Workplace Communications and Employee Privacy Rights: Stengart v. Loving Care Agency and City of Ontario v. Quon

April 25, 2010

Consider this typical scenario:  an employer makes available to its employees computer and other communications devices to enable its employees to perform their roles for the employer.  The company adopts a broad computer use policy, which sets forth restrictions on the use of the employer’s equipment for non-company business, including a right by the company to review communications that pass through the company’s computer network.  Are there (or should there be) any exceptions to the employer’s right to review the communications made through mobile communications devices?  Or stated another way, when does an employee have a reasonable expectation of privacy with respect to such communications?  In the past month there were two notable case developments wrestling with these very issues.

Stengart v. Loving Care Agency

In Stengart v. Loving Care Agency, A-16, Sept. Term 2009 (N.J. Mar. 30, 2010), the New Jersey Supreme Court addressed the issue of whether an employee who used a company-issued laptop computer to access an e-mail account maintained with a third party e-mail service (a Yahoo e-mail account) had a reasonable expectation of privacy with respect to communications she had with her attorney.  The court answered that question in the affirmative.  The plaintiff, Ms. Stengart, anticipated filing a claim against her employer, the Loving Care Agency, prior to her resignation from the company and engaged a lawyer to review potential claims that she might bring against her employer.  She filed an employment discrimination claim shortly after her departure, and her employer hired a forensics expert to record all files contained on the laptop she had been using.  Among the files recovered were hard disk copies of numerous messages between Ms. Stengart and her legal counsel.  The company’s counsel used these messages in preparing its defense of the company and divulged its access to the e-mails only after routine discovery requests in the case.

In evaluating the contrary positions of employee and employer, the New Jersey Supreme Court engaged in a thorough analysis of the developing case law of employee privacy with respect to workplace communications, including, in passing, considerations under the Fourth Amendment to the U.S. Constitution, which addresses the individual right to be free from unreasonable governmental searches.  The opinion is worth reading for this discussion alone.  What seemed most relevant to the court, perhaps because it was looking for a narrow ground upon which to decide the case, were two facts:  (i) the communications at issue were subject to the attorney-client privilege, which could not be considered under these facts (particularly with attorney-client privilege notices posted in each e-mail) to have been waived, and (ii) the employer’s policy did not directly address use of third party e-mail accounts in any way.  The court seemed to suggest that but for the attorney-client privilege issue an employee might not have a reasonable expectation of privacy in a non-work-related personal e-mail account merely because an employer’s computer was used to access the e-mail account over the Internet.

City of Ontario v. Quon

On April 19, 2010, the U.S. Supreme Court heard oral arguments in City of Ontario v. Quon (08-1332), a case in which some of the salient facts resemble those in the Stengart case.  In Quon, a SWAT team sergeant in the city of Ontario, California used a text pager issued by the police force to send numerous personal messages, including many that were of a sexual nature.  As in Stengart, the city, as the employer, had a broad electronic communication policy prohibiting usage of city-issued communications devices for personal use.  However, the policy was not clear about whether pagers were covered.  When an official announced that they were, the official also noted that so long as any personal usage was paid for by the individual officer, such uses would not be subject to review for whether they were personal uses.  It was therefore not clear whether the city was more concerned with the issue of cost as opposed to personal pager usage.  During a subsequent audit of the phone messages of Sergeant Quon, it was revealed that his usage was in violation of the city’s policy both for the personal use and because of the sexual nature of his messages.  Quon and several of the message recipients subsequently sued the city for a violation of their rights.

Just as in Stengart, the principal issue was whether the individual officer and those with whom he communicated using the pager had a reasonable expectation of privacy in the messages sent through the pager.  Because the employer is a city government, the issue of Fourth Amendment coverage was invoked.  Although the trial court found for the city, the U.S. Court of Appeals for the Ninth Circuit found for Quon and the other plaintiffs on the grounds that the city’s policy had in effect been countermanded or modified by the contrary statements made by the police official who first announced that pager use would now be within the scope of the city’s communications policy.

It is almost always difficult to discern case outcomes from the tenor of oral arguments in the Supreme Court.  The Justices appear to enjoy the opportunity to engage in as much devil’s advocate type questioning as you will see in any court.  However, to read the transcript of the oral arguments, it is fair to note that counsel for Quon and the other plaintiffs had a greater challenge keeping their arguments and responses consistent throughout the questioning.

The Takeaway

Both Stengart and Quon provide good examples of how the law frequently has to race to keep up with technology.  It is likely that the Supreme Court’s eventual decision in Quon will have implications beyond the government employment context and will be instructive to private employers as well.  However, regardless of how the Court decides that case, the situations presented by both these cases should cause employers and employees alike to pause and exercise even greater care with respect to workplace communications and how they should interact in that arena.  An employer should reexamine its policies to ensure they are sufficiently broad to cover the types of communications used by its employees and that these policies are not unintentionally undermined by those speaking out of school.  Employees should also be cautious about their expectations of privacy in the face of such broad business communications policies and exercise an extra degree of common sense in such matters.

Links:

Copy of N.J. Supreme Court Opinion in Stengart v. Loving Care Agency:  Stengart v. Loving Care Agency

Link to Transcript of Oral Argument in City of Ontario v. Quon:  http://www.supremecourt.gov/oral_arguments/argument_transcripts/08-1332.pdf


Computer Fraud and Abuse Act Construed Narrowly Against Employer

October 20, 2009

Consider this common enough scenario:  a senior executive, having resolved to shortly leave his current employer to establish a potentially competing business, uses his employer’s e-mail system to send confidential company documents and data to his personal e-mail account.  Has the executive accessed his employer’s computer resources without authorization and thereby violated a key provision of the federal Computer Fraud and Abuse Act (the “CFAA”)?  According to the Ninth Circuit’s recent decision in LVRC Holdings v. Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), in the absence of a written agreement with the employee or a computer use policy clearly prohibiting such activity, merely acting contrary to an employer’s interest is insufficient to justify an unauthorized access claim for liability under the CFAA.

LVRC Holdings found itself in the above scenario when it learned that its former employee, Brekka, had sent sensitive company materials to his personal e-mail account prior to his resignation.  Interestingly, before any thought of leaving had arisen, Brekka routinely sent company materials to his personal e-mail account with his employer’s tacit consent.  LVRC only sought to hold Brekka liable for unauthorized access to a protected computer once Brekka decided to start a competing business while still employed by LVRC.  LVRC contended that under those circumstances Brekka was no longer authorized to access the company’s e-mail or other computer resources.

The district court and the Ninth Circuit believed that LVRC’s approach to the CFAA was inconsistent with the idea that, as both a criminal and civil statute, the CFAA’s prohibitions should be read with any ambiguities resolved in favor of the defendant under the rule of lenity.  The history of the CFAA as a means of addressing concerns over third party hacking into a company’s computer systems also supported the view that an employee exceeding his authority was not the type of harm the “without authorization” prong of the CFAA sought to address.

In addition, while a claim might have been sustained under a separate part of the CFAA dealing with liability for exceeding one’s authority, such a claim requires convincing proof, and the failure of LVRC to have even adopted an acceptable use policy for company computer resources or to produce acceptable evidence of access after Brekka’s resignation doomed LVRC’s claim.

Among other important lessons, this case highlights the need for employers to have either written agreements with their employees on acceptable computer use practices or at least a well-publicized company policy statement to the same effect.

Link to Decision:  http://www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf