E-discovery is a constantly developing topic in the legal world, and the word, “world,” should be taken literally.  Across the globe, different nations and their legal system are formulating new rules to tackle new discovery issues that can arise almost as quickly as new technology and means of communication can develop.  The only problem with this, however, is that different nations are addressing their e-discovery issues with different solutions.  This problem usually rears its ugly head when one of the parties in a lawsuit is a multinational company.  What is a British company supposed to do when it’s sued in an American because of a foul-up by its French Subsidiary?  Do they supply all of the e-discovery materials required by American courts?  What if e-discovery that the American court requires no longer exists because it never needed to be stored in the first place by   French or British?

The European Commission, the executive arm of the European Union (“EU”), responsible for proposing legislation and implementing decisions in addition to running the EU on a day-to-day basis and upholding EU treaties, recently took steps toward untangling this e-discovery web of confusion and contradiction.  The European Commission had previously established the working party, an independent advisory board charged with handling issues relating to data protection and privacy in the EU.

The working party recently addressed the issue of transborder e-discovery relating to data held in Europe that was required to be produced as a result of legal proceedings occurring in the United States.   It recognized that a certain tension had mounted as a result of disclosure obligations under American legal rules differing with data protection requirements in the EU,  the working party also recognized that this was particularly relevant to European affiliates of multinational companies that were getting caught while trying to balance their obligations as a result of American e-discovery demands in connection to litigation and the various data protection and privacy laws governing the transfer of personal information that also varied among the different countries within the EU.  The working party saw that there was a need to reconcile the U.S. litigation requirements and EU data protection provisions and as a result, recommended a set of guidelines to be followed by EU data controllers.  These guidelines were eventually adopted in February 2009.  Among the guidelines adopted were a number of provisions applicable to lawsuit parties, businesses, lawyers, courts, & governments.

One conflict addressed by the working party that is likely the most applicable to e-discovery problems is what is to be done when a foreign company has to concern itself with American document retention rules that may conflict with the rules in the country where the company operates.   Due to the fact that different countries each have different time limits for potential litigants to bring a claim, it was not practical for the working party to establish a particular uniform period of time for data to be stored.  Thus, the guidelines provide as a solution that data controllers in the EU should have a clear policy on data storage, management, and retention.   So as long as the policy comports with local applicable guidelines and the policy is adhered to, the data controller will not be found to be at fault with US law because US rules of civil procedure merely require that existing information be disclosed to the adverse party.   An exception to this, however, is that if there is data relevant to a specific, imminent litigation process, it should be stored even such storage would not otherwise be required by the data storage policy in order to prevent spoliation of evidence.  The guidelines also address the process to be followed when an American court, a “litigation hold of pre-emptive requirement that information be retained.  In such scenarios, the data storage policy and/or and data destruction policy for documents that may be relevant to the legal claim is to be suspended.

This is just one of many problems addressed by the working party.  Their recently adopted guidelines also resolve globally conflicting laws relating to e-discovery issues that include, but are not limited to disclosure of sensitive personal data, consent, proportionality, transparency, rights of access and erasure, data security, and transferring data to third parties.  As a result, any company that does business in the U.S. as well as the EU would be best served by familiarizing itself with the working party’s recently adopted guidelines.

Frank received his B.a. from Wesleyan University.  In addition to being an award winning gardener, he is a third-year law student at Seton Hall University School of Law and can be contacted at fgiantomasi@gmail.com.  After graduating, he will clerk for a New Jersey Superior Court judge.

According to the 9^th circuit, the answer is a NO!

In Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9^th Cir. 2008), the City of Ontario Police Department (“OPD”) had a formal policy governing city-owned computers and associated equipment that limited its use to City related business.  It also warned that the users should have no expectation of privacy or confidentiality when using these resources.  When the OPD issued pagers to its employees, it clarified that the policy also applied to the use of pagers.  Under the OPD’s contract with its service provider, each pager was allotted 25,000 characters, after which it incurred overage charges.

Quon’s supervisor informally allowed employees to pay for their overages thereby avoiding the need to audit the messages.  Accordingly, employees paid their share when they exceeded the character limit and avoided an audit.  Quon’s repeated overages, however, frustrated the supervisor, who pursuant to the formal policy requested an audit to determine if the exceedances were due to city related business.  The audit revealed that many of the messages were personal in nature and often sexually explicit.  It also revealed that at least in one instance the pagers were used to undermine a narcotics investigation.

