There are now several decisions determining whether employees can retain attorney-client privilege for e-mails sent to their lawyers using their employer-provided e-mail addresses and computers — reaching apparently inconsistent conclusions. This article compares and seeks to reconcile the cases, and to assist lawyers in advising clients on how to avoid the risks that such communications pose. The first of these cases, Scott v. Beth Israel Medical Center Inc., 2007 WL 3053351 (N.Y. Sup. Oct. 17, 2007), was previously featured in an article in this column (“Abusive Litigation Tactics and Loss of Privilege,” March 3, 2008), but is revisited here because a New Jersey court recently reached a diametrically opposite conclusion on quite similar facts, in Stengart v. Loving Care Agency Inc., 973 A.2d 390 (N.J. Super. A.D. July 29, 2009). The article also reviews other recent decisions in the same general subject area.
Scott v. Beth Israel involved a breach of contract action arising from the defendant’s termination of the plaintiff doctor’s employment, in the course of which certain e-mails between the plaintiff and his lawyer came into the possession of the defendant, because they had been transmitted utilizing the defendant’s e-mail system.
The plaintiff asserted that the e-mails were protected under the attorney-client privilege and under the work-product doctrine. The defendant argued that the communications could not be privileged because they were not made in confidence. The defendant’s position was based on the fact that the communications were subject to the defendant’s e-mail policy, which was known to the plaintiff and to all employees of the defendant. The policy in question stated:
This Policy clarifies and codifies the rules for the use and protection of the Medical Center’s computer and communications systems. This policy applies to everyone who works at or for the Medical Center including employees, consultants, independent contractors and all other persons who use or have access to these systems.
1. All Medical Center computer systems, telephone systems, voice mail systems, facsimile equipment, electronic mail systems, Internet access systems, related technology systems, and the wired or wireless networks that connect them are the property of the Medical Center and should be used for business purposes only.
2. All information and documents created, received, saved or sent on the Medical Center’s computer or communications systems are of the Medical Center. Employees have no personal privacy right in any material created, received, saved or sent using Medical Center communication or computer systems. The Medical Center reserves the right to access and disclose such material at any time without prior notice.
Justice Charles Ramos first rejected the plaintiff’s argument that CPLR 4548 invalidates the defendant employer’s e-mail policy. That provision, the court held, does not preclude employers from adopting so-called “no personal use” policies with respect to e-mails. After reviewing the facts, the court further concluded that the plaintiff either had actual knowledge of the policy, or had constructive knowledge by virtue of his employment. It based that determination on In re Asia Global Crossing, Ltd., 322 B.R. 247 (SDNY 2005), a federal bankruptcy matter which held that there is no attorney-client privilege or work-product protection for e-mails exchanged over the employer’s e-mail system. That court stated that the attorney-client privilege would be inapplicable if
(a) … the corporation maintain[s] a policy banning personal or other objectionable use, (b) … the company monitor[s] the use of the employee’s computer or email, (c) … third parties have a right of access to the computer or emails, and (d) … the corporation notif[ies] the employee, or [the employee was] aware, of any use and monitoring policies.
Determining that all of these tests were met in Scott v. Beth Israel, Ramos held that the e-mails plaintiff sent to his lawyer were not entitled to attorney-client privilege protection because he used the employer’s e-mail system. Justice Ramos reached the same conclusion regarding the plaintiff’s attempt to assert work-product protection.
Finally, Ramos held that the plaintiffs lawyers’ use of a warning notice on all of its e-mails “cannot create a right to confidentiality out of whole cloth.” Citing with approval New York State Bar Association Committee on Professional Ethics, Formal Opinion No. 782 (Dec. 8, 2004), Ramos found that “a lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances.” Accordingly, while the law firm’s pro forma notice at the foot of its e-mails “might be sufficient to protect a privilege if one existed,” the court said, “[w]hen client confidences are at risk, … the notice at the end of the e-mail is insufficient and not a reasonable precaution to protect its clients.”
In Stengart v. Loving Care, the issue was whether the attorney-client privilege protected a former employee’s e-mails that were sent to her attorney using a company-issued laptop computer through a personal, password-protected, Web-based (Yahoo) e-mail account. The e-mails concerned a lawsuit the former employee contemplated bringing against her employer, and were sent to the employee’s personal attorney prior to her resignation from the company. The company obtained the e-mails after suit was filed by making a forensic image of the computer’s hard drive and extracting them from the plaintiff’s Internet browser history.
