The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Employee e-mails to personal attorney using company e-mail address that is subject to monitoring are not privileged

An employee’s messages to his attorney sent via the employee e-mail system, a practice which was against company policy and subject to monitoring by the employer, are not protected by the attorney-client privilege or work product doctrine. Scott v. Beth Israel Medical Center Inc., No. 602736/06, 2007 N.Y. Misc. LEXIS 7114 (N.Y. Sup. Ct. N.Y. Cty Oct. 17, 2007). The court denied the employee’s motion for a protective order barring the employer from viewing his e-mails concerning the instant lawsuit sent to his attorney from his employee account. In finding that the employee waived privilege, the court concluded that the employer had an e-mail policy banning personal use and that the employee, as an administrator, had constructive notice that the employer had the right to monitor e-mail communications over its network. The court also rejected the employee’s work product doctrine argument based upon his attorney’s confidentiality notice e-mail footer, holding that the attorney’s pro forma confidentiality notice at the end of the e-mails was “insufficient and not a reasonable precaution” that would provide a qualified privilege against disclosure.


This case is likely to add fuel to the fire for attorneys challenging an assertion of the attorney-client privilege. Companies should consider adding to their e-mail policies a statement that the use of corporate e-mail to communicate with personal attorneys could result in a loss of any privilege that might otherwise attach to the communication.

Leave a comment

Software company that provided leads to marketer that sent unsolicited faxes referencing company’s product not liable as “Sender” under TCPA

A software company that gave advertising leads to a training company that sent unsolicited faxes advertising its own services and the software company’s product is not liable as a “sender” under the Telephone Consumer Privacy Act (TCPA) because there was no evidence that the faxes were sent on the behalf of the software company. Hughes v. FrontRange Solutions USA, Inc., No. D049869, 2007 Cal. Unpub. LEXIS 8344 (Cal. Ct. App. Oct. 16, 2007) (unpublished). The court granted the software company’s summary judgment motion, ruling that the evidence was insufficient to prove that the unsolicited faxes sent to the plaintiff by the training company were sent on behalf of the software company. The court found that even if the evidence showed that the software company offered leads to the training company and was aware that some of the leads resulted in faxed solicitations for the training company’s services, such facts do not establish that the faxes were sent on behalf of the software company.


Leave a comment

Insurer has no duty to defend electronic privacy claims under policy containing “Online Activities” exclusion

An insurance policy that covers personal injury liability, with an exclusion for “online activities,” defined, in part, as “providing Internet access to third parties," does not provide coverage for an Web entity’s violations of federal computer privacy laws. Netscape Communications Corp. v. Federal Insurance Co., No. 06-00198, 2007 U.S. Dist. LEXIS 78400 (N.D. Cal. Oct. 10, 2007). The court granted the insurer’s summary judgment motion, ruling that, based upon the policy exclusion, the insurer does not have a duty to defend the insured for lawsuits alleging violations of federal electronic privacy laws stemming from user information gathered for targeted advertising purposes. In construing the policy exclusion, the court determined that the definition of “Internet access” under the exclusion is broader than merely providing an Internet connection and included the plaintiff’s online activities that “facilitated the ability of users to make use of the Internet.”


Leave a comment

Forum selection clause applies to telephone transactions where purchaser accessed seller’s web site privacy policy

A purchaser who accessed a seller’s Web site to view the Privacy Policy in conjunction with a telephone transaction is bound by the forum selection clause contained in the Web site’s Terms of Use, which is explicitly connected to the Privacy Policy and governs the use of the site. Greer v., Inc., No. 07-2543, 2007 U.S. Dist. LEXIS 73961 (S.D. Tex. Oct. 3, 2007). The court granted the seller’s motion to dismiss for improper venue, ruling the purchaser was bound by the forum selection clause mandating a different forum. The court rejected the purchaser’s argument that the forum selection clause was not part of the Privacy Policy, finding unambiguous language that the purchaser was given notice that the Privacy Policy, which forms the basis of the purchaser’s claims, was part of a broader Terms of Use. The court also found that accessing the Web site constitutes an agreement to be bound by the Terms of Use, including the forum selection clause, an application of which would not be unreasonable against the purchaser.


Leave a comment

Authorized computer access by departing employee not CFAA violation

A departing employee, who copied proprietary files while still having full access to his employer’s protected computer databases did not access information “without authorization” or otherwise "exceed authorized access" under the Computer Fraud and Abuse Act (CFAA). Diamond Power Int’l, Inc. v. Davidson, No. 1:04-cv-1708, 2007 U.S. Dist. LEXIS 73032 (N.D. Ga. Oct. 1, 2007). The court granted summary judgment to the defendant on the CFAA claims, but let stand other related trade secret and contract claims based upon the employee’s forwarding of confidential company information to his new employer. The court found that the employee could not be liable under the CFAA because there was no dispute that he was authorized to initially access the company computers and that his level of authorized access included permission to obtain the specific data in question. The court, in reaching its conclusion, recognized a split in the circuits as to the interpretation of this aspect of the CFAA. Nevertheless, the court rejected the plaintiff’s argument, based upon the Seventh Circuit opinion in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir 2006), that an employee exceeds his authorized access when he obtains company information for an allegedly improper purpose.


Leave a comment

The sexiest man alive takes a casual view of his medical privacy rights

HIPAA privacy issues rarely make headlines, but when a New Jersey hospital recently suspended 27 employees for violation of HIPAA patient confidentiality requirements, the story received widespread press attention. Not because news outlets care that much about New Jersey hospitals, or suspended employees, or HIPAA, for that matter but because the patient whose privacy was compromised was actor George Clooney. Following a motorcycle accident, Clooney and his companion were treated at the hospital, and the 27 suspended employees allegedly took a look at his medical records, without any reason to do so.

The genesis of the news reports appears to be this story by a local CBS News affiliate, which relates that the suspended employees include doctors and nurses, and that the hospital is further investigating whether any of the suspended employees revealed Clooney’s medical information to the media. The story further relates that Clooney issued a statement questioning the wisdom of the hospital’s response: "…while I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers."

In fact, reports of employees disciplined for HIPAA violations are pretty rare, either in the press or in judicial decisions. That doesn’t mean that such incidents don’t occur. But it does suggest that when discipline for a HIPAA violation is meted out, the sanction may be less than what would trigger a corresponding appeal or complaint by the employee. And certaintly likely to be less than the suspensions related in the Clooney matter. Perhaps blog readers would like to respond with their experience regarding the incidence and severity of employee discipline for HIPAA violations. And regarding HIPAA violations that don’t involve patients whose livelihood depends on the attention of the public.

Perhaps it is not surprising that Clooney has thus far taken a rather relaxed attitude about the incident. Unlike most Hollywood stars, Clooney earlier this year freely admitted to undergoing plastic surgery. Clooney’s response when he was asked about the surgery: "I had my eyes done. Can you tell? I think it’s important to look awake."