Quon filed suit against the OPD, alleging breach of privacy among other claims.  The ninth circuit held that despite the OPD’s formal anti-privacy policy warning users not to expect privacy or confidentiality when using OPD-issued resources, Quon’s expectation of privacy in his text messages was reasonable.  According to the court, the supervisor’s informal policy not to audit text messages if the employee paid the additional charges, trumped OPD’s formal policy because the supervisor was in charge of the pagers and his statements carried a great deal of weight.

This serves as an important lesson for the employers.  Make sure that your managers and supervisors are strictly enforcing the policies that you have in place.  Any deviation could leave you open to unnecessary lawsuits.  Strict enforcement might be difficult depending on the operational realities of the department, but it is nonetheless critical to ensure the effectiveness of the existing policies.  If the supervisor had simply enforced the policy it already had in place every time there was an overage, this lawsuit would probably not have arisen.

Another interesting aspect of Quon is the 9^th circuit’s application of the Stored Communications Act or the SCA.  The Congress enacted the SCA (as part of the Electronic Communications Privacy Act) to address access to stored wire and electronic communications and transactional records arising from the advent of the Internet.  It prohibits providers of either “an electronic communication service” (ECS) or a “remote computing service” (RCS) from knowingly divulging the contents of a communication while in electronic storage or any other information pertaining to a subscriber or customer of that service.

There are exceptions.  If the provider is an ECS, then the information stored by it may be disclosed, with the lawful consent of only the author, the addressee or the intended recipient of that communication.  In the case of a RCS, the information may be disclosed with the lawful consent of the subscriber of the service.

This distinction was critical in Quon because along with the City of Ontario, the plaintiffs sued the wireless service provider for divulging the contents of their text messages to the City.  Since the City was the subscriber of the service, its authorization to release the content of the messages would be sufficient to absolve only a RCS of any liability.

This begs the question: what determines whether a provider is an ECS or a RCS?  The SCA defines a RCS as the provision to the public of computer storage or processing services by means of an electronic communication system.  Whereas, an ECS is any service which provides to its users the ability to send or receive wire or electronic communications. Under the SCA, an ECS could temporarily store the electronic communication incidental to its transmission or for the purposes of backup protection.

Reviewing the legislative history and plain language of the SCA, the 9^th Circuit concluded that the City’s provider, Arch Wireless, was merely an ECS.  Arch Wireless provided Quon and other users the ability to send or receive text messages and therefore fell squarely within the definition of an ECS.  It did archive those messages and therefore “store” them on its server, but Congress contemplated this exact function as one an ECS could perform.  Therefore, any information stored on Arch Wireless’ server after delivery was deemed by the court to be for backup protection.  The type of “storage” required by a RCS is akin to that of a virtual filing cabinet, such as when physicians and hospitals maintain medical files in offsite databanks.

The 9^th Circuit did hint that if a provider were to retain a permanent copy of the text messages (beyond the underlying message’s expiry in the normal course) or stored them for the benefit of the subscriber, it could become an RCS.

This decision could have far-reaching implications for many, including any employers that provide pagers or subscribe to communication services for their employees.  If the employer does not itself store the messages sent and received on the pagers, then despite any anti-privacy policy, the employer may be unable to monitor those messages.  As only a subscriber, it would not have the lawful authority to authorize its provider to release those messages.

The decision is also a warning to Internet Service Providers (ISPs) to enact and enforce policies that ensure that its employees do not release information simply upon the authority of their subscriber, whether in connection with litigation or otherwise.  It is certainly possible that an ISP could be an ECS to one client and a RCS to another if it also provides storage and processing services.  Therefore, any analysis of a request for information from a subscriber must begin by determining the ISPs relationship to the subscriber.  If, and only if, the ISP is an RCS for that particular client, can the ISP release the information upon the subscriber’s authority.  Enterprising ISPs may use this opportunity to broaden their relationship with their subscribers by offering storage and processing services and thereby converting the relationship to a RCS.

