Last week, in what appears to be the first instance in which a state supreme court has addressed the issue, the Supreme Court of New Jersey unanimously ruled that the attorney-client privilege applies to email communications between an employee and her personal attorney even when she e-mails her attorney with a personal, password-protected Yahoo e-mail account accessed through a company-provided laptop. This decision should be read carefully when conducting forensic investigations or reviews into company IT systems.
Stengart v. Loving Care Agency, Inc. was an employment discrimination action brought by Stengart, a former employee of Loving Care, a home nursing and health services company. In preparation for discovery, Loving Care’s attorneys conducted forensic analysis of a company-supplied laptop Stengart used in the course of her employment and retrieved several e-mails exchanges between Stengart and her personal attorney, which Stengart had accessed via her private Yahoo e-mail account. When he learned of the e-mails’ retrieval, Stengart’s attorney claimed that they were privileged and demanded that all copies be returned. Loving Care’s attorneys provided copies, but denied that any privilege applied and further reserved their right to use the e-mails. This prompted a motion to compel their return and to disqualify Loving Care’s attorneys. Both motions failed at the trial level based upon the trial judge’s finding that, by sending the e-mails using Loving Care’s computer, Stengart waived the privilege because Loving Care’s computer use policy allowed the company to review, access and disclose all matters on its "media systems."
Holding that the trial court had gotten it wrong, the New Jersey Supreme Court held that Stengart had a reasonable expectation of privacy in the e-mails because (1) Loving Care’s policy provided inadequate notice that personal, password-protected e-mails would be reviewed or were subject being forensically retrieved and (2) our system of justice places a special importance upon preserving the confidentiality of attorney-client communications.
According to the Court, Loving Care’s policy was inadequate to defeat the privilege because: (1) it used general, undefined terms such as "media systems and services" and "the e-mail system;" (2) it did not address personal e-mail accounts at all; (3) it contained a disclaimer that employees should not consider personal e-mails private, but also stated that "occasional" personal use was permitted; and (4) it failed to warn employees that the contents of their personal e-mails would be stored in temporary internet files on their company laptops and could be later retrieved. The Court held that these factors created ambiguity as to whether the policy covered personal, password-protected e-mails.
It also found that Stengart took steps to protect her privacy by using the personal, password-protected account and never having stored her Yahoo password on the company laptop. These actions, combined with the policy’s ambiguity and the attorney-client nature of the e-mails made her expectation of privacy reasonable.
Perhaps in response to arguments made by the Employers Association of New Jersey in amicus briefing, the Court took pains to assuage fears that its ruling would undermine employers’ ability to protect corporate assets by focusing its ruling not on Loving Care’s retrieval of the e-mails, but on the fact that it read the content of the e-mails. Companies can protect their assets, reputation and productivity by enforcing well-written and even strict computer use policies through employee discipline, up to and including termination, but the Court held that "employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy." Indeed, in light of this lack of justification, the Court stated, in dicta, that an employer would not be entitled to read the contents of such e-mails even if its policy banned all personal computer use and explicitly reserved its right to retrieve and read such e-mails.
It remains to be seen whether other states will follow New Jersey’s lead on this question and whether courts will use the Loving Care analysis to privacy protections applicable to personal, password-protected e-mails at work to and from others such as medical providers or spouses. However, in order to best address the Court’s concerns, companies may find it useful to make sure their policies explicitly warn employees that they have no expectation of privacy when using company computers and that the company can access, monitor, read and forensically retrieve any information employees access, view and transmit using company computers, including e-mails sent using personal, password-protected e-mail accounts.
 Stengart’s expectation of privacy was also deemed subjectively reasonable because she claimed to be unsophisticated in the use of computers and that she did not know Loving Care could read e-mails sent with her Yahoo account.
 Noting that no bad faith was involved, the Court nevertheless went on to hold that Loving Care’s attorneys had violated Rule 4.4 of New Jersey’s Rules of Professional Conduct by not disclosing the e-mails existence to Stengart’s counsel before reading them. The Court remanded the matter to the trial court to determine whether disqualification or other sanctions were appropriate.