Online Privacy archives - IT Compliance Advisor


Aug 19 2009   9:03PM GMT

The impact of Stengart v Loving Care on employee online privacy



Posted by: Alexander Howard
Security, Stengart v Loving Care, Electronic Communications Privacy Act, privacy, online privacy, compliance, cyberlaw, precedent, email, social media

This is a guest post from SearchCompliance.com contributor Andrew M. Baer, Esq. You can follow him at @baerbizlaw on Twitter.

The Stengart v. Loving Care case that Alexander Howard wrote about in “The Web of social media and compliance: The ECPA and online privacy” is a very interesting one and merits closer examination. In that case, a New Jersey appellate court held that an employee did not waive her attorney-client privilege in communications with her lawyer that she sent through her personal Yahoo email account using a work computer, despite the employer’s attempts to argue that its electronic communications policy made the emails its property.

While the court’s opinion contains some lofty language about how an employer’s right to regulate its workplace is not limitless, the case actually turned on several key facts. Therefore, like the Pietrylo case discussed in my article on employee social media use policy, it can be seen as a case study in botched compliance.

The first half of the opinion deals with questions about the following:

  • Whether the electronic communications policy was even in force and applied to the plaintiff.
  • Whether or not it was disseminated and the plaintiff had notice of it.
  • Which version (of several) was the applicable one.
  • How the policy was to be interpreted in light of its rather shoddy drafting and contradictory statements regarding the allowance of personal communications.

The appellate court found that the lower court had not conducted a proper evidentiary inquiry concerning these issues. In particular, how a policy is drafted and how it should objectively be interpreted has a huge impact on what sort of online privacy expectations it is reasonable for an employee to have. The court also specifically noted that the employer had not followed the customary practice of obtaining from its employees a signed acknowledgment of the policy.

The policy also took the position that communications made using work computers became the “property” of the employer, which clearly rubbed the court the wrong way. To sum up, had the policy:

  1. been limited to specifying a right to monitor;
  2. linked this right to a clear, unambiguous and customary set of prohibitions regarding personal communications; and
  3. been consented to in writing by the plaintiff,

it might not have been so offensive to the court.

Last but not least, despite the lofty statements about privacy in the workplace that I referred to earlier, these have no significant effect as precedent. As the court itself admitted, the real issue in the case was not defining the scope of the restrictions on an employer’s ability to access personal employee communications made using corporate IT resources. Instead, it was whether the plaintiff, in the particular facts and circumstances of the case, should lose her attorney-client privilege in certain emails.

The attorney-client privilege is sacred, particularly in New Jersey, as I know from past experience there. Courts will strain to avoid finding that a waiver has occurred, except in situations where a litigant behaves as if it doesn’t care whether its communications with an attorney are intercepted or not. In Stengart, the court effectively concluded that, despite the electronic communications policy, the plaintiff had not exhibited that level of indifference. The defendant’s law firm also seems to have behaved badly by reading the attorney-client emails and not alerting the plaintiff’s counsel that it had possession of these emails.

So, a small victory for employee online privacy at best, but one that contains important lessons for corporate compliance officers and counsel.


Aug 4 2009   2:55PM GMT

What online privacy expectations exist for social media use at work?



Posted by: Alexander Howard
privacy, Security, Web 2.0, Law, Big Brother, Twitter, online privacy, compliance, DLP, e-discovery, social media

If you read Professor Jonathan Zittrain’s rebuttal on cloud computing to Bernard Golden at CIO.com today, you know that both agree that privacy is the No. 1 concern for cloud computing. Compliance officers have to worry about more than just privacy, of course, but protecting the private information of employees and customers alike is a crucial component of any enterprise-class security regimen.

Given, say, Twitter security risks, I knew the premise for SearchCompliance.com contributor Andrew Baer’s recent tips on social media use in the enterprise held considerable merit: Social media platforms demand a clear employee Internet use policy.

[Image: “privacy is dead”, by striatic via Flickr]

When it comes to the details, however, I was left with more questions than answers. I understand that as a lawyer and e-discovery expert, Baer is naturally risk-averse. Moreover, I recognize that he’s forgotten more about e-discovery and the law than I currently know as a journalist.

That said, Baer’s position on online privacy and the rights of the employer to access the online activity or posts of employees veers into more ambiguous territory. Baer writes that a “policy should also state prominently that employees have no expectation of privacy in anything they store or transmit using corporate IT resources or post on the Internet, and that the enterprise reserves the right to monitor all usage of IT resources and Internet postings without notice and does so periodically.”

I imagine most observers can agree that enterprises need to create a Web 2.0 usage policy that extends existing rules and reminds employees of established guidelines for electronic communications and expectations for online privacy. Such guidance is even more crucial in regulated environments, as explained in “Compliance concerns dog enterprise 2.0 collaboration software.”

Baer acknowledges the privacy issue: “Monitoring employee Web 2.0 use and terminating or disciplining an employee based on that use can raise legal privacy issues if an enterprise’s Web 2.0 strategy is not well planned and administered.”

The bottom line, however, is that Baer’s advice to compliance officers would appear to extend far beyond IT compliance into something else that he appropriately calls “Big Brother”-like action. As Baer observes, “Some employers may not want to go this far, since policing what employees say outside of work may seem Orwellian and lead to image problems.”

Image problems may just be the tip of the iceberg. I’m left wondering what other e-discovery experts, attorneys, security experts and compliance officers think about online privacy in this context.

George Moraetes, an independent security consultant for Securityminders Inc. in Illinois, agreed via email with Baer that “employees should have no expectation of privacy in anything they store or transmit using corporate IT resources.”

Moraetes wrote “that is a correct assumption, most companies treat email the same way. Employees have separate accounts using own resources. The only way to assure privacy is to encrypt your transmissions, in addition to using aliases. Most users are not techies and lack sophistication. Many companies do not implement DLP and NAC systems, although this in itself will not stop it.”

Moraetes went on to describe the issue further:

“I demonstrated to the IRS a project back in 2004, the ability to leak information and not be caught. They told me they would catch anyone — or so they thought.

“In my demonstration to them, I advised that perimeter firewalls all must have ports 80 and 443 open bi-directionally. Otherwise, how would your staff and external users access resources? Obviously, when someone goes to Gmail or even Playboy their network captures and blocks them, reporting them to security — which is a serious offense. In saying that, I launched OpenVPN, communicating directly to my proxy/VPN server from Washington, D.C., to Chicago. I went anywhere that was prohibited and the internal traffic from their DLP systems could not detect or see me. There was nothing they could do about it. There are more ways to skin a cat to breach and leak out information, including Web 2.0 and using TweetDeck, email and the Web. Funneling encrypted traffic can bypass the majority of corporate systems.”

I’m writing an article about online privacy that will capture more viewpoints of other IT practitioners and e-discovery experts. If you have opinions about the use of social media on corporate systems and the online privacy expectations that surround them that you’d like to share, please comment here, @reply to @ITcompliance on Twitter or relate them directly to ahoward@techtarget.com with instructions on whether you’re willing to see them published.

Jul 7 2009   6:46PM GMT

Online privacy? Principles of self-regulation emerge, feds to follow



Posted by: Alexander Howard
Federal Trade Commission, Direct Marketing Association, Advertising, Association of National Advertisers, Pamela Jones Harbour, Online advertising, Better Business Bureau, online privacy, privacy, behavioral marketing, behavioral targeting, privacy compliance, compliance

Last week, a collection of trade organizations announced the release of a set of privacy principles for the use and collection of behavioral data in online advertising. The public adoption of these principles moves the industry towards self-regulation, though whether their implementation will substantially improve protections for the online privacy of consumers remains an open question.

Given the vast amount of data that is being collected online daily, the move can’t come soon enough. Whether the move is enough to head off regulation from Congress is likely a moot point; as my colleague Linda Tucci blogged last week, a national data privacy law is coming. As she noted, “the proposed federal electronic data privacy bill, known as H.R. 2221, was introduced in April with little fanfare but is generating a bit more buzz in the wake of recent hearings on Capitol Hill.”

[Image: The Apex Building, headquarters of the Federal... (via Wikipedia)]

Concern over online privacy is reflected by the relevant regulatory bodies, particularly at the federal level. To wit, as Pamela Jones Harbour, commissioner of the Federal Trade Commission, notes in the release:

“Consumers deserve transparency regarding the collection and use of their data for behavioral advertising purposes. I am gratified that a group of influential associations – representing a significant component of the Internet community – has responded to so many of the privacy concerns raised by my colleagues and myself. These associations have invested substantial efforts to actually deliver a draft set of privacy principles, which have the potential to dramatically advance the cause of consumer privacy. I commend these organizations for taking this important first step. I am hopeful that successful implementation will follow. In the meantime, I encourage the entire privacy community to continue a dialogue that places the interests of consumers first.”

According to the announcement on AAAA.org, these principles were developed by a “cross-industry self-regulatory task force” that included the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association (DMA) and the Interactive Advertising Bureau. The Council of Better Business Bureaus has agreed, along with the DMA, to implement accountability programs “to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices and enable them to exercise control over that information.”

Such protections are commendable, though perhaps somewhat less laudable in the context of looming regulation. In this case, releasing guidance for the protection of online privacy may help head off potential sanctions or fines under new legislation by demonstrating some good faith on the industry’s part. Adoption is another matter. Electronic publishers used to collecting reams of data about Internet audiences are likely to have a new kind of compliance to address in 2010: privacy.