It is likely that employers could just avoid all this uncertainty by requesting the employee to sign a written consent authorizing the ISPs to disclose any information transmitted or received by that pager or associated with it prior to supplying that employee with a pager or communication service.

One can also imagine the impact of Quon’s decision extending to cloud computing.  Although the analysis of its application is beyond the scope of this post, one should be mindful that under the court’s interpretation an example of processing services offered by a RCS include businesses that transmit their records to remote computers to process sophisticated information.

Bridgewater, NJ (April 23, 2010) – Fernando Pinguelo, a Member of Norris McLaughlin & Marcus, P.A., appeared as a guest on Fox News Channel’s live web show, The Strategy Room, hosted by Kimberly Guilfolye.  Pinguelo was interviewed about today’s headlines featuring internet abuse, including the Security and Exchange Commission Office of Inspector General’s 5-year investigation that revealed SEC employees and contractors visiting porn sites and viewing sexually explicit pictures using government computers. Ms. Guilfoyle’s guests today also included Richard “Bo” Dietl and Dr. Kathryn Smerling. 

The Strategy Room airs weekdays from 9 a.m. to 5 p.m. ET for a discussion of the day’s top stories, plus a variety of hour-long shows on topics like business, health, technology, and entertainment.

“Casual use of the internet in the workplace is on the rise.  With up-to-the-minute Facebook statuses and Twitter ‘tweets,’ the use of company time for personal internet use has become common place.  This has become so common that it is obvious employees don’t realize their actions can be tracked and saved.  This new breaking story testifies to the fact that many workers don’t realize the implications of their actions online,” said Pinguelo.

Pinguelo, Co-Chair of the firm’s Response to Electronic Discovery and Information (REDI) Group, devotes his practice to complex litigation with an emphasis on business disputes, electronic discovery, and media and employment matters.  He has experience in all facets of litigation (trial, mediation, arbitration, and appellate) in both federal and state courts. As a former prosecutor, he has tried numerous cases.  Today, Pinguelo handles a broad spectrum of disputes including copyright infringement, misappropriation of trade secrets, fraud, breach of non-compete covenants, discrimination, and business torts, and is able to address a rapidly evolving crisis or emergency.

A leader in the emerging area of electronic discovery, Pinguelo works with business owners, C-level executives, in-house counsel, and human resources, information technology, and risk managers to develop strategies to manage business and legal issues related to electronic documents. He recognizes that complex contract and statutory considerations impact the evolving business environment. This understanding enables him to help clients comply with the broad array of laws that regulate document management. Pinguelo focuses on preventing claims and pursues strategies that enhance a client’s ability to manage electronic documents because he is keenly aware of the financial and public relations fallout that can result from high-profile electronic discovery abuses and negligence.

Notably, Pinguelo was involved in New Jersey’s first case addressing its new electronic discovery rule amendments, and has lectured numerous times on the topic, including at the Judicial College which provides judges with a wide range of academic programs. He has designed a state-of-the-art electronic discovery law course and teaches one of only a handful of such courses in the country at Seton Hall University School of Law.  Recently, the Fulbright Program, the U.S. government’s flagship international exchange program, designated Pinguelo a Fulbright Specialist for his work in eDiscovery, and he will engage in a project at a university in one of over 100 participating countries.  Pinguelo was also invited to be a member of eDiscovery Group of The Sedona Conference® Working Group Series, a prestigious series of think-tanks consisting of leading experts brought together by a desire to address various “tipping point” issues in each area under consideration.

To view the official press release, click here.

Pinguelo earned his J.D. from Boston College Law School in 1997 and his B.A., magna cum laude, from Boston College in 1994.  He is admitted to practice in New Jersey, New York, and the District of Columbia, and is the founder of eLessons Learned.

In Paris Business Products, Inc. v. Genisis Technologies, LLC (“Paris”), Genisis Technologies, LLC, (“Genisis”) was subject to a discovery order requiring it to preserve all relevant data on company-owned computer hard drives.  Despite this order, Genisis’ executive officers allegedly were responsible for: (1) deleting the company hard drives by reformatting them; and (2) physically removing and destroying some hard drives.

