The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.
Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.
The New Jersey Supreme Court has ruled on the appeal and found that the employee
“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”
The court went a step further and chastised the company’s lawyers for reading and using privileged documents.
The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.
Computer use policy
The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.
Attorney Client Communication
The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.
In my opinion, the nature and content of these emails made this an easy decision for the court.
The decision does not mean that a company cannot monitor or regulate the use of workplace computers.
- A policy should be clear that employees have no expectation of privacy in their use of company computers.
- A policy needs to explicitly not address the use of personal, web-based e-mail accounts accessed through company equipment.
- A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.