Use Policies to Manage Employees' Privacy Expectations

Business communications are no longer limited to meetings, telephone or mail. Employers routinely provide employees with laptops, cell phones and handheld devices. As employees use such devices for personal communications and employers adopt policies to restrict use to business and preserve the employer’s right to monitor employee use, legal conflicts increasingly arise between employee expectations of privacy and employer control over its technology usage. Recent litigation demonstrates that an employer’s technology usage policies may be the key to tipping the balance in favor of the employer.

A recent New York case, Scott v. Beth Israel Medical Center, 2007 NY Slip Op 27429 (NY Misc., Oct. 17, 2007), addressed these competing interests. In Scott, a terminated employee sued his employer for breach of his employment agreement. During litigation, the employer discovered e-mail correspondence on its computer system between the employee and his attorneys relating to the subject of the litigation. The employee argued that these communications were protected by the attorney-client and work-product privileges. The employer maintained that the privileges did not apply because the communications using the employer’s computer and e-mail systems were not made in confidence or in a manner that would protect them from disclosure to third parties.

The employer’s computer usage policy in Scott provided that its technology, including e-mail and wireless networks, should be used for business purposes only and that all information sent, received or saved on its technology was property of the employer. The policy clarified that employees had no personal privacy right in any such material and that the employer reserved the right to access and disclose the material without prior notice to the employee. The policy was distributed to all employees and was available in hard copy and on the employer’s intranet, and new employees were required to sign an acknowledgment upon receipt.

The court held that the employer’s policy was critical to the outcome of the decision. The court likened the policy to having “the employer looking over your shoulder each time you send an e-mail.” The court concluded that the employee did not have a reasonable expectation of privacy or confidentiality in his communications with his attorney made over the employer’s technology systems, so those communications were not protected by the attorney-client or work-product privileges.

Other cases dealing with similar issues as Scott have had varying results.

For example, in Curto v. Medical World Communications, Inc., No. C06-1412, 2007 U.S. Dist. LEXIS 69568 (W.D. Wash. Sept. 20, 2007), an employee exchanged e-mails with her attorney from her home office, using her personal AOL e-mail account, but using her employer-provided laptop. When the employer issued her a new computer, she deleted personal files before returning her old one. Despite this, her employer was able to retrieve copies of the e-mails sent between the employee and her counsel from her hard drive. The court noted the employer’s computer use policy, but also noted that the company did not actively enforce it, so the employee’s reasonable expectation of privacy was higher. The court also noted that because the e-mails were sent using the employee’s personal e-mail account from her home office, using her home e-mail server, the only way the employer could retrieve the e-mail was by physically examining the laptop. The employer could not have viewed or intercepted any e-mail on its server. Weighing these factors, the court concluded that the attorney-client privilege had not been waived by the employee.

In a similar case, Sims v. Lakeside School, No. C06-1412, 2007 U.S. Dist. LEXIS 69568 (W.D. Wash. Sept. 20, 2007), the court drew a similar line. An employee used his company-provided laptop to exchange e-mails with his attorney over both his personal e-mail account and his employer’s e-mail account. The court held that, in light of the employer’s computer-use policy, the employee had no reasonable expectation of privacy in any communications sent using the employer’s e-mail account or stored on the employer-provided laptop. However, any communication with his attorney using the company laptop sent through a personal e-mail account remained privileged.

While the law in this area continues to develop, a primary focus is whether the employee had a reasonable expectation of privacy in the communications at issue. Clear and unambiguous employer policies on computer usage weigh heavily against such an expectation of privacy. As a result, employers are wise to adopt, publicize and consistently enforce clear, unambiguous technology-usage policies that restrict employees’ personal usage and manage employees’ expectations of privacy.

These policies should include provisions:

• Allowing use for “business purposes only” and restricting personal use;

• Clearly notifying the employee of the employer’s right to monitor computer usage and e-mail;

• Stating that the employee has no reasonable expectation of privacy or confidentiality when using the employer’s computer or communication systems; and

• Providing notice of the policy to all employees and continued access in hard copy or online, including requiring employees to sign an acknowledgement upon receipt of the policy.

Such policies and practices should maximize employer control over employee usage of employer technology.