The court in Paris found that spoliation does not require a finding that the company officers were responsible for the missing data.  An adverse inference can be applied against a defendant for spoliation when there is merely “negligent destruction of relevant evidence.” Paris Business Products, Inc. v. Genisis Technologies, LLC, 2007 WL 3125184, ¶ 9 (D.N.J. 2007) (citing  Mosaid Technologies Inc. v. Samsung Electronics Co., Ltd., 348 F.Supp.2d 332, 338 (D.N.J. 2004)).

All that is required for a court to issue an adverse inference is that “a party has notice that evidence is relevant to an action, and the party either proceeds to destroy that evidence or allows it to be destroyed by failing to take reasonable precautions.”  Id.  Courts may find that the destroyed evidence was probably damaging to the party responsible and issue an adverse inference jury instruction.  Id. (citing Schmid v. Milwaukee Elec. Tool Corp., 13 F.3d 76, 78 (3d Cir.1994).

In Paris, the court found all of the necessary elements were met, and that Genisis destroyed evidence it was on notice to preserve.  As a result, the jury was instructed that they may infer the evidence would have been damaging.  Thus, even when evidence may be damaging to a client, it is important for counsel to inform the client of the serious risks of destroying that evidence.  Adverse inferences make a lawyer’s job more difficult; but more importantly they make a client’s chance of success slimmer – something that all clients should be able to appreciate.

Evan received his B.A. from Washington University, St. Louis. He will receive his J.D. from Seton Hall University School of Law in 2010. After graduation, he will clerk for a Superior Court of New Jersey, Criminal Division judge.

In Stengart v. Loving Care Agency, Inc., the Court held that an employee could “reasonably expect that e-mail communications with her attorney through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them.”  The Court also held that the company’s attorneys violated an ethics rule by reading the “arguably privileged” e-mails and by failing to alert the employee that they had them.  But the Court did unleash at least one surprise by announcing that even a seemingly bulletproof company policy on workplace computer use that claims the employer could read an employee’s attorney-client communications would not be enforceable if the employee accessed the communication through a personal, password-protected e-mail account.

Ever quickly peek at your web-based personal e-mail account while still at the office?  Yeah, many of us do, too; and we’d be willing to bet a ham sandwich that certain Justices on the New Jersey Supreme Court probably do, as well.  Peeking at her personal e-mail account while still at work is how plaintiff Marina Stengart ended up in front of those same Justices last winter.  After deciding to sue her employer on various employment discrimination charges, Stengart used a company-issued laptop to communicate with her attorney via her personal, password-protected Yahoo e-mail website.  At the time, Stengart had no idea that the laptop was automatically saving copies of each page that she viewed, to a temporary internet file cache folder on the laptop’s hard drive.  After Stengart quit and turned in the laptop, Loving Care forensically imaged the hard drive and discovered images of the e-mails Stengart exchanged with her attorney.  Believing that Stengart had waived any privilege claims, Loving Care’s attorneys cited one of the e-mails in an interrogatory answer.  That belief was supported, initially, by the trial judge who found that Stengart waived the privilege; but the trial court decision was reversed on appeal to the Appellate Division.

On challenge to New Jersey’s highest court, Loving Care argued that the attorney-client privilege did not attach to the e-mails because its company policy regarding computer and internet use at the workplace removed any expectation of privacy that Stengart may have had; and that she waived the privilege because she accessed her e-mail via the company’s computer and server.  The Court disagreed.  After first deeming Loving Care’s Policy “not clear” and as creating “ambiguity about whether personal e-mail use is company or private property,” the Court evaluated case law from other jurisdictions, giving particular attention to (and ultimately following) a Massachusetts case with nearly identical facts.

The Court considered factors by which an employee could be found to have a lesser expectation of privacy in attorney communications.  First, the court distinguished between the use of a company e-mail system as compared to a personal, web-based e-mail account (such as Yahoo or Gmail.)  E-mails transmitted via an employer’s e-mail account might be subject to less privacy than those sent via a personal web-based account.  Second, the Court noted that the physical location of the company’s computer might make a difference in the analysis, suggesting that an employee who works from a home office may be entitled to greater privacy than an employee whose communication is made via the company’s servers.  Third, the Court recognized that other jurisdictions have held that the existence of a clear company policy that prohibits personal computer use may diminish an employee’s expectation of privacy; but, as explained below, the New Jersey Court refused to consider the sufficiency of a company policy as a determination of whether the employer can pierce the attorney-client privilege.

