On appeal from the Superior Court, Appellate Division, whose opinion is reported at 408 N.J. Super. 54 (2009).
(This syllabus is not part of the opinion of the Court. It has been prepared by the Office of the Clerk for the convenience of the reader. It has been neither reviewed nor approved by the Supreme Court. Please note that, in the interests of brevity, portions of any opinion may not have been summarized).
This case presents novel questions about the extent to which an employee can expect privacy and confidentiality in e-mails with her attorney, which she sent and received through her personal, password-protected, web-based e-mail account using an employer-issued computer.
This appeal arises out of anemployment discrimination lawsuit that plaintiff Marina Stengart filed against her former employer, defendant Loving Care Agency, Inc. Stengart had been provided a laptop computer to conduct company business. From the laptop, she could send e-mails using her company e-mail account; she could also access the Internet through Loving Care's server. Unbeknownst to Stengart, browser software automatically saved a copy of each web page she viewed on the computer's hard drive in a "cache" folder of temporary Internet files. In December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop. Not long after, Stengart left her employment with Loving Care and returned the laptop. In February 2008, she filed the pending complaint.
In anticipation of discovery, Loving Care hired experts to create a forensic image of the laptop's hard drive, including temporary Internet files. Those files contained the contents of seven oreight e-mails Stengart had exchanged with her lawyer via her Yahoo account. At the bottom of the e-mails sent by Stengart's lawyer, a legend warns readers that the information "is intended only for the personal and confidential use of the designated recipient" of the e-mail, which may be a "privileged and confidential" attorney-client communication.
Attorneys from the law firm (the "Firm") representing Loving Care reviewed the e-mails and used the information in discovery. Stengart's lawyer demanded that the e-mails be identified and returned. The Firm disclosed the e-mails but argued that Stengart had no reasonable expectation of privacy in files on a company-owned computer in light of the company's policy on electronic communications (Policy). The Policy states that Loving Care may review, access, and disclose "all matters on the company's media systems and services at any time." It also states that e-mails, Internet communications and computer files are the company's business records and "are not to be considered private or personal" to employees. It goes on to state that "occasional personal use is permitted." The Policy specifically prohibits "certain uses of the e-mail system," such as discriminatory or harassing messages.
Stengart's attorney requested the return of the e-mails and disqualification ofthe Firm. The trial court denied the application, concluding that in light of the Policy, Stengart waived the attorney-client privilege by sending e-mails on a company computer. The Appellate Division reversed, finding that the e-mails were protected by the attorney-client privilege and that, given the Policy's language, an employee could "retain an expectation of privacy" in personal e-mails sent on a company computer. Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009). The panel also found that Loving Care's counsel had violated RPC 4.4(b) by failing to alert Stengart's attorneys that it possessed the privileged e-mails before reading them. The panel remanded for a hearing to determine whether disqualification of the Firm or some other sanction was appropriate. The Court granted Loving Care's motion for leave to appeal and ordered a stay pending the outcome of this appeal. 200 N.J. 204 (2009).
HELD: Under the circumstances, Stengartcould reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. By reading e-mails that were at least arguably privileged and failing to promptly notify Stengart about them, Loving Care's counsel violated RPC 4.4(b).
