Before answering the specific question regarding employee privacy policies, here is a summary of the New Jersey...
In the case of Stengart vs. Loving Care Agency, Ms. Marina Stengart (plaintiff) was the Executive Director of Nursing at Loving Care Inc., until she resigned in January 2008. In February 2008, she filed a suit against Loving Care alleging discrimination. (Of note, Ms. Stengart was provided a company laptop computer and a work email address.) Prior to her resignation, Ms. Stengart sent emails to her attorneys using her work-assigned laptop, but did so through her personal, Web-based, password-protected Yahoo email account.
After Ms. Stengart filed her suit, Loving Care created a forensic image of the hard drive from her company-assigned laptop computer. When reviewing Ms. Stengart's Internet browsing history, an attorney for the company discovered that Ms. Stengart had sent and received numerous email communications to and from her attorney prior to her resignation.
There were many conversations between the plaintiff's and the company's attorneys regarding whether or not the emails were protected by attorney-client privilege, because Loving Care's electronic communications policy put Ms. Stengart on notice that her emails would be viewed as company property. This ultimately resulted in an appeal to the New Jersey Supreme Court.
The Supreme Court recognized that Ms. Stengart took steps to protect the privacy of her emails. She used a personal, password-protected email account instead of her company's email address and did not save the password on the company computer. Also, the emails bore a standard mark of attorney-client privilege. Basically, the court said, the employee had an expectation of privacy from company review of these emails that was "objectively reasonable."
So, in answer to the question posed by the reader, here are some key considerations for you and your company regarding privacy laws in the workplace:
1. Do you have a written policy in place stating that the employee should have no expectation of privacy when using company telephones, computers and other messaging equipment? If not, put one in place.
2. Do employees sign to verify they have read and understand this policy? If not, it would be wise to institute such a practice in order to have some sort of verifiable evidence that the policy exists and that employees have been given a copy of said policy.
3. Do you have a policy prohibiting or restricting use of Web-based email systems? Strongly consider a restriction here, not only to avoid being in the same situation as the Loving Care Agency, but also because using Web-based email can bypass spam and antivirus filters and, as such, could put the network in jeopardy.
4. What does the policy say about personal use of email, telephones and other messaging systems owned by the company? In this case, it's necessary to determine the corporate position and the unintended consequences that may occur. For instance, what would be considered "more than occasional use?" What if the messages were sent using something like Twitter, Facebook or a Web-based email system owned and managed by the employee?
5. What is the policy for saving/retaining computer hard drives and email following resignation or dismissal of an employee or vendor -- especially for cause? Although not specifically stated in the New Jersey case summary, the company may not have been aware that the employee was planning a lawsuit. Hence, if there is no policy/procedure to retain hard drives and email of an employee following his or her departure for subsequent investigations, you could run into problems where evidence is "erased" and lost when a laptop or desktop computer is reassigned to another employee or vendor. Basically, hard drives are fairly inexpensive, and it's worth considering a policy to retain the hard drives and the email files of former employees for a year (minimum) following resignation, until it is ascertained that the employee files are not needed for investigations or other reasons.
6. Has your state attorney general offered any perspective on the New Jersey case and whether there are plans for new legislation in your state, either to uphold the New Jersey privacy rulings or offer companies some added protection for such events? You may want to discuss this with your corporate counsel.
The final advice is essentially as follows:
1. Read the New Jersey Supreme Court case summary and think about how vulnerable your company would be should a similar event happen to you.
2. Read the above questions and determine the actions you need to take at your company regarding corporate employee-privacy policies for using corporate messaging systems.
3. Take action to ensure you can perform forensic analysis of corporate messaging systems either in-house or with the use of competent outside contractors.