The plaintiff disputed whether the company’s electronic communications policy was in effect or was merely in draft form at the time she sent the e-mails, and whether the policy applied to executives such as the plaintiff. While the New Jersey appellate court noted that the privilege issue should not have been decided absent an evidentiary hearing addressing these points, the court also noted several ambiguities in the company’s electronic communications policy. In its employee handbook, the company reserved “the right to review, audit, intercept and disclose all matters in the company’s media systems and services at any time, with or without notice.” However, the court noted that the policy neither defined nor suggested what was encompassed by the phrase “media systems and services,” and the court concluded that those words alone did not convey “a clear and unambiguous understanding about their scope.”
The court also noted that “[t]hese ambiguities cast doubt over the legitimacy of the company’s attempt to seize and retain personal emails sent through the company’s computer via the employee’s personal email account.” The company policy did clearly provide that: “E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and are not to be considered private or personal to any individual employee.” It further stated, however, that “occasional personal use” of those systems was permitted.
The court observed that the policy made no attempt to explain when such personal use was permitted and ruled that “[a]n objective reader could reasonably conclude … that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Notably, given the factual dispute in the record, the scope of the employer’s policy was not the basis of the court’s holding.
The court instead concluded that the e-mails were privileged on broad public policy grounds, holding that the policy considerations underlying the attorney-client privilege “substantially outweighed” the company’s interest in enforcing its computer use and electronic communications policy. The court summarized its conclusions thus:
Giving the company the benefit of all doubts about the threshold disputes mentioned in earlier sections of this opinion, as well as the broadest interpretation of its electronic communications policy permitted, despite the obvious ambiguities in the policy’s text, we nevertheless are compelled to conclude that the company policy is of insufficient weight when compared to the important societal considerations that undergird the attorney-client privilege. As a result, we conclude that the judge exhibited inadequate respect for the attorney-client privilege when she found that plaintiff ‘took a risk of disclosure of her communications and a risk of waiving the privacy she expected’ when she communicated with her attorney through her work-issued computer, and that plaintiff’s action in the face of the policy ‘constitute[d] a waiver of the attorney client privilege.’ Accordingly, we reverse the order under review and conclude that the emails exchanged by plaintiff and her attorney through her personal Yahoo email account remain protected by the attorney-client privilege.
Three other recent decisions address similar issues. In a recent California appellate decision, People v. Jiang, 131 Cal. App. 4th 1027, 33 Cal. Rptr. 184, 205 (2005), the court held that an employee’s e-mails to his attorney were privileged notwithstanding the fact that they were sent via his employer’s computer. The court determined that the privilege was not lost in view of the employee’s “substantial efforts to protect the documents from disclosure by password-protecting them and segregating them in a clearly marked and designed folder.” Additionally, the policy on electronic communications did not specifically prohibit the employee’s personal use of the company’s computer system.
To similar effect is a recent decision from the U.S. District Court for the Eastern District of New York. In Curto v. Medical World Communications Inc., 2006 WL 1318387 (EDNY 2006), the court also held that the mere fact that a company computer is used by an employee should not result in a loss of the privilege, holding privilege applied to e-mails sent from an employee’s home office on a company-issued laptop that was not connected to the company’s e-mail server.
In a decision from the U.S. District Court for the Southern District of New York, Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp, LLC, 587 F.Supp.2d. 548 (SDNY 2008), the court addressed the application of the Stored Communications Act, 18 U.S.C. §2701, which prohibits the access of an “electronic communication service” without proper authorization. The court held that the act was violated when a company accessed, without proper authorization, its former employee’s Hotmail account e-mails from the company computer he had purportedly used to view those e-mails. However, the court also recognized that an employee’s implied consent based on clear statements in the employee handbook may provide sufficient authorization under the act to permit an employer’s access to a personal e-mail account.
While the former employee may have been on notice that the company’s computers could be searched for evidence of his personal use, the court found that the former employee was not aware that such a search could include his Hotmail, Gmail or any other Web-based mail accounts. Thus, the company policy was not sufficiently specific to create such an implied waiver, or to avoid a finding that the act had been violated.
