September 01, 2011

iWitness: The Challenge of Electronic Communications: Privilege, Privacy, and Other Myths

John M. Barkett

Download a printable PDF of this article (membership required).

Lawyers beware. When attorney-client communications occur by email from home or work, the attorney-client privilege can easily be lost.

Holmes v. Petrovich Dev. Co., LLC, 191 Cal. App. 4th 1047 (Cal. Ct. App. 3d Dist. Jan. 13, 2011), raised the question of whether emails sent to counsel by an employee using her employer’s computer were privileged in the following circumstances: The employee had been told that company computers were to be used only for company business; employees were prohibited from using them to send or receive personal email; the company would monitor compliance with its computer usage policy and might inspect “all files and messages . . . at any time”; and employees “have no right of privacy” for personal information or messages created or maintained using company computers. These warnings were contained in an employee handbook that the plaintiff admitted she had read and signed.

Holmes sued Petrovich for, among other claims, wrongful termination after she told her employer of her pregnancy. When she became concerned about her continued employment, she sent an email from her office to an attorney and also forwarded to the attorney emails that she had received from her supervisor. The attorney told Holmes to delete the communications from her work computer because her employer might claim a right of access to it.

Holmes later resigned claiming a hostile work environment. The suit followed. The employer found the attorney-client email exchange and, over Holmes’s objection, used it at trial.

Handbook Trumps Privilege

The court of appeals acknowledged that the California Evidence Code insulated privileged electronic communications from waiver where persons involved in “the delivery, facilitation, or storage of electronic communication may have access to the content of the communication.” This was not the case here, however. Rather, sending emails on the company’s computer was “akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard by him.” Any belief by Holmes in the privacy of her email exchange was unreasonable because of the handbook warning, the appellate court held. And even if her employer did not access employee emails or audit employee computer usage, “absent a company communication contradicting” the handbook policy on computer usage, “it was unreasonable for Holmes to believe that her personal email sent by company computer was private simply because, to her knowledge, the company had never enforced its computer monitoring policy.”

Alamar Ranch, LLC v. County of Boise, 2009 LEXIS 101866 (D. Idaho Nov. 2, 2009), reached the same result. This case involved a Fair Housing Act suit against Boise County. The plaintiff alleged that the county rejected a permit to build a treatment facility for troubled youth because of the opposition of a group called Opponents of Alamar, which was represented by a lawyer named Charney. Charney communicated with his clients by email. One client, Kirkpatrick, used her office email for privileged communications with Charney. Kirkpatrick’s employer was subpoenaed and produced those emails. Charney moved to recover the privileged emails. Kirkpatrick’s employer had put all employees on notice of its email policy whereby the employer “reserves and intends to exercise the right to review, audit, intercept, access, and disclose all messages created, received, or sent over the email system for any purpose.” Kirkpatrick submitted a declaration in which she stated that she was not aware of email monitoring by her employer. Her ignorance was insufficient to protect the privilege.

Cases about email from the office and waiver of privilege can be more nuanced. DeGeer v. Gillis, 2010 LEXIS 97457 (N.D. Ill. Sept. 17, 2010), involved an employer who was unrelated to the dispute in question but who responded to a subpoena for documents issued by the defendants. DeGeer had sued the defendants to recover a bonus to which he claimed he was entitled before the defendants’ management consulting business that had employed him was sold to the subpoena recipient, a company called Huron. Nine emails became the subject of a privilege waiver dispute.

As part of an unrelated internal investigation at Huron, DeGeer was required to turn in his Huron laptop. He also provided, on DVDs, Huron-related data from his personal laptop computer and from an external hard drive he used. DeGeer withheld from these data DVDs three emails that had been sent from his work email address (presumably accessed remotely) because they were communications with his counsel. He provided Huron’s law firm with a log of the withheld emails and asked them to remove from any production the same emails located on Huron servers. That request was honored.

Separately, the defendants in the lawsuit subpoenaed Huron, which responded by producing DeGeer’s electronic documents. The production included six additional privileged emails that were sent from DeGeer’s personal email address “while apparently utilizing the Huron server.” DeGeer and his counsel were unaware that electronic communications sent from a personal email account would be preserved on Huron’s server and were also unaware that Huron had done an additional search of the server (which resulted in the location of the six additional emails) before responding to the subpoena.

Fortunately for DeGeer, the parties had stipulated in a protective order that inadvertent production of privileged documents did not constitute a waiver. The production of the six emails was inadvertent, the magistrate judge held. The privilege was preserved by the protective order.

As to the three emails, DeGeer was fortunate. The magistrate judge held that while Huron had the right to access information on DeGeer’s Huron-issued laptop, Huron followed a policy of honoring the privacy of an employee to communicate with counsel using work email addresses on Huron computers; hence, there was no waiver.

Email Privacy

Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010), also involved the ability of an employer to recover emails, this time from a company-issued laptop. Marina Stengart used her company-issued laptop to exchange emails with her lawyer through her personal, password-protected, web-based email account. She later filed an employment discrimination lawsuit against her employer, Loving Care Agency. The agency hired a forensic expert to recover files, including Stengart’s attorney-client emails, from the company’s laptop used by Stengart. Loving Care then gave the emails to its lawyers. They claimed a privilege waiver because of Loving Care’s written policy that “e-mail and voice mail messages, Internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.”

