Employees have no reasonable expectation of privacy for materials viewed or stored on employer-owned computers or servers

November 24th, 2011  |  Ron Miller

Apparently, it bears repeating that employees have no reasonable expectation of privacy in materials they consider confidential if those items are viewed or stored on a company-owned computer or server. Recent court rulings have reiterated that employees have no privacy right to view sexually explicit photos on private email using an employer’s computer; there is no attorney-client privilege for e-mail sent from an employer’s computer or files created or received on a company laptop; and employees cannot maintain the confidentiality of privileged documents stored on an employer-owned computer.

While the impropriety of viewing sexually explicit material on company-owned computers may be an easy concept for even the average employee to grasp, even individuals who might otherwise be regarded as sophisticated have difficulty with the privacy concept as it relates to legal documents.

Sexually explicit photographs. An employee who was terminated for using his employer’s computer to show coworkers sexually explicit photographs of a female coworker could not prevail in his wrongful termination lawsuit alleging, among other claims, violation of a privacy right, ruled a federal district court in Ohio (Moore v Univ Hosps Cleveland Med Ctr, November 15, 2011, Gwin, J). The employee had no right to privacy when he used the employer’s computer, ruled the court in granting the employer’s motion for summary judgment.

After his romantic relationship with the coworker ended, the employee’s ex-girlfriend filed a criminal complaint of phone harassment against him. Apparently to retaliate, he showed two male coworkers sexually explicit photos of her on a computer in one of the employer’s hospital units. The woman’s complaints to management were substantiated by the male coworkers and the computer was identified. A search of the computer revealed that on the date in question, 23 photos had been viewed within a three-minute time span. Some of the photos contained the employee’s name in the file name and included sexually explicit images of women, including his ex-girlfriend. The employee admitted to using the computer to access his personal email account; that he had a folder in his account that contained sexually explicit pictures; and that the pictures on the hospital’s computer were identical to those in his folder. However, he denied sharing the photos with coworkers. Nonetheless, the hospital fired him.

Invasion of privacy. Because the employee claimed that the employer had “broken into” his email account, the court concluded that the only cause of action that might fit was intrusion of seclusion. In its decision in Sustin v Fee, the Ohio Supreme Court explained that for an intentional intrusion into another’s private affairs or concerns, “[t]he key language is that the affairs or concerns must be private to rise to be actionable as an invasion of privacy.”

In this instance, the employee failed to understand modern technology and how files are saved to computer hard drives. He did not understand that investigating his “illicit activity” did not involve the hospital accessing or hacking into his personal email account. Because the employee had accessed his personal email account on the hospital’s computer, the images he viewed were automatically stored on the computer’s hard drive.

The hospital’s code of conduct stated that there was no right to privacy for any employee who used the hospital’s computers to access personal email accounts, the Intranet, or the Internet. Furthermore, the hospital “‘reserve[d] the right to access, monitor and disclose the contents of Internet, email and voice mail messages or other communications made through [hospital] Communication systems, consistent with [hospital] policies.’”

In ruling for the employer, the court stated that there is no expectation of privacy when a hospital employee accesses “a hospital-owned computer sitting in the middle of a hospital floor within the easy view of both patients and other staff-members.”

Attorney-client privilege.  A California appeals court ruled that e-mails sent by an employee to her attorney on an employer’s computer were not “confidential communications between a client and lawyer,” for purposes of the state evidence code (Holmes v Petrovich Dev Co, January 13, 2011, Scotland, A). The appeals court explained that the employee used a computer belonging to her employer to send the e-mail, despite having been advised — and agreeing — that communications using electronic means were not private, might be monitored, and could only be used for business. Thus, the employee’s argument that her e-mail would be private was contrary to the employer’s firmly entrenched policy that employees had no right to privacy in information sent over company computers.

Similarly, an employer was granted a protective order declaring that emails and other allegedly privileged communications on an employee’s company-owned laptop were not subject to the attorney-client privilege where the employee relinquished the computer without asserting the privilege or taking any precautions to protect the privacy of the materials saved (Aventa Learning, Inc v K12, Inc, November 8, 2011, Robart, J). Despite a second employee’s attempt to protect the privacy of communications on his laptop prior to relinquishing it, the court determined that the attorney-client privilege did not attach to documents created and sent or received after he began his employment. Further, the court concluded that the employee waived the privilege with respect to documents created before his employment, but stored on the company laptop.

After the employees began their employment they were issued company laptop computers, and each transferred privileged attorney-client communications that had been created prior to their employment onto the computers. Moreover, both men continued to produce attorney-client privileged communications in the form of emails on these laptops during their employment.

Electronic communications policy. As part of its employee handbook, the employer had an electronic communications policy which provided that such communications were not private. The company regularly enforced this policy, and employee laptops had been reviewed and employees disciplined for violations. Following his termination, one of the employees returned his laptop, but made no claim with regard to any privileged documents until nearly 18 months later. The second employee initially refused to return his laptop because he asserted that he had saved years’ worth of privileged communications. Ultimately, he returned the laptop after the defendant agreed to a “review protocol” that would require it to sequester the asserted privileged material prior to reviewing the remainder of the laptop’s contents.

The employees had the burden of proving that the attorney-client privilege attached to the communications at issue, and that they did not waive the privilege with regard to materials that they saved on their company laptops.

