The comments to Model Rule 1.6 explain that a lawyer “must act competently to safeguard” client information against the inadvertent or unauthorized disclosure by a lawyer or anyone who is subject to the lawyer’s supervision. The use of clawback agreements in electronic discovery has become commonplace given the exponentially greater volume of information typically involved and the heightened risk that privileged or protected information will be inadvertently disclosed. While the terms of clawback agreements can widely vary, under a typical clawback, the parties agree that if privileged or protected information is disclosed, it will be returned pursuant to that agreement.

The problem with clawback agreements is that they are not enforceable against third parties. If your client is involved in related litigation involving similar issues, should the parties involved in that litigation learn of the disclosure of privileged information in your case, they could seek its production, irrespective of your clawback, by arguing they were not parties to your agreement and that the privilege was waived by your disclosure. Indeed, that limitation is codified in Fed. R. Evid. 502(e) which provides: “[a]n agreement on the effect of disclosure in a federal proceeding is binding only on the parties to the agreement.” So while clawback agreements serve a worthwhile purpose, they are not risk free. Better protection against third-party waivers in a federal proceeding can be obtained if a federal court enters a nonwaiver order under Fed. R. Evid. 502(d). However, many states have not adopted the equivalent of Rule 502(d), and it remains an open question whether a non-waiver order entered in one state-court proceeding is enforceable in other state-court proceedings. See Hopson v. City of Baltimore, 232 F.R.D. 228 (D.Md. 2005).

Thus, there is a continuing need for clawback agreements, especially in state-court litigation. But before entering into a clawback agreement with your opponent, also consider protecting yourself against potential criticism over its use. In document intensive cases, or suits where a significant amount of ediscovery will be sought, discuss the use of a clawback agreement with your client, including its risks and benefits. Obtain your client’s consent before using a clawback. A best practices approach would involve written consent from the client to the use of a clawback agreement before it is entered into with opposing counsel. This can avoid any after-the-fact controversy over the nature of your discussions with the client or the decision to use a clawback to protect the confidentiality of your client’s information.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. You can read our prior blog post that discussed the appellate court’s decision here. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

Introduction.

Stengart addressed whether the attorney-client privilege protected a former employee’s emails that were sent to her attorney using a company-issued laptop computer through a personal, password-protected, web-based (Yahoo) email account. The emails addressed a lawsuit the former employee contemplated bringing against her employer and were sent to the employee’s personal attorney prior to her resignation from the company. The company obtained the emails after suit was filed by making a forensic image of the computer’s hard drive and extracting them from the plaintiff’s internet browser history.

The court in Stengart concluded the emails were privileged, holding the policy considerations underlying the attorney-client privilege “substantially outweighed” the company’s interest in enforcing its computer use and electronic communications policy. The decision is also significant in that the court remanded for an evidentiary hearing to determine whether the company’s attorneys should be disqualified or if some other sanction should be imposed as a result of their failure to comply with Rule 4.4(b) of the New Jersey Rules of Professional Conduct. The New Jersey rule, like Rule 4.4(b) of the Model Rules, requires that whenever a lawyer has reasonable cause to believe that a document was inadvertently produced, the lawyer should not read it, and must promptly notify the sender.

The court’s decision in Stengart should be contrasted with Scott v. Beth Israel Medical Center, 17 Misc. 934, 847 N.Y.S.2d 436 (2007), which held the attorney-client privilege was lost when the plaintiff used the company’s email system to communicate with his attorney in view of the company’s no personal use and email monitoring policies coupled with the plaintiff’s awareness of those policies. The Stengart and Beth Israel decisions demonstrate that whether an employee’s communication with personal counsel retains its privileged nature when made via the company’s computer or email system involves a fact-specific inquiry. This post will address those decisions and will outline the factors that courts have examined when addressing the issue of attorney-client privilege in this context.

Ambiguous Electronic Communications Policy.

In Stengart, the plaintiff disputed whether the company’s electronic communications policy was in effect or was merely in draft form at the time she sent the emails, and whether the policy applied to executives such as the plaintiff. While the appellate court noted that the privilege issue should not have been decided absent an evidentiary hearing addressing these points given the factual dispute in the record, that was not the basis of the court’s holding.

