24, 2009.
3. Id.
4. Stengart v. Loving Care Agency, Slip Op No A-3506-08T1 (June 26, 2009). www.employerlawreport.com/ uploads/file/Steingart%20v_% 20Loving%20Care.pdf. Accessed November 24, 2009.
5. Loving Care Agency, Inc. www.lovingcareagency.com. Accessed November 24, 2009.
6. The New Jersey Law Against Discrimination. NJSA 10:5-1 to 10:5-49.
7. The entire policy is available online. See note 2, supra.
8. See Thyroff v. Nationwide Mutual. Ins. Co., 864 NE2d 1272 (NY 2007).
9. Citations omitted. See note 2, supra.
10. New Jersey Appeals Court broadly construes employee’s “right to privacy” using company computers. Workplace Privacy Counsel. June 30, 2009. http://privacyblog.littler. com/2009/06/articles/email- communications/new-jersey- appeals-court-broadly- construes-employees-right-to- privacy-using-company- computers/. Accessed November 24, 2009. 

To comment on this article, contact rdavidson@uspharmacist.com.