Expectation of privacy. With respect to the first employee who returned his laptop without asserting privilege or taking any precautions to protect the privacy of materials he had saved, he no longer had any reasonable expectation of confidentiality with regard to those materials. Any privilege that may have existed was extinguished by his unconditional relinquishment of the laptop and could not be resurrected. Thus, the employee waived any privilege that may have been applicable and the waiver encompassed all of the materials placed or saved from any source on his company-owned laptop.

Even though the second employee took steps to preserve the privileged status of documents stored on his computer before he relinquished it back to the company, those efforts failed. Because the company’s electronic communications policy clearly stated that communications were not private, the employee could not have had a reasonable expectation of confidentiality with respect to communications created or received on his company laptop following the acquisition of his company. Thus, the court found that the attorney-client privilege never attached to communications created or stored on the laptop or company servers.

Moreover, the court held that the employee waived any privilege that may have previously attached to materials that were transferred to the company laptop. In evaluating whether the employee waived the attorney-client privilege, the court applied the four-factor test initially set forth in In re Asia Global. Although company policy did not place an outright ban on personal use of electronic resources, it warned that communications are not private. The company, in fact, monitored communications, and the policy expressly allowed the company to access information and to disclose it. Finally, the employee had both actual and constructive notice of the company’s policies. Because the employer met the Asia Global factors, the court concluded that the employee waived any privilege to any files or communications when he stored them on his company laptop.

Criminal matters. A former bank president who was being sued along with the bank for various claims, including fraud and conspiracy, could not rely on the attorney-client privilege to protect emails exchanged with his attorney, ruled a federal court in West Virginia, in ordering the bank to produce the communications (Hanson v First Nat’l Bank, October 31, 2011, VanDervort R). As a general matter, stated the court, when an employee emails his or her attorney from a workplace computer, the employee may be deemed to have impliedly waived the confidentiality afforded by the attorney-client privilege if the employer had a policy that eliminated any expectation of privacy.

A business owner sued the bank, as well as the former president in their individual capacities, alleging fraud and conspiracy, among other claims. The bank president had pled guilty in separate criminal proceedings. During discovery, the business owner sought to discover from the bank electronic communications pertaining to another co-conspirator in the criminal case. The business owner filed a motion to compel disclosure of emails exchanged between the president and his criminal attorney. The attorney objected to disclosure of the content of the emails based on the attorney-client privilege.

Waiver of privilege. Although the court observed that the former president’s email communications with his attorney passed the “classic test” for privilege because they were communications between an attorney and his client about matters that were the subject of the attorney’s representation, it found that the privilege was subject to waiver under the four-factor test of Asia Global.

Here, the bank had a policy concerning employees’ use of its computer system that provided that occasional personal use of company computers and electronic mail systems was permitted but that information would be treated no differently than other business-related information. The policy also provided that the bank maintained the right to enter any of the computers or electronic mail systems to inspect and review any and all data recorded on those systems, and that “employees should not assume that such messages are private and confidential.”

The court did not require evidence that the bank actually monitored employees’ use of the computer system, finding that the reservation of the right to do so was sufficient to conclude there was no reasonable expectation of privacy. It also put employees on notice that third parties, including bank representatives, might access their communications. Further, the president’s acknowledgement that he was aware of the bank’s monitoring policy satisfied the fourth factor. For these reasons, he waived the attorney-client privilege by using the bank’s computer system to communicate with his criminal attorney and the motion to compel was granted.

Protective order. In one final case, a discharged executive was denied his motion for a protective order that would compel his former employer to return privileged and confidential documents, such as emails with his attorneys, that the employer acquired after it suspended and terminated him and then seized his work computer (Pacific Coast Steel v Leany, September 29, 2011, Leen, P). A federal magistrate judge in Nevada ruled the former executive had waived the privilege by making no effort to protect the documents after they were initially acquired by the employer in an acquisition of his company, or at any time thereafter. Thus, the magistrate refused to compel the employer to return the executive’s emails and other electronic documents, or to bar his former employer from using those documents in its fraud action against him.

The employee began working for the employer, as an executive vice president, after it acquired his business pursuant to an asset purchase agreement (APA). He was given his own private office and used the same computer he had been using before the acquisition. After the employee was terminated, the employer confiscated his computer and uncovered the documents at issue which, the employer alleged, showed that the former executive misappropriated company funds.

Here, the executive claimed that certain privileged communications on his work computer involved his personal property and assets, including tax records. He also asserted that he had sent and received emails from his attorneys, his accountants, his wife, and members of his church congregation. Further, he alleged that, when he was terminated, he was not given an opportunity to remove the confidential and privileged information from his computer emails or from his office. Consequently, he sought a protective order prohibiting the employer from inquiring into matters that involved privileged and confidential documents that it obtained when it seized his computer. The executive also sought an order requiring the employer to return any documents that were privileged and confidential, and precluding the employer from using those documents in this litigation.

Reasonable expectation of privacy. The magistrate denied the motion, finding that the executive simply could not have a reasonable expectation of privacy in the emails that he failed to remove, or otherwise protect from disclosure, after the acquisition of his company’s assets by the employer. The court noted that the executive did not attempt to segregate or password-protect any of the communications. The emails in question were migrated to the company’s server and were not maintained solely on the executive’s office PC.

Again, the employer had a stringent, written corporate policy allowing the company to monitor the use of its employees’ computers or emails — a policy that the executive in fact was involved in implementing, and that had been adopted from a policy that was in place at the time of the acquisition. Because the executive failed to take reasonable steps to preserve the confidentiality of the allegedly privileged matter, the court denied his motion for a protective order and for the return of the privileged documents. The magistrate found the executive had waived any expectation of privacy and privilege he might otherwise have had.