Personal Emails on Company Computers

In December of 2007, Marina Stengart was employed as the Executive Director for Nursing at Loving Care Agency Inc., a company which provides home-care nursing and health services. Sadly, Ms. Stengart's relationship with Loving Care soured, and she left Loving Care and sued for, among other things, harassment based on gender, religion and national origin. However, before she left, Ms. Stengart used a laptop computer provided by the company to exchange emails with her attorney. When she left, she returned the laptop to Loving Care, and they were able to retrieve and read those emails by examining her computer's cache.

Not surprisingly, her lawyer went berserk (which, when a lawyer does it, is called applying for an order to show cause) and said that Loving Care's attorney should have treated the emails as privileged and returned them once they were discovered. Loving Care's attorney disagreed, and, on March 30, the New Jersey Supreme Court issued a comprehensive opinion (which can be found here) stating that Loving Care's attorney should have treated the emails as privileged and remanding to the trial court to determine an appropriate sanction.

Some interesting points from the opinion:

1) The Court said that Loving Care's policy regarding personal emails received on company machines was not entirely clear. However

Because of the important policy concerns underlying the attorney-client privilege, even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password protected e-mail account using the company's computer system -- would not be enforceable.

2) The fact that Ms. Stengart was technically unsophisticated and didn't know that her computer automatically cached documents contributed to her having a reasonable subjective expectation of privacy in the emails. If she had been more technically savvy, the Court may not have decided the emails were protected (though, given the policy considerations surrounding the privilege, I wouldn't bet on it).

3) Even though it wasn't searching for privileged materials, once it found that it had emails that were potentially privileged, Loving Care's law firm had a duty not to read them, and to report them to Stengart's lawyer. Because Loving Care's firm didn't do that, they could be disqualified and/or forced to pay Stengart's costs (or face whatever other sanctions the trial court deems appropriate).

An interesting case, and a result I'm sure was an unpleasant surprise to Loving Care.

via this article from Computer World.

Data Storage

As a general rule, one of the easiest ways to make sure data isn't stolen is to not have it. Unfortunately, as mentioned in this paper from GFI Software there are often legal requirements that prevent a company from purging its data. As the paper mentions, there are a variety of securities regulations that require companies to keep records. While true, that's only part of the story. For example, electronic discovery rules can prohibit a company from purging its records. What's (potentially) worse, even if a company doesn't purge it's records, it can still be sanctioned under the electronic discovery rules if it's records aren't in a reasonably accessible form.

The moral of the story? You need to know not just how to protect data, but what data to keep, and how to keep it in a form where you can get it back.