In holding that Stengart’s e-mails were protected by the attorney-client privilege because she could reasonably expect them to remain private, the Court cited three reasons.  First, the Court noted that Stengart had both a subjective and an objectively reasonable expectation of privacy in the e-mails – she had used a password-protected account to access the messages and had not given her password to anyone at Loving Care.  The Court also noted that Stengart had not used the computer to conduct illegal activities.  Third, the Court seemed impressed that the e-mails contained the boilerplate language warning the reader that the information was only intended for the designated recipient and contained privileged attorney-client communications.  But, as mentioned above, the effectiveness of Loving Care’s “Electronic Communications Policy” on workplace computer use was not dispositive.

The Court determined that the Policy was ambiguous, lacked clarity, and failed to warn employees that even web-based e-mails could be forensically retrieved.  But, as the Court stated, even if the Policy were perfectly drafted, it would not be enough to pierce the attorney-client privilege:

[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.  . . . [E]ven a more clearly written company manual—that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected e-mail account using the company’s computer system—would not be enforceable.

Declining to rely on other states’ case law holding that a clear company policy banning personal e-mails could diminish an employee’s expectation of privacy in attorney-client communications, the Court added that a “zero-tolerance policy can be unworkable and unwelcome in today’s dynamic and mobile workforce and [we] do not seek to encourage that approach in any way.”

What about Loving Care’s attorneys?  Should they have immediately returned the e-mails (which were plastered with the standard “CONFIDENTIAL . . . Attorney-Client communication” language)?  The Court thought so, and ruled that Loving Care’s attorneys violated professional ethics rules by “not setting aside the arguably privileged messages once it realized they were attorney-client communications, and failing either to notify its adversary or seek court permission before reading further.”  Noting the absence of an appearance of bad faith, the Court reiterated that the attorneys “should have promptly notified opposing counsel when it discovered the nature of the e-mails.”

To learn more about Stengart and its rise to the Supreme Court, visit our exclusive Stengart Watch feature which posts articles (and video) on each of the Stengart decisions and on related cases in other jurisdictions.

The e-discovery mishap arose out of a lawsuit involving a contract dispute between the two companies. Basically, Optowave believed that Nikitin failed to live up to the terms of the contract. One way to get to the bottom of this dispute would be to look at the dozens of emails exchanged between the Vice President of Sales and Marketing at PTG and Optowave. There was only one problem: After firing the Vice President of Sales and Marketing, Nikitin had the company hard drives reformatted. Whether by intentionally deleting the emails, or failing to preserve them prior to reformatting, dozens of documents relating to the contract went missing. The timing, according to the court, was “too coincidental and highly dubious.” Moreover, Nikitin claimed that he preserved all the relevant emails, but that hackers subsequently attacked the company and that all of its emails were lost.

As it turns out, Nikitin probably should have known better. Beyond being a businessman, Nikitin is a bit of a computer wiz. The court noted that he built his own computer from scratch.

There is nothing wrong with reformatting company hard drives as part of a business’ routine document management protocol. The lesson to be learned is NOT to do that when you have notice of a lawsuit or that one appears imminent.  At that point, Nikitin had a duty to preserve, especially because he had explicit notice of the duty to preserve evidence.

“It” (Stengart, the fuss, the Supreme Court of New Jersey, this post, all this blog attention) all boils down to whether this employee had a reasonable expectation of privacy in emails between the employee and her lawyer sent and received (during work hours) using the employer’s computer and IT systems.

According to the trial court, Stengart did not have a reasonable expectation of privacy and the emails were properly retrieved and used by the employer and its lawyers in defense of the lawsuit.  According to the appeals court, not only did she (have a reasonable expectation of privacy), but also the appeals court took issue with the way the company lawyers handled the situation and queried whether the lawyers acted inappropriately when they retrieved and used these emails – and whether they should be sanctioned and/or thrown off the case.  Ouch!

This case is serious stuff, my friends, for lawyers, employees, and employers alike.  For those new to the case, here are some key elements of the Stengart line of cases for you to consider as the whole world (and blogosphere) awaits a ruling by the Supreme Court of New Jersey on the issues both the trial and appeals courts addressed and ruled upon.

