Can an employer lawfully monitor personal e-mail messages sent by an employee through the employee’s personal, password-protected web-based account if such messages are sent using the employer’s computer? Court decisions over the past few months suggest problems for employers who attempt to do so, though the decisions do suggest a recommended course of action for employers to avoid potential exposure.
To be clear: The issue at the moment is not whether an employer can monitor communications sent or received using the company’s e-mail over the company’s computer system. At the moment, the discussion involves personal e-mails sent through a personal (non-company) e-mail account, albeit accessed or sent on a company’s computer system. Two cases this summer found that an employee does not automatically waive all rights in all cases simply because he or she communicates using an employer’s computer.
On July 16, 2010, the Wisconsin Supreme Court decided the case of Schill v. Wisconsin Rapids School District, and held that a public school teacher’s personal e-mails are not necessarily deemed to be government “records” under the Public Records Law merely because they may have been sent and received on computer systems owned by the government, if the messages are not related to a governmental function. Five days later, on July 21, 2010, a California appellate court held in Mimi Shanahan v. Superior Court that a bank executive did not waive his right to privacy of a confidential document when he e-mailed it to his personal secretary. The court there noted that the executive had given the document to his one assigned secretary in confidence to print or proofread, as opposed to sharing it generally and openly with a secretary pool or the secretary of another employee.
Critical to the outcome of these cases is the precise nature of an employer’s communicated policy, and the extent to which the employee had an expectation of privacy in the e-mail being sent. Recent decisions in New Jersey and New York highlight the importance of the employer’s particular policy. For example, on March 30, 2010, the Supreme Court of New Jersey issued a decision in Stengart v. Loving Care Agency, Inc. that also landed on the side of the employee’s privacy rights. In Stengart, the employee sent e-mail messages to an attorney over a work-issued laptop computer, though using the employee’s personal web-based and password-protected account. The court found that the employee did not waive the attorney-client privilege under those circumstances, relying on the employer’s policy:
[T]he policy does not address the use of personal, web-based e-mail accounts accessed through company equipment. It does not address personal accounts at all. Nor does it warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company. Indeed, in acknowledging that occasional personal use of e-mail is permitted, the policy created doubt about whether those e-mails are company or private property.
One can contrast that New Jersey opinion with the 2007 decision by the New York County Supreme Court in Scott v. Beth Israel Medical Center, Inc., where a physician exchanged e-mail with an attorney over the hospital’s computer system. The court held that the employee did waiver the attorney-client privilege, finding that the confidential nature of the communications no longer existed. In stark contrast to the policy in Stengart, the employer’s policy in Scott apparently prohibited all personal use of e-mail and at the same time expressly provided for employer monitoring.
Employer Take Away: What should every employer take away from this development? As these recent cases suggest, the mere fact that an employee communicates through a personal e-mail account using a company-owned system does not by itself eliminate all expectation of privacy to which the employee is entitled. Thus, employers should at a minimum:
(1) Make sure to understand and consider the law in the particular jurisdiction in which the employer operates its business to determine whether, and to what extent, searching or monitoring employee electronic communications may expose the employer to liability; and
(2) Create effective policies that account for potential social media permutations that may occur, and reduce employee privacy expectations by obtaining appropriate employee acknowledgments that expressly recognize the employer’s right to monitor and retrieve even personal web sites and messages accessed through company-owned systems.