When is an employer allowed to read your email?

Summary: Is email privileged when you communicate with your lawyer using an employer-supplied laptop? Two cases, two different outcomes.


When you use a company-supplied laptop, it's well understood that the company may be monitoring your email messages. The company has an interest in ensuring that company intellectual property or other privileged information does not become public. So far the courts have decided two cases with different outcomes. In Boise, Idaho, U.S. District Judge Shira A. Scheindlin rejected a claim that attorney-client privilege should NOT apply when using an employer's laptop to email an attorney, even when using a third-party email provider, which in this case was Yahoo.

On Discovery Law's website, the analysis and report of the court's finding in this case summarizes the crux of the issue:

Quickly dismissing any work product protection because Charney represented only non-parties to the action, the court turned to the question of whether the emails were protected by attorney-client privilege.  Specifically, the court presented the question:  "Does the use of work e-mail waive any privilege?"  To answer the question, the court turned first to the four factor test established by other jurisdictions:

(1) Is there a company policy banning personal use of e-mails?; (2) Does the company monitor the use of its e-mail?; (3) Does the company have access to all e-mails?; and (4) Did the company notify the employee about these policies?  See In re Asia Global Crossing, LTD., 322 B.R. 247, 257 (S.D.N.Y.2005).

The court rejected Kirkpatrick's "bare assertion" that she did not "subjectively intend to waive the privilege" of the emails as "insufficient" in the face of her employer's policies regarding electronic communications.  Specifically, her employer's policies stated that employee emails would:  "(1) become company property, (2) be monitored, stored, accessed and disclosed by [the employer], and (3) should not be assumed to be confidential."  Additionally, the court reasoned:  "It is unreasonable for any employee in this technological age--and particularly an employee receiving the notice Kirkpatrick received--to believe that her e-mails, sent directly from her company's e-mail address over its computers, would not be stored by the company and made available for retrieval."

Accordingly, the court found that Kirkpatrick had waived the privilege as to those messages sent from work. Addressing emails sent from Charney to Kirkpatrick's work address, the court found that they were also unprotected:

[T]here is no question that her address--"xxxx@IHFA.org"--clearly put Charney on notice that he was using her work e-mail address.  Employer monitoring of work-based e-mails is so ubiquitous that Charney should have been aware that the IHFA would be monitoring, accessing, and retrieving e-mails sent to that address.  Given that, the Court finds that Charney's e-mails sent to Kirkpatrick's work e-mail are likewise unprotected by any privilege.

But yesterday, the New Jersey Supreme Court, in a unanimous decision in a similar case, declared that email sent to an attorney using an employer's computer is considered privileged. In this case, it was damning since the case involved the employer purposely tracking the employee's email because it had found out that the employee was going to file a discrimination complaint against the company and promptly planned a defense using the contents of the email as a source of information.

HELD: Under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. By reading e-mails that were at least arguably privileged and failing to promptly notify Stengart about them, Loving Care's counsel violated RPC 4.4(b).

1. To determine the reasonableness of Stengart's expectation of privacy, the Court first examines the meaning and scope of the Policy. It does not give express notice to employees that messages exchanged on a personal, password protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that Loving Care may review matters on "the company's media systems and services," those terms are not defined. The prohibition of certain uses of "the e-mail system" appears to refer to company e-mail accounts, not personal accounts. The Policy does not warn employees that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. It also creates ambiguity by declaring that e-mails "are not to be considered private or personal," while also permitting "occasional personal use" of e-mail. (pp. 12-14)

2. The attorney-client privilege encourages free and full disclosure of information from the client to the attorney.

To be protected, a communication must initially be expressed by a client in connection with receiving legal advice, with the expectation that its contents remain confidential. The e-mails between Stengart and her lawyer contain a standard warning that their contents are personal and confidential and may constitute attorney-client communications. The subject matter of those messages appears to relate to Stengart's anticipated lawsuit against Loving Care. (pp. 14-15)

3. In this case, the source of the reasonable-expectation-of-privacy standard is the common law tort of "intrusion on seclusion." Under the Restatement (Second) of Torts, a person who "intentionally intrudes" upon the "seclusion of another or his private affairs" is liable for invasion of privacy "if the intrusion would be highly offensive to a reasonable person." Reasonableness has both subjective and objective components. Whether an employee has a reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis. (pp. 15-17)