1. To determine the reasonableness of Stengart's expectation of privacy, the Court first examines the meaning and scope of the Policy. It does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that Loving Care may review matters on "the company's media systems and services," those terms are not defined. The prohibition of certain uses of "the e-mail system" appears to refer to company e-mail accounts, not personal accounts. The Policy does not warn employees that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. It also creates ambiguity by declaring that e-mails "are not to be considered private or personal," while also permitting "occasional personal use" of e-mail. (pp. 12-14)
2. The attorney-client privilege encourages free and full disclosure of information from the client to the attorney. To be protected, a communication must initially be expressed by a client in connection with receiving legal advice, with the expectation that its contents remain confidential. The e-mails between Stengart and her lawyer contain a standard warning that their contents are personal and confidential and may constitute attorney-client communications. The subject matter of those messages appears to relate to Stengart's anticipated lawsuit against Loving Care. (pp. 14-15)
3. In this case, the source of the reasonable-expectation-of-privacy standard is the common law tort of "intrusion on seclusion." Under the Restatement (Second) of Torts, a person who "intentionally intrudes" upon the "seclusion of another or his private affairs" is liable for invasion of privacy "if the intrusion would be highly offensive to a reasonable person." Reasonableness has both subjective and objective components. Whether an employee has a reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis. (pp. 15-17)
4. No reported New Jersey decision offers direct guidance for this case. A Massachusetts decision, National Economic Research Associates v. Evans, is most analogous to the facts here. In Evans, an employee used a company laptop to communicate with his attorney through his personal, password-protected Yahoo account. The e-mails were automatically stored in a temporary Internet file on the laptop's hard drive and were later retrieved by a forensic expert. A company manual permitted personal use of e-mail, to "be kept to a minimum," but warned that computer resources were the "property of the Company" and that e-mails were "not confidential" and could be read "during routine checks." The court denied the company's request to use the e-mails. The court reasoned that, while the manual warned that e-mails sent on the network could be read, it did not expressly state that the company would monitor the content of e-mail communications made from an employee's personal e-mail account when they were viewed on a company-issued computer. Also, the company did not warn employees that the content of such e-mails is stored on the hard drive and capable of being read by the company. The court found that the employee had a reasonable expectation of privacy in e-mails with his attorney. (pp. 17-19)
5. In In re Asia Global Crossing, Ltd., a federal bankruptcy court considered whether a trustee could force the production of e-mails sent by company employees to their personal attorneys on the company's e-mail system. The court developed a four-part test to measure an employee's expectation of privacy in his e-mail: (1) does company policy ban personal or other use, (2) does the company monitor the use of the employee's e-mail, (3) do third parties have a right of access to the e-mails, and (4) did the company notify the employee, or was the employee aware, of the use and monitoring policies? Because the evidence was "equivocal" about the existence of a corporate policy banning personal use of e-mail and allowing monitoring, the court could not conclude that the employees' use of the company e-mail system eliminated any applicable attorney-client privilege. In applying the Asia Global factors, the fact-specific nature of the inquiry affects the outcome. According to some courts, employees have a lesser expectation of privacy when they communicate with an attorney using a company e-mail account as compared to a personal, web-based account. Some courts have found that the existence of a clear policy banning personal e-mails can diminish the reasonableness of a claim to privacy in e-mail messages with the employee's attorney. (pp. 20-23)
6. Under all of the circumstances, Stengart could reasonably expect that e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, accessed on a company laptop, would remain private. By using a personal e-mail account and not saving the password, Stengart had a subjective expectation of privacy. Her expectation was also objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communications. (p.23-25)
7. In concluding that the attorney-client privilege protects the e-mails, the Court rejects the claim that the attorney-client privilege either did not attach or was waived. The Policy did not give Stengart, or a reasonable person in her position, cause to anticipate that Loving Care would be watching over her shoulder as she opened e-mails from her lawyer on her personal, password-protected Yahoo account. Similarly, Stengart did not waive the privilege under N.J.R.E. 530. She took reasonable steps to keep the messages confidential and did not know that Loving Care could read communications sent on her Yahoo account. (pp. 25-27)
8. Employers can adopt and enforce lawful policies relating to computer use to protect the assets and productivity of a business, but they have no basis to read the contents of personal, privileged, attorney-client communications. A policy that provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password-protected e-mail account using the company's computer system, would not be enforceable. (pp. 28-29)
9. The Firm's review and use of the privileged e-mails violated RPC 4.4(b). That Rule provides that a "lawyer who receives a document," which includes an e-mail, and who "has reasonable cause to believe that the document was inadvertently sent shall not read the document or, if he or she has begun to do so, shall stop reading the document" and promptly notify and return the document to the sender. Stengart did not leave the e-mails behind; the Firm retained a forensic expert to retrieve e-mails that were automatically saved on the hard drive. To be clear, the Firm did not maliciously seek out attorney-client documents or rummage through personal files. The record does not suggest any bad faith in the way the Firm interpreted the Policy. Instead, while legitimately attempting to preserve evidence, the Firm erred in not setting aside arguably privileged messages once it realized they were attorney-client communications, and failing to notify its adversary or seek court permission before reading further. (pp. 29 -30)
10. The matter is remanded to the trial court to decide whether disqualification of the Firm, screening of attorneys, the imposition of costs, or some other remedy is appropriate. In so doing, the court should evaluate the seriousness of the breach in light of the nature of the e-mails, the manner in which they were reviewed and used, and other considerations noted by the Appellate Division. The court should also weigh the need to maintain the highest standards of the profession against a client's right to freely choose his counsel. (pp. 30-32)
The judgment of the Appellate Division is AFFIRMED AS MODIFIED and the matter is REMANDED to the trial court to determine what, if any, sanctions should be imposed on counsel for Loving Care.
