October 10, 2007

Many employers have policies that limit use of the company’s e-mail system and Internet access to company business. Despite these policies, employees routinely use their employer’s e-mail system and Internet access for personal business, including shopping or playing games on the Internet, sending digital pictures to relatives and personal e-mail messages to friends, and even communicating with their attorneys. Courts have ruled that, if the employer has a clear policy reserving the use of company-owned computers and Internet access for business reasons only, employees have no right to privacy in their e-mail messages or Internet access logs that used company hardware and software.

Some employees, perhaps attempting to avoid employer monitoring, are careful not to use the company e-mail system for personal communications, but use company equipment, such as laptop computers issued to the employee, to send messages to their attorneys through personal accounts such as Yahoo®, Google®, or AmericaOnline®. When the relationship between the employee and the company sours and the employee leaves, does the company have the right to search the employee’s computer (either laptop or desktop) for personal messages, especially if they were not sent or received through the company’s e-mail system? And what if some of those messages involved communications between the employee and his or her private attorney? Normally such communications would be privileged, but if they are on the employer’s computer or e-mail system, has the employee/client waived the privilege? 

What is the attorney-client privilege and how can it be waived?
The attorney-client privilege is important in that it encourages clients to be candid with their legal advisors, and the substance of communications between an attorney and a client is protected from disclosure even if the communications did not result in litigation. Attorneys and their clients have found e-mail to be an efficient and effective way to communicate. If an employer is engaged in litigation with a current or former employee and information relevant to that litigation is discovered on the employer’s computer system, the employer has a clear interest in the substance of that information. Courts have been asked to determine whether the employee’s use of company e-mail systems or computer equipment for confidential communications with an attorney constitutes either a voluntary or a careless involuntary waiver of the privilege.

The attorney-client privilege may be waived voluntarily by the client, or it may be waived involuntarily if the client’s conduct was “so careless as to suggest that it was not concerned with the [protection] of the asserted privilege.”²  The courts have developed four factors to determine whether careless involuntary waiver of attorney client privilege has occurred:

1. The reasonableness of the precautions taken by the producing party to prevent inadvertent disclosure of privileged documents;
2. The volume of discovery versus the extent of the specific disclosure at issue;
3. The length of time taken by the producing party to rectify the disclosure; and
4. The overarching issue of fairness.³

Most courts have ruled that if an employer states specifically in its computer and electronic communications policy that all employee communications may be monitored and that employee use of these services is limited to work-related communications, then the employee has no general expectation of privacy in e-mails or Internet use related to the employer’s systems. But several courts have made an exception for communications between employees and their private attorneys, particularly if the employee used his or her private Internet service provider rather than the employer’s. The cases discussed below are very fact-specific, and are provided as illustrations of how courts evaluate these claims of attorney-client privilege.

When is the privilege waived?
E-mails found to be privileged. Courts have tended to rule that e-mails to an employee’s attorney are privileged if the employee used a private Internet service provider account rather than the employer’s ISP, if the employer had not consistently enforced its computer use policy or if the employee worked from home. For example, in Curto v. Medical World Communications, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006), Curto filed an EEOC charge of sexual harassment and retaliation against her employer after she was discharged. Curto had worked from home and the company had issued her two laptops for business use. She had used both laptops to send e-mails to her attorneys concerning the possibility of suing her employer. Before she returned the laptops to the company, she deleted all personal files and her e-mail communications to her attorneys. During the discovery process for her lawsuit, the company hired a consultant to examine the laptops used by Curto; the consultant was able to reconstruct the deleted communications between Curto and her attorneys. The company notified Curto’s attorneys and they demanded that these communications be returned to the plaintiff as privileged communications.

The magistrate judge supervising the discovery process ruled that the e-mails were privileged, and the defendants appealed to the trial court. In particular, the defendants objected to the magistrate judge’s use of a fifth factor (in addition to the four listed above) to evaluate whether an involuntary waiver of the privilege should be found. The magistrate judge had reviewed the consistency of the employer’s enforcement of its computer use policy, noting that this employer had rarely exercised its right to inspect employee computer files and thus had “lulled [the employees] into a ‘false sense of security’” with respect to personal use of company equipment and Internet access. He also noted that the employee had worked from home, which made it even less likely that the employer would monitor her e-mail use because it did not have access to her laptop. The trial court upheld the magistrate judge’s ruling, extending the privilege to the e-mail communications.

