Memo
To: Tom
From: Karen
Date: 11/5/2014
Re: Employee Expectation of Privacy in Personal Emails
Summary: An employee’s expectation of privacy in personal emails sent from or stored in her workplace computer depends upon the employer’s written and verbal policies regarding whether an employee is permitted to engage in personal activity on a work computer and employer-inspection of such work computers. The inquiry is fact-sensitive and depends upon whether the employee was put on notice of these policies. However, it appears that an employee has a much greater expectation of privacy in personal emails if those emails are not actually downloaded to the work computer.
It is difficult to find many cases involving requests for personal emails during discovery. Thus, most of the cases cited below involve situations where the employer actually searched the employee’s computer. However, it seems to me that the same principles apply. If an employee is permitted to search the employee’s computer for personal e-mails, then those could similarly be compelled in discovery.
In general, it seems that an employee has a strong expectation of privacy in her personal (not employer-provided email account), even if she checks her email from work, at least as long as particular e-mails are not actually sent from or downloaded to the work computer. If the e-mails are actually sent from or downloaded to the work computer, the more in depth analysis regarding company policy and the employee’s notice of company policy will come into play.
Employees are advised to avoid using their work computers for personal email, including their personal (non work) email accounts, especially if their companies have polices against personal use or policies that allow employers to inspect work computers. These policies may be either verbal or written and may appear in a variety of places, such as Employee Handbooks and on their computer screen when they first turn on their computer. While it is unlikely that a Court would hold that a client waived attorney client privilege by sending an email from a personal account on a work computer, it is possible and probably better for clients to avoid emailing us (their attorneys) from work. On the other hand, if opposing counsel seeks personal emails, especially personal emails from the employee’s personal email account, I think we would have a good argument that they are not entitled to those emails based upon general principles of expectations of privacy, state tort law, and/or the Stored Communications Act.
Detailed Analysis:
- Government Employers and Physical Files and Desks
The seminal Supreme Court case regarding an employee’s expectation of privacy in the workplace is O’Connor v. Ortega, 480 U.S. 709 (1987). Ortega involved a state hospital whose personnel searched an employee’s desk and file cabinets without his knowledge or consent. Because there was state action involved, the employee filed a lawsuit under 42 U.S.C. § 1983 alleging violations of his Fourth Amendment rights. The Court held that an employee’s expectation of privacy in his office, desk and files “may be reduced by virtue of actual office practices and procedures, or by legitimate regulation.” Id. at 717. Further, “in light of the variety of work environments, whether the employee has a reasonable expectation of privacy must be decided on a case-by-case basis.” In re Asian Global Crossing, Ltd., 322 B.R. 247, 257 (U.S.B.C. S.D.N.Y. 2005) (citing Ortega, 480 U.S. at 718). Ultimately, the Ortega Court held that the particular employee had a reasonable expectation of privacy in his desk and file cabinets, because he did not share them with other employees, he had been keeping personal items in them for over seventeen years, and there was no evidence that the employer had established any reasonable regulation or policy discouraging employers from keeping personal papers or effects in their desks or file cabinets. 480 U.S. at 719.
- Private and Public Employers and Computer Files and Email
Courts have applied the same basic standard in cases involving both private and public employers searching employees’ computer files and emails. In In re Asia Global Crossing, Ltd., the court set forth a four-factor test regarding the “reasonable expectation of privacy” determination in the context of email transmitted over and maintained on a company server:
(1) does the corporation maintain a policy banning personal or other objectionable use,
(2) does the company monitor the use of the employee’s computer or e-mail,
(3) do third parties have a right of access to the computer or e-mails, and
(4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
This four-part test has since been widely adopted in cases involving both public and private employers.
- Public Employers and Fourth Amendment
In cases involving the government as employer, the analysis is under the Fourth Amendment. See, e.g., United States v. Simons, 206 F.3d 392, 398 & n. 8 (4th Cir.2000)(employee had no reasonable expectation of privacy in office computer and downloaded Internet files (including pornographic images) where employer had a policy allowing it to audit, inspect, and monitor employees’ Internet usage, including “all e-mail messages”). In Leventhal v. Knapek, 266 F.3d 64, 73–74 (2d Cir.2001), the Court applied the Asian Global Crossing factors and concluded that a state agency employee had a reasonable expectation of privacy in personal computer files stored on his work computer, where the agency (1) had no policy regarding the confidentiality of personal email or other electronically stored information maintained on agency computers; (2) “did not prohibit the mere storage of personal materials in [agency] computer[s]”; (3) did not have a “general practice of routinely conducting searches of office computers”; and (4) had not “placed [the employee] on notice that he should have no expectation of privacy in the contents of his office computer”); see also Haynes v. Office of the Attorney General, 298 F.Supp.2d 1154, 1161–62 (D.Kan.2003)(granting preliminary injunction based upon finding that employee had reasonable expectation of privacy in private computer files and personal email, despite computer screen warning that there shall be no expectation of privacy in using employer’s computer system, where employees were allowed to use computers for private communications, were advised that unauthorized access to user’s e-mail was prohibited, employees were given passwords to prevent access by others and no evidence was offered to show that the employer ever monitored private files or employee e-mails)
- Private Employers and State Law Tort Claims
In cases involving private employers, courts have sometimes based their analysis on a state law invasion of privacy claim (specifically, intrusion upon seclusion). See, e.g., Thygeson v. U.S. Bancorp, No. CV–03–467, 2004 WL 2066746, at *20 (D.Or. Sept. 15, 2004). A common law intrusion upon seclusion claim generally requires the plaintiff to prove “(1) an intentional intrusion, physical or otherwise, (2) upon the plaintiff’s solitude or seclusion or private affairs or concerns, (3) which would be highly offensive to a reasonable person.” Id. (dismissing state law invasion of privacy claim based upon the third factor, because no reasonable expectation of privacy in computer files and e-mail where employee handbook explicitly warned of employer’s right to monitor files and e-mail). In Thygeson, the employer accessed the website addresses that the employee visited, including his personal e-mail account, but not the actual content of the employee’s e-mails. The Court found that given that the Employee Handbook specifically warned employees that they were not to use their work computer for personal use and that the employer accessed only the addresses and not the content, the employer’s behavior was not “highly offensive to the reasonable person” as required by the tort.
