A few days ago (on March 30, 2010) the New Jersey Supreme Court handed down a decision that is certain to have significant implications in social media policy circles. In Stengart v. Loving Care Agency (2010 N.J. LEXIS 241), Plaintiff Stengart, in anticipation of a lawsuit against her employer, Loving Care Agency, sent several email communications to her lawyer from her company-provided laptop, over the company's Internet server but via her personal Yahoo email account. She did not store her password on the laptop.
Unbeknownst to Stengart, the company's browser software automatically saved a copy of each web page she viewed on the computer's hard drive in a "cache" folder of temporary Internet files. So her emails from her Yahoo account were actually captured on the company's server. After Stengart left Loving Care and initiated a lawsuit, the company found those attorney-client emails during the discovery process, provided them to Loving Care's lawyers, and the communications were subsequently used in the defense strategy.
What's significant about this case is that Loving Care has an electronic communications policy, which, among other things, stated that the company was permitted to access and review all matters on the company's media systems; that e-mails and Internet communications were not to be considered private or personal to employees; and, confusingly, that occasional personal use was permitted.
Stengart argued at trial that she had a reasonable expectation of privacy in her confidential attorney communications. The trial court disagreed, saying she waived that right in light of the company policy; the court of appeals reversed that opinion, and hence the appeal to the NJ Supreme Court. The Supreme Court sided with Stengart last week, holding:
Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them...
For those interested in social media law and social media policy, the Stengart finding is significant. Many if not most companies have policies in place that allow, to some degree or another, some level of reasonable personal use of company-issued computers. Increasingly, that use involves using the Internet to access personal, password-protected spaces such as personal email, Facebook, Martindale Connected, LinkedIn, Twitter and other accounts. Most employees think that because the data from those accounts do not reside on the company server, their privacy remains intact and free from the watchful eye of the employer. Stengart agrees in this case - but the court also explains where the line likely would be drawn:
Although the Policy states that Loving Care may review matters on "the company's media systems and services," those terms are not defined. The prohibition of certain uses of "the e-mail system" appears to refer to company e-mail accounts, not personal accounts. The Policy does not warn employees that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. It also creates ambiguity by declaring that e-mails "are not to be considered private or personal," while also permitting "occasional personal use" of e-mail.
The court said Stengart had a reasonable expectation of privacy because the email account was personal, password-protected, and the password was not stored on the laptop - an area where the company policy was silent and ambiguous. After determining that the attorney-client privilege protected the emails, the court went even further, holding that even with a clear policy, protecting attorney-client communications is still paramount:
... A policy that provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system, would not be enforceable.
What does this mean for social media policy makers within companies - and for users? Here are several takeaways:
- When companies allow reasonable personal use of company-issued systems, absent specific policies to the contrary, employees have a reasonable expectation of privacy in the content and communications they access/contribute via personal, password-protected sites (i.e., personal email).
- This may (and seems logically to) extend beyond email to social networking sites like Facebook, Martindale Connected and Twitter.
- The fact that Stengart did not store her password on the computer itself was cited several times as a factor in her reasonable expectation of privacy - which begs the question - if we let our work-issued computers "remember" our passwords (via stored cookies presumably), are we forfeiting our reasonable expectation of privacy in those sites?
- And finally, explicit policies notwithstanding, the court was clearly stating that public policy, such as the attorney-client privilege, cannot be waived by well-crafted policies, and therefore there are certain expectations of privacy that employees have on company-issued computers even if the policy states there are none.
While Stengart is not controlling law outside of New Jersey, it is certainly a novel issue that other states will confront; and they will either cite Stengart favorably or distinguish it. Where this will ultimately lead us in the ever-evolving world of social media law is anybody's guess. But both companies and users should take note.