The New Jersey Supreme Court has a long history of affording New Jersey citizens broader privacy protection rights than those offered by the federal government.  For example, the New Jersey Supreme Court has held that citizens have a reasonable expectation of privacy in their bank account records, in their garbage, and in the personal information linked to their IP addresses. Thus, when the question of whether an employee who uses a company computer to access e-mail communications between her and her attorney maintains the confidentiality of those communications, it was no surprise that the Court held that the act of an employee who accesses her attorney-client communications via a company laptop does not destroy the privilege.

In Stengart v. Loving Care Agency, Inc., the Court held that an employee could “reasonably expect that e-mail communications with her attorney through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them.”  The Court also held that the company’s attorneys violated an ethics rule by reading the “arguably privileged” e-mails and by failing to alert the employee that they had them.  But the Court did unleash at least one surprise by announcing that even a seemingly bulletproof company policy on workplace computer use that claims the employer could read an employee’s attorney-client communications would not be enforceable if the employee accessed the communication through a personal, password-protected e-mail account.

Ever quickly peek at your web-based personal e-mail account while still at the office?  Yeah, many of us do, too; and we’d be willing to bet a ham sandwich that certain Justices on the New Jersey Supreme Court probably do, as well.  Peeking at her personal e-mail account while still at work is how plaintiff Marina Stengart ended up in front of those same Justices last winter.  After deciding to sue her employer on various employment discrimination charges, Stengart used a company-issued laptop to communicate with her attorney via her personal, password-protected Yahoo e-mail website.  At the time, Stengart had no idea that the laptop was automatically saving copies of each page that she viewed, to a temporary internet file cache folder on the laptop’s hard drive.  After Stengart quit and turned in the laptop, Loving Care forensically imaged the hard drive and discovered images of the e-mails Stengart exchanged with her attorney.  Believing that Stengart had waived any privilege claims, Loving Care’s attorneys cited one of the e-mails in an interrogatory answer.  That belief was supported, initially, by the trial judge who found that Stengart waived the privilege; but the trial court decision was reversed on appeal to the Appellate Division.

On challenge to New Jersey’s highest court, Loving Care argued that the attorney-client privilege did not attach to the e-mails because its company policy regarding computer and internet use at the workplace removed any expectation of privacy that Stengart may have had; and that she waived the privilege because she accessed her e-mail via the company’s computer and server.  The Court disagreed.  After first deeming Loving Care’s Policy “not clear” and as creating “ambiguity about whether personal e-mail use is company or private property,” the Court evaluated case law from other jurisdictions, giving particular attention to (and ultimately following) a Massachusetts case with nearly identical facts.

The Court considered factors by which an employee could be found to have a lesser expectation of privacy in attorney communications.  First, the court distinguished between the use of a company e-mail system as compared to a personal, web-based e-mail account (such as Yahoo or Gmail.)  E-mails transmitted via an employer’s e-mail account might be subject to less privacy than those sent via a personal web-based account.  Second, the Court noted that the physical location of the company’s computer might make a difference in the analysis, suggesting that an employee who works from a home office may be entitled to greater privacy than an employee whose communication is made via the company’s servers.  Third, the Court recognized that other jurisdictions have held that the existence of a clear company policy that prohibits personal computer use may diminish an employee’s expectation of privacy; but, as explained below, the New Jersey Court refused to consider the sufficiency of a company policy as a determination of whether the employer can pierce the attorney-client privilege.

In holding that Stengart’s e-mails were protected by the attorney-client privilege because she could reasonably expect them to remain private, the Court cited three reasons.  First, the Court noted that Stengart had both a subjective and an objectively reasonable expectation of privacy in the e-mails – she had used a password-protected account to access the messages and had not given her password to anyone at Loving Care.  The Court also noted that Stengart had not used the computer to conduct illegal activities.  Third, the Court seemed impressed that the e-mails contained the boilerplate language warning the reader that the information was only intended for the designated recipient and contained privileged attorney-client communications.  But, as mentioned above, the effectiveness of Loving Care’s “Electronic Communications Policy” on workplace computer use was not dispositive.

The Court determined that the Policy was ambiguous, lacked clarity, and failed to warn employees that even web-based e-mails could be forensically retrieved.  But, as the Court stated, even if the Policy were perfectly drafted, it would not be enough to pierce the attorney-client privilege:

[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.  . . . [E]ven a more clearly written company manual—that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected e-mail account using the company’s computer system—would not be enforceable.

Declining to rely on other states’ case law holding that a clear company policy banning personal e-mails could diminish an employee’s expectation of privacy in attorney-client communications, the Court added that a “zero-tolerance policy can be unworkable and unwelcome in today’s dynamic and mobile workforce and [we] do not seek to encourage that approach in any way.”

What about Loving Care’s attorneys?  Should they have immediately returned the e-mails (which were plastered with the standard “CONFIDENTIAL . . . Attorney-Client communication” language)?  The Court thought so, and ruled that Loving Care’s attorneys violated professional ethics rules by “not setting aside the arguably privileged messages once it realized they were attorney-client communications, and failing either to notify its adversary or seek court permission before reading further.”  Noting the absence of an appearance of bad faith, the Court reiterated that the attorneys “should have promptly notified opposing counsel when it discovered the nature of the e-mails.”

e-Lesson Learned: Attorney-client communications made via personal, password-protected web-based email accounts are still privileged, even if accessed via a company-supplied computer – at least in New Jersey!