The Facts (in a nutshell)

Loving Care Agency (the defendant in the case) is in the business of providing home care services for children and adults. The plaintiff, Maria Stengart, was its Director of Nursing for all of Loving Care’s branches as well as the Branch Manager at Loving Care’s Fort Lee office. Ms. Stengart was also one of the first two employees when Loving Care first opened for business in 1994.

Loving Care maintains an employee handbook which is distributed to all employees and which is also available to employees electronically via Loving Care’s servers. During Ms. Stengart’s tenure as Director of Nursing and Branch Manager for Loving Care, she assisted in the creation and distribution of the employee handbook. Among other things, the handbook governs an employee’s use of Loving Care’s computers and other technology resources. Under a section entitled “Electronic Communications,” the handbook provides, among other things:

• Technology resources are considered company assets.
• Email and voicemail messages, internet use and communication, and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.
• The principal purpose of email is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures.
• Certain uses of the email system are specifically prohibited, including but not limited to job searches or other employment activities outside the scope of company business.

During her employment at Loving Care, Ms. Stengart was provided with a company-issued laptop computer and assigned a Loving Care email account for business use. She also maintained a personal email account through Yahoo. Ms. Stengart occasionally accessed her password-protected Yahoo account to write emails during work hours on her company-issued laptop.

In December 2007, Ms. Stengart resigned from Loving Care. Two months later, she filed a lawsuit against Loving Care alleging that the hostile work environment had led to her constructive discharge. In April 2008, Loving Care’s attorneys in the employment lawsuit caused to have made an image of Ms. Stengart’s company laptop computer hard drive. The image preserved the electronic information contained on her employer-issued laptop. The hard drive was then sent to a company that could restore and recover deleted information located on the hard drive.

The Legal Path

eDiscovery: In October 2008, Loving Care served plaintiff its Answers to Ms. Stengart’s first set of interrogatories. In response to an interrogatory, Loving Care stated that it had obtained information contained in “email correspondence from Ms. Stengart’s office computer on December 12, 2007 at 2:25 p.m.” between plaintiff and her lawyer. This email was uncovered by the company hired to restore and recover deleted information located on the hard drive of plaintiff’s employer-issued laptop. The email in question was sent from Ms. Stengart’s password protected Yahoo account to her lawyer.

Loving Care’s answer to this interrogatory prompted Ms. Stengart to demand that all emails between her and her lawyer held by Loving Care be returned or destroyed. She claimed that the attorney-client privilege protected all such emails. Loving Care refused to return or destroy the emails, claiming that the content of the emails was not protected by the attorney-client privilege because Ms. Stengart waived the privilege by using Loving Care’s computer and server during business hours to make the communication. Ms. Stengart thereafter filed an Order to Show Cause alleging Loving Care’s attorneys breached her attorney-client privilege when Loving Care recovered and retained email correspondence made between her and her lawyer.

The trial court: The court determined that Loving Care’s policy (as detailed above) placed plaintiff on notice that all of her internet-based communications are not to be considered private or personal. In addition, Loving Care’s policy put employees on notice that the technology resources made available to employees were to be used for work-related purposes, particularly during business hours. The court found that the company’s policy adequately warns employees that there is no reasonable expectation of privacy (not outright prohibition of use) with respect to any communication made on company issued laptop computers and servers, regardless of whether the email was sent from Ms. Stengart’s work email account or her personal web-based email account. It was with Loving Care’s technology resources, laptop computer, and company time that Ms. Stengart communicated with her lawyer.

Thus, the court found that when Ms. Stengart decided to use company time, equipment, and resources to communicate with her lawyer, she did so with knowledge that such use would not be personal or private to her. Ms. Stengart’s choice of using her employer’s resources to communicate with her lawyer was her voluntary choice; and the court held that it constitutes a waiver of her attorney-client privilege.

The appeals court: The appeals court reversed the trial court and remanded the case.  The appeals court held that employees have a reasonable expectation of privacy in personal communications on a company owned computer. In sum, it held that a policy purporting to transform all private communications into company property “merely because the company owned the computer used to make private communications“ furthers no legitimate business purpose.