4. No reported New Jersey decision offers direct guidance for this case. A Massachusetts decision, National Economic Research Associates v. Evans, is most analogous to the facts here. In Evans, an employee used a company laptop to communicate with his attorney through his personal, password-protected Yahoo account. The emails were automatically stored in a temporary Internet file on the laptop's hard drive and were later retrieved by a forensic expert. A company manual permitted personal use of e-mail, to "be kept to a minimum," but warned that computer resources were the "property of the Company" and that e-mails were "not confidential" and could be read "during routine checks." The court denied the company's request to use the e-mails. The court reasoned that, while the manual warned that e-mails sent on the network could be read, it did not expressly state that the company would monitor the content of e-mail communications made from an employee's personal e-mail account when they were viewed on a company-issued computer. Also, the company did not warn employees that the content of such e-mails is stored on the hard drive and capable of being read by the company. The court found that the employee had a reasonable expectation of privacy in e-mails with his attorney. (pp. 17-19)

The New Jersey Court's decision in its entirety is available here. The Supreme Court of the United States is set to consider employee privacy in City of Ontario v. Quon, in which EPIC submitted a "friend of the court brief."

  • My Organization Monitors Email

    Now no one is sitting there reading every single message but we do have some keyword and message type alerts set up and we have reprimanded people for extensive use of company mail for personal uses. We do not monitor if they use their web based personal email but we do keep tabs on who uses personal email a lot and have the ability to read the messages by extracting the data at the packet level if necessary.

    I firmly believe that company computers and company resources should be used for company/organization reasons. There can be some soft rules but excessive abuse of those soft rules should be taken seriously.
    • Yes - that's the assumption

      In the two circumstances I've demonstrated as examples, the email messages are from employee to employee legal counsel. That brings up a few sticky issues: "how" IT can monitor employees and, when it has been determined to be attorney/client, how is IT supposed to know - they aren't lawyers. Yet IT can't play dumb either...

      It will be interesting to see what the outcome of the U.S. Supreme Court decision is.

      Thanks for writing.
      • Not a gray area at all

        The employee is using company's assets to perform personal communication. The fact that the person on the other side is a lawyer, makes absolutely no difference.

        Employers have the right to monitor 100% of the data going through their networks. There are no exceptions to the rule.
        • It would appear...

          That the Supreme Court of New Jersey disagrees with you and a Judge in Idaho concurs with your view.

          That said, what I didn't read, in any context, was a 'rule' offering what is and isn't illegal.

          I'm not a lawyer, but I'll investigate further. In my opinion a company can monitor email and collect it. What it can't do is read it and use it against an employee if it's found to be within the context of Attorney-Client Privilege. What it may have to do is subcontract any review of information to a third party. The contracted vendor could assess if any information gathered in an investigation is in conflict with the law - at least in the State of New Jersey.

          There may be an appeal of the case, but I doubt it.

          Thanks for writing.
          • Hmmm....

            I'm not sure the two rulings are contradictory.
            One refers to an email address owned by the
            company, the other referred to a third-party email
            address. I don't think the rulings specifically
            addressed the issue raised by the previous poster.
            Now, if the second company had a statement in its
            usage policy that all data entered into websites
            would be tracked and archived, then the ruling may
            have been different.
          • Agreed...

            I agree, I don't find the two rulings particularly contradictory. In the Idaho case, the employee was using their company email address, which reasonably one would think an employee (to say nothing of his or her lawyer) would know are going to potentially be monitored by the company, quite aside from the explicit warnings that emails are stored and can be read by the company. Frankly, that just seems foolish on both the employee's and lawyer's part not to recognize that.

            In the NJ case, while the employee is using the company's computer and or network, they are using a private, web-based email service, protected by a password, and probably reasonably expect that their session is a private communication, and moreover, one not likely to be monitored and recovered - few average PC users would even understand that browser data is usually cached and can be recovered.

            It will be interesting to see if employers begin to explicitly spell out in policies that ALL communications on all company equipment and networks may be monitored and recorded - and if the courts accept that as valid on the part of employers to do so.
          • Where is the end of that?

            I'm encouraged to take my work PC home and
            remote in. Everyone may be asleep here, but if
            I do five minutes of work it may unblock
            someone in Singapore. So, if I have a
            microphone on this laptop, and in some
            eternally long document the company says that
            if they have any way of collecting data with
            their property they may, I would no longer have
            a reasonable expectation of privacy? Just
            because a company *can* find someone to do
            something does not make it reasonable or legal.
          • @tkejlboom: there's two edges to that sword

            "...Everyone may be asleep here, but if
            I do five minutes of work it may unblock
            someone in Singapore. So, if I have a
            microphone on this laptop, and in some
            eternally long document the company says that
            if they have any way of collecting data with
            their property they may, I would no longer have
            a reasonable expectation of privacy?"

