While it is generally well established that employees do not have a high expectation of privacy when using their employer’s e-mail system (“Monitoring Employee E-Mail Generally OK,” New England In-House, October 2005), a more difficult issue is presented when the communication implicates the attorney-client privilege or work product doctrine.

Consider the following factual scenario.

An employee separates employment from the company and litigation ensues. The employer hires a forensic consultant to inspect the computer used by the employee. Evidence helpful to the employer’s case is uncovered.

A layer of complexity is added when the computer contains communications between the employee and his personal attorney. Is the attorney-client privilege available to the former employee in shielding the discovery of those communications? Or is the privilege waived by this type of use of the company’s computer in the face of a policy banning personal usage?

While there is scant reported precedent in this area, a recent decision handed down by a U.S. District Court in New York in Curto v. Medical World Communications, Inc., Docket No. 03-CV-6327 (E.D.N.Y. May 15, 2006), provides guidance to companies concerning the juxtaposition of the attorney-client privilege and an employee’s personal use of a company computer system.

The plaintiff, employed by Medical World Communications, Inc. (MWC), was assigned a company-owned laptop computer and primarily worked out of her home office.

When she was terminated in October 2003, the plaintiff was instructed to return the laptop computer to MWC. Prior to returning the computer, she deleted her personal files from the laptop’s hard drive, including notes and e-mails she had sent to her personal attorney regarding her claims against MWC and the other defendants.

The e-mails at issue were sent using MWC’s laptop, but through the plaintiff’s personal AOL account.

In defending against the former employee’s claim, MWC hired a computer consultant who was able to restore portions of the files and e-mails that had been deleted by the former employee.

Upon restoration of these documents, the defendants produced them to the plaintiff in the course of discovery. The plaintiff asserted that certain documents in the production were protected from disclosure by the attorney-client privilege and work product immunity. She sought a protective order demanding that the documents be delivered to her and not disclosed by the defendants.

The trial court judge upheld a magistrate judge’s ruling that the plaintiff had not waived her right to assert the attorney-client privilege as to those communications with her private attorney, notwithstanding that they were found on the company-owned laptop computer in apparent violation of company policy.

The judge in Medical World noted that the voluntary disclosure of communications otherwise protected by the attorney-client privilege generally results in a waiver. The judge then reviewed under what circumstances a party’s inadvertent disclosure does not constitute a waiver of the attorney-client privilege.

In conducting this analysis, the judge considered four well-known factors: (1) the reasonableness of the precautions taken by the producing party to prevent inadvertent disclosure of privileged documents; (2) the volume of discovery versus the extent of the specific disclosure at issue; (3) the length of time taken by the producing party to rectify the disclosure; and (4) the overarching issue of fairness.

Introduction of policy enforcement ‘subfactor’

In addition to a consideration of these four factors regarding inadvertent disclosure, the magistrate judge introduced a new “subfactor” – whether the employer enforced its computer usage policy.

In considering the new subfactor, the magistrate judge acknowledged that the plaintiff had signed an employee handbook containing a computer policy barring personal usage of computers by employees. But this did not end the inquiry, according to the magistrate judge, because lack of enforcement by MWC created a “false sense of security” which “lull[ed] employees into believing that the policy would not be enforced.”

In upholding the magistrate judge’s ruling, the District Court judge noted that use of the computer policy enforcement subfactor was not clearly erroneous or contrary to law. Indeed, according to the District Court judge, it “goes right to the heart of the overriding question which guides the Court’s analysis: was the plaintiff’s conduct so careless as to suggest that she was not concerned with the protection of the privilege.”

The District Court judge distinguished numerous cases holding that an employee has no expectation of privacy in the use of a workplace computer. Those cases are analogous but not controlling, according to the judge, because they arise in the context of an employee asserting a right to privacy claim, but they do not address e-mail communications implicating the attorney-client privilege.

Practical guidance for employers

The Medical World case is somewhat puzzling in analyzing the issue under an inadvertent disclosure of documents approach (the plaintiff did not inadvertently produce the documents at issue but actually sought to destroy them) rather than considering whether the employee’s use of the company’s computer contrary to policy would constitute a waiver of the attorney-client privilege.

Nonetheless, the case is instructive for companies seeking to obtain forensic evidence that would not later be deemed privileged.

In Medical World, the trial court judge found significant that the plaintiff worked from a home office on a company-owned laptop and that the e-mail messages at issue did not pass through MWC’s servers.

Thus, as a matter of fact and contrary to the notice in its computer usage policy, MWC was not able to monitor Plaintiff’s activity on her laptop hard drive or monitor her e-mail messages at any time.

The District Court also drew a distinction between the existence of a policy and enforcement of that policy. The judge noted that the MWC policy stated that the company “may” monitor employee e-mail as opposed to affirmatively stating that it “will” engage in such monitoring. Further, the company was able to cite only four instances where it had, in fact, monitored the computer use of its employees.

In light of the Medical World decision, companies should review their e-mail usage policies to ensure that employees are put on notice unambiguously of the company’s e-mail monitoring practices.

It is important to avoid having employees “lulled into a false sense” of security and privacy with respect to e-mail communications. Employers should also consider addressing in their e-mail policies the subject of private communications, including those between an employee and a personal attorney.

Finally, the Medical World case highlights difficulties that may be encountered with employees working from home or those utilizing personal e-mail accounts on a company computer. These realities of the workplace should be taken into account with respect to both computer policies and monitoring practices.

Terence P. McCourt, a shareholder in the Boston office of Greenberg Traurig ([email protected]), concentrates his practice on the representation of management in all aspects of labor and employment litigation and counseling.