JUSTICES LONG, LaVECCHIA, ALBIN, WALLACE, RIVERA-SOTO and HOENS join in CHIEF JUSTICE RABNER's opinion.
The opinion of the court was delivered by: Chief Justice Rabner
In the past twenty years, businesses and private citizens alike have embraced the use of computers, electronic communication devices, the Internet, and e-mail. As those and other forms of technology evolve, the line separating business from personal activities can easily blur.
In the modern workplace, for example, occasional, personal use of the Internet is commonplace. Yet that simple act can raise complex issues about an employer's monitoring of the workplace and an employee's reasonable expectation of privacy.
This case presents novel questions about the extent to which an employee can expect privacy and confidentiality in personal e-mails with her attorney, which she accessed on a computer belonging to her employer. Marina Stengart used her company-issued laptop to exchange e-mails with her lawyer through her personal, password-protected, web-based e-mail account. She later filed an employment discrimination lawsuit against her employer, Loving Care Agency, Inc. (Loving Care), and others.
In anticipation of discovery, Loving Care hired a computer forensic expert to recover all files stored on the laptop including the e-mails, which had been automatically saved on the hard drive. Loving Care's attorneys reviewed the e-mails and used information culled from them in the course of discovery. In response, Stengart's lawyer demanded that communications between him and Stengart, which he considered privileged, be identified and returned. Opposing counsel disclosed the documents but maintained that the company had the right to review them. Stengart then sought relief in court.
The trial court ruled that, in light of the company's written policy on electronic communications, Stengart waived the attorney-client privilege by sending e-mails on a company computer. The Appellate Division reversed and found that Loving Care's counsel had violated RPC 4.4(b) by reading and using the privileged documents.
We hold that, under the circumstances, Stengart could reasonably expect that e-mail communications with her lawyer through her personal account would remain private, and that sending and receiving them via a company laptop did not eliminate the attorney-client privilege that protected them. By reading e-mails that were at least arguably privileged and failing to notify Stengart promptly about them, Loving Care's counsel breached RPC 4.4(b). We therefore modify and affirm the judgment of the Appellate Division and remand to the trial court to determine what, if any, sanctions should be imposed on counsel for Loving Care.
This appeal arises out of a lawsuit that plaintiff-respondent Marina Stengart filed against her former employer, defendant-appellant Loving Care, its owner, and certain board members and officers of the company. She alleges, among other things, constructive discharge because of a hostile work environment, retaliation, and harassment based on gender, religion, and national origin, in violation of the New Jersey Law Against Discrimination, N.J.S.A. 10:5-1 to -49. Loving Care denies the allegations and suggests they are an attempt to escape certain restrictive covenants that are the subject of a separate lawsuit.
Loving Care provides home-care nursing and health services. Stengart began working for Loving Care in 1994 and, over time, was promoted to Executive Director of Nursing. The company provided her with a laptop computer to conduct company business. From that laptop, Stengart could send e-mails using her company e-mail address; she could also access the Internet and visit websites through Loving Care's server. Unbeknownst to Stengart, certain browser software in place automatically made a copy of each web page she viewed, which was then saved on the computer's hard drive in a "cache" folder of temporary Internet files. Unless deleted and overwritten with new data, those temporary Internet files remained on the hard drive.
On several days in December 2007, Stengart used her laptop to access a personal, password-protected e-mail account on Yahoo's website, through which she communicated with her attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop.
Not long after, Stengart left her employment with Loving Care and returned the laptop. On February 7, 2008, she filed the pending complaint.
In an effort to preserve electronic evidence for discovery, in or around April 2008, Loving Care hired experts to create a forensic image of the laptop's hard drive. Among the items retrieved were temporary Internet files containing the contents of seven or eight e-mails Stengart had exchanged with her lawyer via her Yahoo account.*fn1 Stengart's lawyers represented at oral argument that one e-mail was simply a communication he sent to her, to which she did not respond.
A legend appears at the bottom of the e-mails that Stengart's lawyer sent. It warns readers that
THE INFORMATION CONTAINED IN THIS EMAIL COMMUNICATION IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE ...