Posted by: GuyPardon
The Stengart v. Loving Care case that Alexander Howard wrote about in “The Web of social media and compliance: The ECPA and online privacy” is a very interesting one and merits closer examination. In that case, a New Jersey appellate court held that an employee did not waive her attorney-client privilege in communications with her lawyer that she sent through her personal Yahoo email account using a work computer, despite the employer’s attempts to argue that its electronic communications policy made the emails its property.
While the court’s opinion contains some lofty language about how an employer’s right to regulate its workplace is not limitless, the case actually turned on several key facts. Therefore, like the Pietrylo case discussed in my article on employee social media use policy, it can be seen as a case study in botched compliance.
The first half of the opinion deals with questions about the following:
- Whether the electronic communications policy was even in force and applied to the plaintiff.
- Whether or not it was disseminated and the plaintiff had notice of it.
- Which version (of several) was the applicable one.
- How the policy was to be interpreted in light of its rather shoddy drafting and contradictory statements regarding the allowance of personal communications.
The appellate court found that the lower court had not conducted a proper evidentiary inquiry concerning these issues. In particular, how a policy is drafted and how it should objectively be interpreted have a huge impact on what sort of online privacy expectations it is reasonable for an employee to have. The court also specifically noted that the employer had not followed the customary practice of obtaining from its employees a signed acknowledgment of the policy.
The policy also took the position that communications made using work computers became the “property” of the employer, which clearly rubbed the court the wrong way. To sum up, the policy might not have been so offensive to the court if it:
- Had been limited to specifying a right to monitor;
- Had linked this right to a clear, unambiguous and customary set of prohibitions regarding personal communications; and
- Had been consented to in writing by the plaintiff.
Last but not least, the lofty statements about privacy in the workplace that I referred to earlier have no significant effect as precedent. As the court itself admitted, the real issue in the case was not defining the scope of the restrictions on an employer’s ability to access personal employee communications made using corporate IT resources. Instead, it was whether the plaintiff, in the particular facts and circumstances of the case, should lose her attorney-client privilege in certain emails.
The attorney-client privilege is sacred, particularly in New Jersey, as I know from past experience there. Courts will strain to avoid finding that a waiver has occurred, except in situations where a litigant behaves as if it doesn’t care whether its communications with an attorney are intercepted or not. In Stengart, the court effectively concluded that, despite the electronic communications policy, the plaintiff had not exhibited that level of indifference. The defendant’s law firm also seems to have behaved badly by reading the attorney-client emails and not alerting the plaintiff’s counsel that it had possession of these emails.
So, a small victory for employee online privacy at best, but one that contains important lessons for corporate compliance officers and counsel.