Two cases litigated in Massachusetts state court reached similar conclusions.  In National Economic Research Associates, Inc. v. Evans, 21 Mass. L. Rptr. 337 (Mass. Super. 2006), the facts were similar to those in Curto. Evans, an economic consultant for NERA, was planning to resign his position to join another firm. He used his employer-issued  laptop to communicate with his attorney about various details related to his resignation, but used his personal Yahoo® account rather than using the company’s e-mail system. Evans was unaware that the laptop’s system captured a screen shot of every communication onto the computer’s hard drive. Although Evans deleted all of his personal files before returning the laptop to NERA upon his resignation, and even was cautious enough to run a special program to defragment the hard drive, the screen shots survived.  After Evans’ resignation, his former employer retained a computer expert to retrieve information from the laptop he had returned. When NERA’s attorney realized that some of the retrieved files contained communications between Evans and his attorney, he instructed the computer expert to retain the files but not to review them, and sought guidance from the court as to whether they were privileged.

NERA had a detailed computer and Internet use policy that informed employees that their messages could be retrieved by NERA and that, although limited personal use of the company’s equipment and ISP were allowed, “any misuse of Internet resources can be easily traced.” The judge reasoned that this policy gave Evans fair warning that the company had the right to monitor the e-mails he sent and received using the company’s e-mail system, but did not notify Evans that the company could monitor communications sent using a personal e-mail account. The court ruled that Evans could not have recognized that his communications with his attorney using his personal account could be retrieved by NERA, and that the attempts he made to preserve their confidentiality (deleting all personal files and e-mails, using a program to defragment the hard drive) supported the finding that these communications were privileged.

The same trial judge reached a similar conclusion in TransOcean Capital, Inc. v. Fortin, 21 Mass. L. Rptr. 597 (Mass. Super. 2006). Fortin, an employee of TransOcean, used the company’s e-mail system to send a memo to his personal attorney, seeking legal advice about his relationship with his employer. Transocean did not have its own computer use policy, but claimed that the computer use policy of a human resources consulting firm that managed TransOcean’s employment relations and payroll issues applied to Fortin. The consulting firm’s computer use policy stated that all communications using company systems or equipment belonged to the company, and that the company might monitor employees’ computer usage. The court found that TransOcean had not formally adopted the consulting company’s policy, nor had it informed any employees, including Fortin, that they were subject to this policy.  Therefore, since it was not reasonable to expect that Fortin would have understood that personal e-mails sent using his company e-mail address were not confidential, the court ruled that the e-mails to and from Fortin’s attorneys were privileged. The judge ruled that, because Fortin had disclosed one aspect of his attorney’s legal advice to a third party, that particular aspect of the legal advice was not privileged, but the remainder of the communications apart from that aspect were protected. For a case reaching a similar conclusion because the employer lacked a clear policy reserving the right to monitor employee use of its computer system, see In re: Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005).

E-mails found unprivileged. Two federal trial judges ruled that a specific company policy prohibiting the personal use of company computers and Internet access notified employees that any use was unprivileged. In Long v. Marubeni America Corporation, 2006 WL 2998671 (S.D.N.Y. Oct. 19. 2006), two employees used the company’s e-mail system and the company’s computers to send to and receive e-mails from their attorney. The company’s computer use policy stated that employees “have no right of personal privacy in any matter stored in, created, or sent over the e-mail… and/or Internet systems” provided by the company. Furthermore, the company sent annual reminders to its employees about its computer use policy.  Calling the policy “clear and unambiguous,” the court ruled that the attorney-client communications were unprivileged.