PUBLIC POLICY ARGUMENTS
As every reader is only too well aware, today many highly personal and confidential transactions are commonly conducted via the Internet, and may be performed in an instant. Individuals may access their medical records, examine activities in their bank accounts and phone records, file income tax returns — or e-mail their attorney regarding confidential matters. Even under the law as articulated in Scott v. Beth Israel, the starting point of the analysis is that individuals possess a reasonable expectation that those communications will remain private. However, the approach of the court in Scott v. Beth Israel may be seen as viewing the attorney-client privilege as a rule of evidence to be narrowly interpreted as an exception to the general rule requiring the admission of all relevant evidence. Thus, the outcome in Scott v. Beth Israel may be understood as an implied waiver of confidentiality by the employee, in the context of a very clearly expressed, all-encompassing and widely communicated company policy.
Despite the differing outcomes of the cases, and the differing approaches to public policy that contributed to the results, there are a series of lessons to be learned from these cases, both for lawyers who represent employees and those who represent employers with (or with a need for improved) privacy policies regarding the use of the organizations’ technology.
Where a company prohibits personal use of company equipment and advises its employees that it reserves the right to monitor and review their electronic communications and does so, then the employee will have difficulty claiming that the communications sent to an attorney were made in confidence. Collectively, these cases therefore send an important message to lawyers about the need to give all clients explicit advice at the outset of every representation regarding the use of e-mails for communications which the client or the lawyer wish to have treated as confidential.
If the risks of loss of privilege are to be avoided entirely, then neither the client nor the lawyer should be using e-mails through any server or site as to which there is no reasonable expectation of confidentiality. In particular, the cases suggest the need to add a paragraph to all engagement letters to alert individual clients of this issue, and to provide advice as to the methodologies to be used for communications between them in order to preserve confidentiality and the privilege.
These cases hold two clear lessons for counsel for employers. First, employers need to have very carefully formulated, broadly worded policies regarding employees’ lack of expectation of privacy, that are diligently and repeatedly circulated to all employees. This will maximize the likelihood that it will be permissible to capture and use employees’ personal communications both for internal administrative, disciplinary and, if necessary litigation purposes — and will minimize the risk of an allegation of violation of the Stored Communications Act.
The second lesson to be learned from these cases by lawyers representing entities is that whenever an attorney receives potentially privileged or confidential information relating to the opposing party, that attorney should carefully consider how that information was obtained. Notably, in Stengart v. Loving Care, after concluding that the privilege in the e-mails had not been lost, the court remanded for an evidentiary hearing to determine whether the company’s attorneys should be disqualified or if some other sanction should be imposed as a result of their failure to comply with Rule 4.4(b) of the New Jersey Rules of Professional Conduct. The New Jersey rule, like New York’s Rule 4.4(b), requires that whenever a lawyer has reasonable cause to believe that a document was inadvertently produced, the lawyer must promptly notify the sender.
Unlike New Jersey’s version of this rule, New York’s rule does not also contain the requirement that the lawyer in these circumstances must not read, or continue to read the document once the lawyer realizes that it was inadvertently produced. However, Comment 2 to New York’s rule states in part that “a lawyer who reads or continues to read a document that contains privileged or confidential information may be subject to court-imposed sanctions, including disqualification and evidence-preclusion.” It may therefore be assumed that New York lawyers who incorrectly rely on the assertion of a waiver of privilege in such a situation may also face the same consequences.
Accordingly, and despite the apparent encouragement provided by the decision in Scott v. Beth Israel to go ahead and read and use an employee’s e-mails, given the array of other cases finding that the employer’s polices were not clear or broad enough to justify such conduct, counsel who receives, or is given the opportunity to review an employee’s e-mails should carefully consider the applicable rules of professional conduct and establish the scope of applicable ethical duties under the circumstances presented.
The safest course of action may be to promptly notify opposing counsel about a lawyer’s receipt of any confidential or privileged information. When the issue cannot be informally resolved with opposing counsel, it may be appropriate to bring the matter to the court’s attention and allow the court to resolve the issue before using or further disclosing the information. Failure to take these steps may result in disqualification or sanctions, including a directed adverse outcome in the underlying dispute.
Anthony E. Davis a partner of Hinshaw & Culbertson, is a past president of the Association of Professional Responsibility Lawyers.