The New Jersey Supreme Court disagreed. It held that Stengart had a subjective and objective expectation of privacy in the attorney-client emails—the former because she used a personal, password-protected account for the communications and the latter because Loving Care’s policy did not address the use of personal accounts, much less personal, web-based email accounts accessed through company laptops, and did not warn employees that the contents of email sent through personal accounts could be forensically retrieved and read by the company. The court went a step further and announced that “because of the important public policy concerns underlying the attorney-client privilege,” a policy “that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system” would not be enforced in New Jersey.

What would have been the result had Stengart’s children had access to her password and used her email account? In Willis v. Willis, 914 N.Y.S.2d 243 (N.Y. App. Div. 2010), Jane Willis claimed that her former husband, Richard, defamed her in an email sent to her and read by one of the Willises’ children. The email was sent to the plaintiff’s email account, which was regularly used by the Willises’ children; hence the basis for “publication” of the allegedly defamatory statement. The plaintiff used the same email account to communicate with her attorneys. The defendant sought and obtained copies of those emails, arguing that they were not privileged. The children knew their mother’s password and regularly used the account. The plaintiff herself was claiming “publication” of the defamation because the children used the account. The children were related to both Jane and Richard. There was no evidence that Jane asked the children to keep email communications confidential. Hence, the plaintiff had no reasonable expectation of confidentiality in the emails.

Green v. Beer, 2010 LEXIS 87484 (S.D.N.Y. Aug. 24, 2010), involved a suit by a couple, the Greens, arising out of an investment in a tax shelter scheme promoted by the defendants. The Greens were not proficient in the use of email. Their son, Daniel, was. They gave their son’s email address to their lawyer and regularly communicated with their lawyer through their son. The defendants, claiming waiver, sought those communications. Daniel testified that his parents needed his technical assistance to send and receive emails and that he regularly assisted them. Daniel’s affidavit mimicked the words of section 4548 of the New York Civil Practice Law and Rules, which protects electronic communications from waiver for the “sole reason” that “persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication.” That statute might not have envisioned children handling emails for their parents as opposed to, say, Internet service providers doing so. No matter. The district court held that this language protected the privilege.

Social Networks Discoverable

And as the following cases demonstrate, information on social networking sites is hardly private.

Romano v. Steelcase, Inc., 907 N.Y.S.2d 650 (N.Y. Sup. Ct. 2010), was a personal injury action. The defendant sought access to the plaintiff’s Facebook and MySpace pages and accounts, seeking information inconsistent with the plaintiff’s claimed injuries. The plaintiff refused to authorize Facebook and MySpace to allow this access. The defendant moved to compel access. The trial court granted it: “[I]t appears that Plaintiff’s public profile page on Facebook shows her smiling happily in a photograph outside the confines of her home despite her claim that she has sustained permanent injuries and is largely confined to her house and bed.” As a result, “there is a reasonable likelihood that the private portions of her sites may contain further evidence such as information with regard to her activities and enjoyment of life, all of which are material and relevant to the defense of this action.” The trial court ordered the plaintiff to provide whatever authorization was required by Facebook and MySpace to give the defendant access to the plaintiff’s “records, including any records previously deleted or archived” by Facebook and MySpace.

McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Pa. Sept. 9, 2010), reached the same result in a similar context, but the trial court ordered the plaintiff to provide the defendant with “Facebook and MySpace user names and passwords” and prohibited the plaintiff from deleting or altering “existing information and posts” on the plaintiff’s accounts.

The courts in McMillen and Romano rejected privacy claims made by the plaintiffs in each action because Facebook’s and MySpace’s terms of use did not guarantee confidentiality or privacy and also because account holders’ information either appeared on the “public” portion of a user’s page or was available to “friends” to whom the user gives access.

Privacy concerns were, however, recognized in EEOC v. Simply Storage Mgmt., LLC, 270 F.R.D. 430 (S.D. Ind. 2010). The Equal Employment Opportunity Commission (EEOC) brought a sexual harassment suit against the defendant on behalf of two claimants, Zupan and Strahl. Both claimants sought damages for emotional distress. The defendant sought access to the claimants’ Facebook and MySpace accounts to review their profiles and other communications, arguing that this information would refute the emotional distress claims. The EEOC sought to limit the discovery to social networking site (SNS) information that directly addressed matters alleged in the complaint. The defendant wanted unrestricted access.

The magistrate judge explained it was “reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.” Concluding that the EEOC’s approach was too restrictive and that it did not address the proper scope of discovery for “garden variety emotional distress claims,” the court allowed discovery of, among other things, “any profiles, postings, or messages” for claimants for a prescribed time period as well as any photographs or videos that “relate to any emotion, feeling, or mental state.”

What can lawyers learn from these cases? Wise lawyers will have their clients call, not email, them from work and will be cautious about leaving voice mail messages for their clients, in the event that the employer converts voice mail to an audio or text file and sends the voice mail to the recipient by email on the employer’s email system. For email communications, they will require clients to use password-protected private email accounts that are secure from third parties, including, where local law dictates, the clients’ children. They should never assume that attorney-client email exchanges from a client’s work computer are secure even when communications occur through the client’s password-protected personal email account. And they will always counsel their clients about the discoverability of information posted on social networking sites.    


John M. Barkett

The author is a partner with Shook Hardy & Bacon LLP, Miami.