The court used similar reasoning in Kaufman v SunGard Inv. System, 2006 WL 1307882 (D.N.J. May 10, 2006). While employed by SunGard, Kaufman used two company laptop computers, and the company’s e-mail system, to communicate with her attorney about litigation against SunGard. She returned the computers to SunGard but deleted certain files. During the discovery process, SunGard’s computer technician retrieved e-mails between Kaufman and her attorney. SunGard told the technician to secure the e-mails but not to disclose them to it until a magistrate judge who was supervising the discovery process could rule as to whether they were privileged. The magistrate judge ruled that they were unprivileged, and the plaintiff appealed to the trial judge. The judge affirmed the magistrate judge’s rulings, stating that the company had an explicit policy that all communications using its computers and e-mail system were subject to monitoring by the employer.

Other issues related to employer monitoring of employee e-mails. Federal law prohibits the interception (wiretapping) or the retrieval of stored e-mail communications under certain circumstances. The Electronic Communications Privacy Act of 1986 (ECPA) ( 18 U.S.C. §§2510-2522) has been used to challenge employers’ retrieval of employees’ messages to their personal attorneys. An exception to the ECPA permits the retrieval of e-mail “by the person or entity providing a wire or electronic communications service,” thus exempting employer-provided e-mail and Internet systems from the provisions of the ECPA, at least for messages sent from the employer’s system. To date, the federal courts interpreting the ECPA have refused to apply it to e-mail created or stored on the company’s system by an employee if the employer provides the Internet system rather than using a commercial Internet Service Provider (such as AOL® or Yahoo®). Fraser v. Nationwide Mutual Insurance Co., 352 F.3d 107 (3d Cir. 2003) is an example of such a case. But another federal court applied the ECPA to an executive who instructed his subordinates to write a program that would intercept customers’ e-mails intended for another company in order to attain a competitive advantage by learning what books they were ordering. In U.S. v. Councilman, 418 F.3d 67 (1st Cir. 2006)(en banc), Councilman’s company, an online listing service for rare and out-of-print books, acted as an e-mail provider for certain customers of Amazon.com. The court ruled that the executive could be indicted under the criminal provisions of the ECPA. While Councilman involved the interception of e-mails from nonemployees, it demonstrates that employers need to be cautious with respect to the requirements of the ECPA, and to seek legal advice before engaging in such practices as those attributed to Councilman.

In addition, some states, such as Connecticut and Delaware, require employers to give employees advance notice that their electronic communications will be monitored, even if the employer is exempt from the provisions of the ECPA. Therefore, employers should confer with counsel before implementing monitoring or retrieval systems.

Suggestions for Employers
While employers usually have neither the time nor the interest to scrutinize their employees’ use of the company’s e-mail system, situations may arise, such as those discussed in this article, in which the employer may need to access otherwise private messages or Internet access logs. Following the suggestions below — and consulting with legal counsel if questions arise about accessing private employee e-mail — should help employers minimize legal problems related to accessing employees’ e-mail.

• Establish a clear policy that stating that any messages created on or sent through the company’s computer network and/or company-owned computers (including laptops and personal data devices issued to an employee) is subject to monitoring, and that employees have no expectation of privacy in such communications. Notify employees at least annually of this policy.
• Consider creating a similar message that appears each time the employee logs onto the company’s Internet or e-mail system.
• Consider including in your policy a statement that the company’s computer system captures screen shots of 1) all communications using the company’s computers, even if not connected to the company’s Internet service system and even if using a personal e-mail account  and 2) all communications using the company’s e-mail system, even if created on a noncompany owned computer.
• Before reviewing allegedly private employee e-mail, go through the following steps:
• review the actual language of the company’s computer use policy
• make sure that the employee received and signed a statement acknowledging receipt and understanding of the policy and that a copy has been retained
• ascertain whether the company has allowed private use of computers by employees without attempting to monitor or halt the practice
• ascertain whether the computer use policy has been enforced
• consult legal counsel concerning the advisability of seeking judicial review of whether the e-mail can lawfully be retrieved

¹With thanks to summer associate Ben Schatz in the Short Hills office for his research assistance.
² SEC v. Cassano, 189 F.R.D. 83, 85 (S.D.N.Y. 1999).
³ Curto v. Medical World Communications, Inc., 2006 U.S. Dist. LEXIS 29387 at *7 (E.D.N.Y) May 15,2006), citing United States v. Rigas, 281 F. Supp. 2d 733, 738 (S.D.N.Y. 2003)