The appeals court concluded reversal of the trial court by addressing the issue of attorney discipline for the company’s law firm that uncovered and kept the emails. The appeals court determined that the law firm violated New Jersey Rule of Professional Conduct 4.4(b) because the lawyers failed to cease reading and examining the emails upon discovery and failed to notify plaintiff’s lawyer promptly of their discovery. The appeals court ultimately determined that whether the company’s attorneys should be disqualified is a matter for resolution upon remand to the trial court.

Where The Case Stands, Today

On July 29, 2009, the Supreme Court of New Jersey granted a motion for leave to appeal the appellate division ruling.  See 200 N.J. 204 (2009).  On December 2, 2009, the Court heard oral argument on the case.  You may view the oral argument webcast at:   http://njlegallib.rutgers.edu/supct/args/A_16_09.php (click on Video Feed )

A decision is expected any day.  Click here for immediate notification of the Supreme Court of New Jersey’s decision and other eDiscovery posts.

eLessons Learned has been following the Stengart case closely since its inception.  Read our past blog posts and coverage of this important case here.

The court iterated that whether an employee had a reasonable expectation of privacy in his/her emails transmitted through an employer’s server should be determined on a “case-by-case basis.”

In finding that Aguiar had no reasonable expectation of privacy, the court adopted the four factors used In re Asia Global Crossing, Ltd., 322 B.R. 247, 257 (S.D.N.Y. 2005) to determine whether an employee has an expectation of privacy in emails generated at the workplace.  The factors consider whether:

(1) the company maintains a policy banning personal or other objectionable use, (2) the company monitors the use of the employee’s computer or email, (3) third parties have a right of access to the computer or emails, and (4) the company notifies its employees, or was the employee aware, of the company’s use and monitoring policies.

Id.

Here, these factors were easily satisfied by the employer’s generic information technology policy stated in its employee handbook that it sufficiently promulgated.  As long as an employer adheres to its own established policy, its employees have no expectation of privacy in emails transmitted through the employer’s server.   The court noted that “sending a message over [an] e-mail system was like placing a copy of that message in the company files.” Id. The court may have gone farther than its holding citing Black v. State, which found attorney-client privilege inapplicable for a telephone call when the party was warned that telephone conversations were monitored and taped.  920 So.2d 668 (Fla. 5^th DCA 2006).  Thus, it is reasonable to infer that any communication made at work that is monitored or recorded could lose privacy protection if the employee was aware of the company’s monitoring and recording policies.

Generally, the court holds that there is no expectation of privacy in emails sent from work under these circumstances; thus, an employee waives the attorney-client privilege for communications sent through an employer’s server.   To protect the attorney-client privilege, it is the responsibility of the attorney and the client to be vigilant and aware of the medium of the communication, and ensure that third parties do not have access to one’s confidential information.

Increasingly, our society devotes a lot of time and energy to the use of smartphones. Whether it is a BlackBerry or an iPhone, it is the craze, and many now feel that they need to access their emails from the palm of their hands. And the corporate world is no different. Executives spend as much time focusing on the best ways to read emails, send and receive instant messages, and access the Web as the rest of us.

However, executives (and the corporations they work for) who use company intranets, also need to worry about the possibility of unintentional data distribution — meaning they should concern themselves with the fact that confidential information may be disseminated unintentionally or unexpectedly to the public. For example, if an employee-owned smartphone was reported lost or stolen, what would a company do to make any relevant data on the device unreadable? Maintaining mobile communication security is an important issue that companies need to address, now.

In his article, John Sawyer recommends that the key to solving the problem of mobile communication security is to provide “support” for such devices. Why does that mean? Whenever a company releases a new device, or software, it is bound to encounter inquiries from employees if some malfunction occurs. Typically, IT receives the calls for any technical issue and works to fix the problems.  Sometimes outside service providers supply this support. Sawyer suggests that corporations handle the support in-house because it is simply too difficult to try and manage a wealth of devices from different service providers and have them fit under a single security system. Providing employees with a uniform service will help ease a company’s problems. Still, it is important to note that there are some options for managing multiple outside service providers, including Zenprise and BoxTone.

Other security suggestions include having employees use a single computing platform or encrypt company-issued devices. This will help when creating policies specifically for the correct use of these smartphones.