The Thygeson Court specifically distinguished Fischer v. Mt. Olive Lutheran Church, 207 F. Supp.2d 914 (W.D.Wis.2002), on the basis that the employer in that case actually accessed the content of the employees’ personal emails on his personal Hotmail account that he had used while at the work. In Fischer, the Court held that it was a question of fact whether the employee had a reasonable expectation of privacy in the content of his personal emails. However, in Fischer, there was no discussion of employer-policies prohibiting personal e-mail use at work or regarding computer inspection.
In Miller v. Blattner, 676 F.Supp.2d 485, 497 (E.D.La.2009), the Court held that a plaintiff had no expectation of privacy in his personal emails where the company had an express policy providing that all emails, personal or professional, that were contained on company computers were the property of the company.
- Private Employers and The Stored Communications Act
In some cases involving private employers (including Fischer), courts have analyzed whether employer access to employee computer files and emails violates The Stored Communications Act, 18 U.S.C. § 2701, et seq. See Fischer, 207 F. Supp.2d at 924 (denying employer’s Summary Judgment as to claim under Stored Communications Act where employer accessed employee’s Hotmail Account, that he had accessed at work, after guessing at his password); Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (see summary below).
The Stored Communications Act is a part of the Wiretap Act and it is a violation for anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system” violates the act. 18 U.S.C. § 2701(a). “Electronic storage” is defined as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication …18 U.S.C. §§ 2510(17) and 2711(1). Thus, this Act has been interpreted to prohibit employers from accessing the personal e-mail accounts of employees, even though such employees have accessed their email while at work, provided such emails are not saved to the hard drives of the employee’s employer-provided computer.1
1 Note, the Electronic Communications Privacy Act, also part of the Wiretap Act and sometimes called “the Wiretap Act”, does not apply. This Act prohibits the intentional “interception” of wire, oral or electronic communications. 18 U.S.C. § 2511(1)(a), (c). Thus, if there is no actual interception of an email, this Act does not apply.
In Pure Power Boot Camp, the Court held that an employer violated The Stored Communications Act when it accessed the employee’s personal email account by using a password that automatically populated on the work computer. Although the employee conceded that he read his personal e-mail from his work computer, he denied that he had sent e-mails from the work computer. The Court held that the employer violated the Act, because the employer offered no evidence to show that the particular e-mails accessed were actually sent from the work computer or that the e-mails were stored on the work computer. This was the case, even though the employer had a policy prohibiting Internet access for “shopping or for conducting other transactions or personal business matters” while at work. See also Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (4th Cir. 2009) (plaintiff-employee had claims under Stored Communications Act, where employer accessed his private email account without permission, even though she sometimes used the private email account for work-related communications).
It appears that if an employee’s e-mail is stored by an “electronic communication service,” like Google, Hotmail, or another provider of personal e-mail services, but not actually saved to or stored on the employee’s employer-provided computer or network, the employee generally has an expectation of privacy in such e-mail. If, however, the employee’s email is stored on the work computer or the employee uses the employer’s e-mail system, and the employee has notice that he is either not permitted to engage in personal e-mail use or that the contents of his computer could be inspected by the employer, there is no expectation of privacy. See, e.g., United States v. Etkin, 2008 WL 482281, at *4 (“employees do not have a reasonable expectation of privacy in the contents of their work computers when their employers communicate to them via a flash-screen warning a policy under which the employer may monitor or inspect the computers at any time” (citations omitted)); Haynes v. Attorney General of Kansas, No. 03-CV-4209, 2005 WL 2704956 (D.Kan.2005) (employee did not have a reasonable expectation of privacy in the contents of work computer when employer communicated via a flash-screen warning a policy under which the employer may monitor or inspect the computers at any time)
- Personal E-mail Request on a Motion to Compel
I actually had some trouble finding helpful cases that dealt with a discovery motion/motion to compel personal e-mail by an employer. The following case, albeit unpublished, however, is helpful:
In Sims v. Lakeside School, No. C06–1412(RSM), 2007 WL 2745367, *1 (W.D.Wash. Sept. 20, 2007), a school employee opposed the employer’s motion to compel an examination of the hard drive of the employee’s employer-provided laptop. The employer had a policy, of which the employee was aware, that the employer could inspect the laptops provided to employees. Thus, the Court held that the school was permitted to examine the hard drive of the laptop, including the contents of the employee’s work email, but that the employer could not examine the employee’s “web-based e-mails” (i.e., personal email account) or other material protected by attorney-client privilege or marital privilege.
- Privacy and Attorney Client Privilege
Sometimes the question is whether the employee waived the attorney client privilege by emailing her attorney from work. In In re Asia Global Crossing, for example, the Court held that the fact that an individual emails with an attorney on a work email
system does not automatically waive the attorney client privilege. The court recognized, though, an employee could waive the attorney client privilege if the employee communicates with an attorney on a work email account knowing that there are company policies that prohibit personal communication on such accounts or that limit the privacy of such accounts.