Computer Use Policies – Is Yours Enforceable?
It has long been true that companies can and should adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate practices. But the question is often asked: How far can an employer go in controlling and monitoring personal computer use?
In a recent New Jersey case, an employee sued her former employer for employment discrimination. In the course of her employment, her employer gave her a laptop computer to conduct company business. She used that laptop to access a personal, password-protected e-mail account over the Internet, through which she communicated with her attorney about her situation at work. After she left her employment and returned her laptop, the employer made a forensic image of the laptop, which captured her personal e-mail communications, including those with her attorney.
The employer’s computer use policy stated unequivocally that the employer could review, access, and disclose all matters on the company-owned media systems and services at any time. It also stated that e-mails, Internet communications, and computer files were not private. However, it did allow for occasional personal use.
The Supreme Court of New Jersey first found that it was not clear from the policy whether the use of personal, password-protected, web-based e-mail accounts via company equipment was covered by the policy. The court then found that the policy did not adequately warn employees that the contents of such e-mails could be forensically retrieved and reviewed. The vagueness of this policy, combined with the employee’s use of a password-protected e-mail account, was sufficient to give the employee a reasonable expectation of privacy with respect to the content of the e-mails she exchanged with her attorney.
Importantly, the court then went on to hold that, because of the magnitude of the attorney-client privilege, even if the policy had been more clearly written, it would not have been enforceable. The court ruled that even a clear ban on all personal computer use and unambiguous notice that the employer could retrieve and read an employee’s attorney-client communications would be insufficient to outweigh the importance of preserving her right to confidentially communicate with her lawyer. The court stated that this would be the result whether the employee used company e-mail or a personal, password-protected e-mail account using the company’s computer system.
This is a fairly astonishing ruling, considering that the employee could easily have communicated with her attorney by way of a personal cell phone, or from her own computer at home on her own time, and completely avoided the risk of exposing attorney-client privileged communications. The court’s holding is recognition of the ubiquity of e-mail in our society, and a statement that employees have at least some privacy rights in their personal e-mail communications, even if sent over their employer’s technology systems. This case leaves open the question of privacy expectations outside of attorney-client communications. But, it makes it plainer than ever that, if an employer wants to retain the argument that it has the right to read the content of personal e-mails sent by employees using company systems, the employer’s computer use policy must be . . . well, plainer than ever.