How Far Can Employers Go in Reading Employee E-mail?
Employers routinely face situations where they must investigate an employee suspected of misconduct. Such investigations increasingly – if not always – involve email. But do employers become guilty of misconduct or otherwise risk liability if they access an employee’s email account? Does it matter if the company has a policy regarding email privacy? What if the policy is inconsistent or not enforced? Does it matter if the the email account is a company provided account or accessed using company computers/Internet connections? While the answers to these questions will, unfortunately, depend upon the circumstances, a great overview of issues employers should consider prior to investigating employee email is found at Investigating Personal Web-Based E-Mail.
When it comes to investigating employees and email, employers will often feel as if they are shooting at a moving target in the dark when it comes to “getting it right.” That is because court opinions addressing employee email investigation often become very fact specific and reach conflicting results.
For example, in Stengart v Loving Care Agency, Inc. (New Jersey 2009), the employer provided plaintiff with a laptop computer and a work email address. Prior to plaintiff’s resignation, she communicated with her attorneys about her anticipated suit against her employer. These email communications were sent from plaintiff’s work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After plaintiff filed suit, the company created a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, the employer’s attorney discovered and read numerous communications between plaintiff and her attorney.
The trial judge found in favor of the employer noting that the company’s policy put employees on sufficient notice that electronic communications, “whether made from her company E-mail address or an Internet based E-mail address would be subject to review as company property.”In reaching this conclusion, the judge stated that the company policy “specifically place[d] plaintiff on notice that all of her Internet based communications [we]re not to be considered private or personal” and that the policy “put employees on notice that the technology resources made available to employees were to be used for work related purposes, particularly during business hours.”
The Court of Appeals, however, reversed this decision noting that “there is much about the language of the policy that would convey to an objective reader that personal emails, such as those in question, do not become company property when sent on a company computer, and little to suggest that an employee would not retain an expectation of privacy in such emails.” The Court further based its decision on the “important societal considerations that undergird the attorney-client privilege.” This opinion is available here and is worth reviewing for its interesting discussion of the competing interests between employers’ interest in maintaining its business operations and employee privacy against the backdrop of digital communication (yes, I’ve been told I’m a dork for finding this stuff interesting).
In contrast to Stengart, the court in Scott v. Beth Israel Med. Center Inc., (N.Y. Sup. Ct. 2007) sided in favor of the employer and decided that email communications between plaintiff and his attorney exchanged over the employer’s email system was not protected by attorney-client privilege or work product doctrine. The emails in question were were all sent over the employer’s email server. And the employer’s email policy stated, among other things, that the electronic mail systems were the property of the employer and should be used for business purposes only, that employees “have no personal privacy right in any material created, received, saved or sent using [employer’s] communication or computer systems,” and that the employer reserved the right to access and disclose such material at any time without prior notice.
The take away for employers is that it takes planning to bench the judicial-Monday-morning quarterback scrutinizing your investigation decisions. This planning starts with a well-written policy clearly advising employees of how company computers, Internet resources, and email will be treated. An employer should obtain the employee’s signed acknowledgement that the policy was received and understood. And, the policy must be enforced. See Privacy in the Digital Workplace – Oxymoron? Maybe Not, where an employer had such a policy in place, but represented it would not be enforced, which – under the facts of that case – created an “expectation of privacy” for the plaintiff employee.