            That's almost complete nonsense. I mean .. wt?

            Are you suggesting that you have *no obligation* to your employee for having the use of their wares? Aside from being downright audacious and arrogant, what you're implying is the opposite extreme. Effectively, you're saying that you should have open slather on company property - and up the flag pole with ethical use of the same.

            If company policies surrounding the use of computing h/w & s/w are as stringent as he (i.e. the guy you've replied to) states, that *should be good enough* (as far as precedents go) for legislators to pass into law across as many states and other jurisdictions and countries as possible.

            With all due respect .. and after all's said and done, wt* is stopping you from using your own PC at home??

            Geez Wayne!
          • laptop microphone

            "So, if I have a
            microphone on this laptop, and in some
            eternally long document the company says that
            if they have any way of collecting data with
            their property they may, I would no longer have
            a reasonable expectation of privacy?"

            This is referring to the possibility of a company remotely enabling the computer microphone, and recording audio, in the employee's home.
        • Not so fast....

          Does that mean that an employer has the right to casually intercept and listen to a private telephone conversation between an employee and their attorney when company owned telco assets are being used? I believe there are federal laws against that. Isn't this somewhat the same thing?
          • For private phones

            I cannot speak for all organizations but we can access logs on any data coming in and out of our system including phone calls and yes we have the ability to place a record flag on certain extensions. We do not record all phone calls as that would be lots of audio data but in our phone system we can selectively enable the recording option. This is clearly stated in our AUP (Acceptable Use Policy) that this can be done. The phone you are using is not private.
          • Thank You!

            You've made perfect sense - something many on these forums (more often than not) struggle and fail to do ..
          • phones

            Federal law, at least 1 party has to know that it may be recorded. State law can vary; in California, both parties must know, so if any of your employees ever call California, or other states with similar law, your company can end up in some trouble.
          • Ah..

            It says in the District's Acceptable Use Policy that phone calls can be recorded at any time. This is signed and agreed upon by the user. When an outside caller calls in at the main line the usual disclaimer is posted that says something that phone calls can be recorded for quality control or something like that even though we are not a customer service industry. I forget the exact verbiage as the school's lawyers handled it.
        • How can anyone know in advance . . .

          "The employee is using company's assets to perform personal communication. The fact that the person on the other side is a lawyer, makes absolutely no difference."

          How can anyone know in advance that what they are reading is something they should not be reading? If it's confidential, use your own computer and email.
      • Sensible paranoia

        Surely it's possible to use home-based systems or internet cafes?

        These cases seem to be like standing around the water cooler telling people "in confidence" that you are about to attack them. Sooner or later someone might take notice or someone else might over-hear.

        Perhaps in the west we have become too used to the idea of the "Right" to privacy. We increasingly need warnings such as the notices by hot water taps saying "Danger, hot water" or on kitchen knives saying "hold by the handle" or "Warning, may have sharp edges". Is it paranoia that makes me tend to pick up a knife by the handle or stupidity?

        I think some people need to think even just a little bit might help and if they get caught out by things like that then perhaps their genes shouldn't continue to add into the gene pool of humanity

        Good luck and regards to all from
        Tom :)
    • Same here

      I'm asked from time to time to retrieve emails for various reasons for the company.

      All employees read and sign it as part of their hire package, so there's no mistaking it: the company *owns* the email, and employees *have* to follow the rules, and accept the fact that the company can look at them if they wish.

      If they use a private account (hotmail, yahoo, etc.) on a company computer, they don't look at that, so go ahead and use that if you want complete privacy. If it gets excessive, we can block access to that site.

      The company supplies email so the employees can conduct company business, but will allow personal stuff, as long as they understand the company can see it, so be sure you know what you're emailing.
      • Most companies block access to web based email


        #1- Viruses. Hotmail used to be the #1 source of corporate computer viruses. Stupid users would click on every attachment and infect their computer, which eventually infected others. Even with all the safety that most providers include, people are still stupid enough to click on attachments on email inside the "Spam" folders.

        #2- Legal protection. Most people will receive an email or spam at one time or another that is completely inappropriate for the workplace. All it takes is one coworker walking by to generate a harassment lawsuit against the company for having a "hostile environment". BTW, I didn't use the word sexual ... because in the work place harassment can also apply to race, religion, political affiliation and pretty much anything that makes another person uncomfortable.
        • If they're uncomfortable but they're free to leave, what's the problem?

          What basis would there be to press charges on?
          • Ask the people who awarded $$$$ in thousands of cases

            You must not understand harassment law too well.

            Sure, people can walk away .... but the law considers being forced to walk away some kind of harassment.