By Jonathan Yeh
By now, most of us know that emails sent using work email addresses and systems are not private and are subject to review and access by the companies we work for. Most employers have policies in place explaining this.
These days, most employees do some private business from work computers, including using Webmail accounts such as Gmail and Hotmail to send personal correspondence. Although some employers have blanket prohibitions on personal Internet use, most employers recognize the realities of modern life and permit this to a varying degree.
Most of us don’t run into any problems with this arrangement. However, workplace disputes and misconduct investigations do occur. When they do, important issues regarding the privacy of employee data are raised, particularly with respect to email sent from work computers via the Internet using personal, password-protected Webmail accounts.
Two recent cases show courts grappling with the issues of employee privacy and employers overreaching with respect to Webmail. The cases are cautionary tales for employers who encounter employee Webmail in the course of internal investigations and electronic discovery.
In the first case, Van Alstyne v. Electronic Scriptorium Ltd., the jury awards of punitive damages were upheld against both a company and its president individually. The defendants had used login information obtained from employee computers to repeatedly access an employee’s Webmail account in violation of the Stored Communications Act of 1986.
The lesson for employers from this first case is obvious. Webmail can often seem to be a compelling potential source of evidence in a dispute with a former employee. However, as tempting as it may be to use login and password information found on a former employee’s computer, accessing Webmail accounts without consent is a clear violation of law that can subject an employer to both civil and criminal liability.
Instead, employers who seek to gain access to employee Webmail accounts must follow established court procedures and discovery rules. Since Webmail accounts can often be subject to automatic deletion schedules, this effort should be preceded by an evidence preservation letter sent to the Webmail service provider as early as possible.
In the second case, Stengart v. Loving Care Agency, Inc. et al., the New Jersey State Appellate Division sternly reversed a trial court ruling that an employee had waived attorney-client privilege with respect to Webmail sent using company hardware during work hours.
In doing so, the court strongly rejected the employer’s argument that Webmail saved locally to the employee’s hard drive essentially became the property of the employer pursuant to its Internet use policies, which stated that: “The company reserves and will exercise the right to review, audit, intercept, access and disclose all matters on the company’s media systems and services at any time, with or without notice.”
The lessons from the Stengart case for employers conducting computer investigations and electronic discovery are many. Perhaps the most obvious is respect for the attorney-client privilege. These were not emails that were somehow surreptitiously obtained, but electronic files saved on the employer’s own computers and recovered by the employer using basic forensic tools.
Still, the court ruled that the employer was effectively not entitled to review electronic data created and saved on its own property due to the overriding force of the attorney-client privilege.
The lesson: Respect the attorney-client privilege and consider performing a privilege sweep in cooperation with the employee’s attorneys before reviewing the content of employee workstations. If you do run into what appears to be privileged material, treat it like the plague.
Further, the court spoke at length regarding the realities of personal Internet use in the modern workplace, stating:
Today, many highly personal and confidential transactions are commonly conducted via the Internet, and may be performed in a moment’s time. With the touch of a keyboard or click of a mouse, individuals may access their medical records, examine activities in their bank accounts and phone records, file income tax returns, and engage in a host of other private activities…
Regardless of where or how those communications occur, individuals possess a reasonable expectation that those communications will remain private.
The lesson: Respect employee privacy rights in conducting internal investigations and electronic discovery.
Finally, although it wasn’t the major basis for the court’s decision, the court did note that the employer’s reservation of its right to view all communications on its media systems seemed to conflict with its allowance to employees of “occasional personal use.” The court also noted that, among a laundry list of problems, it wasn’t clear if the policies had been finalized, which version had been adopted, the meaning and scope of the policies and whether they applied to the plaintiff employee.
The lesson: Draft your Internet-use policies carefully, finalize and implement them, and be sure they have been distributed to and acknowledged by employees.
Jonathan Yeh is an attorney and principal at Blank Law + Technology PS. Mr. Yeh’s practice includes general commercial transactions and litigation, computer forensics, electronic evidence, electronic data and technology risk management and intellectual property. Mr. Yeh received his J.D. degree, cum laude, from the Seattle University School of Law and his undergraduate degree from the University of Georgia.