The court also noted several ambiguities in the company’s electronic communications policy. In its employee handbook, the company reserved “the right to review, audit, intercept and disclose all matters in the company’s media systems and services at any time, with or without notice.” However, the policy neither defined nor suggested what was encompassed by the phrase “media systems and services,” and the court concluded that those words alone did not convey “a clear and unambiguous understanding about their scope.”

The company policy clearly provided: “E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and are not to be considered private or personal to any individual employee.” It further stated, however, that “occasional personal use” of those systems was permitted. The court in Stengart observed the policy made no attempt to explain when such personal use was permitted and ruled “[a]n objective reader could reasonably conclude … that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.”

Stengart noted “[t]hese ambiguities cast doubt over the legitimacy of the company’s attempt to seize and retain personal emails sent through the company’s computer via the employee’s personal email account.” While the electronic communications policy was obviously relevant to whether the communication was confidentially made, the court again chose not to base its decision on the ambiguities in the company policy. Rather, the court explained:

Giving the company the benefit of all doubts about the threshold disputes mentioned in earlier sections of this opinion, as well as the broadest interpretation of its electronic communications policy permitted, despite the obvious ambiguities in the policy’s text, we nevertheless are compelled to conclude that the company policy is of insufficient weight when compared to the important societal considerations that undergird the attorney-client privilege. As a result, we conclude that the judge exhibited inadequate respect for the attorney-client privilege when she found that plaintiff “took a risk of disclosure of her communications and a risk of waiving the privacy she expected” when she communicated with her attorney through her work-issued computer, and that plaintiff’s action in the face of the policy “constitute[d] a waiver of the attorney client privilege.” Accordingly, we reverse the order under review and conclude that the emails exchanged by plaintiff and her attorney through her personal Yahoo email account remain protected by the attorney-client privilege.

The Issue as Framed in Stengart Balanced the Company’s Right to Create Workplace Rules Against the Public Policies Underlying the Attorney-Client Privilege.

In order to claim attorney-client privilege, the party asserting the privilege must demonstrate that the communication was confidential when made and expected that its confidential nature would be maintained. See, e.g., Edna S. Epstein, The Attorney-Client Privilege and Work Product Doctrine, at 235 (5th ed. 2007). Various courts have examined the circumstances surrounding an email communication, and have concluded that the privilege is waived when “the holder of the privilege voluntarily discloses or consents to the disclosure of any significant part of the communication to a third party or stranger to the attorney-client relationship.” Power Boot Camp, Inc. v. Warrior Fitness Camp, 587 F.Supp. 2d 548, 563 (S.D.N.Y. 2008).

In Beth Israel, the appellate court outlined four factors relevant to the issue of confidentiality, which is a prerequisite to attorney-client privilege in this context. Those factors address whether:

(a) the company maintains an electronic communication policy banning personal or other objectionable use;

(b) the company monitors the use of its employees’ computers or email;

(c) third-parties have a right of access to its computers or emails; and

(d) the company notifies its employee or whether the particular employee was aware of the company’s use and monitoring policies.

The court in Beth Israel recognized that when an employee sends an email to his personal counsel via the company’s computer system knowing the company has a policy of monitoring and examining those emails, the employee could not legitimately claim he sent the email expecting it would remain confidential. However, another appellate court in People v. Jiang, 131 Cal. App. 4th 1027, 33 Cal. Rptr. 184, 205 (2005), held that an employee’s emails to his attorney were privileged notwithstanding the fact that they were sent via his employer’s computer. In Jiang, the court determined that the privilege was not lost in view of the employee’s “substantial efforts to protect the documents from disclosure by password-protecting them and segregating them in a clearly marked and designed folder.” Additionally, the policy on electronic communications in Jiang did not specifically prohibit the employee’s personal use of the company’s computer system.

Accordingly, the scenario presented in Stengart was factually analogous to Jiang. However, the appellate court in Stengart did not approach the privilege issue from the perspective outlined above. Instead, the court noted that “an employer’s rules and policies must be reasonable to be enforced,” and framed the issue as one which required the court’s “balancing of the company’s right to create and obtain enforcement of reasonable rules for conduct in the work-place against public policies underlying attorney-client privilege.”

With the issue framed in this fashion, the appellate court in Stengart concluded that while a company may monitor its employees’ computer use and take appropriate disciplinary action when the employee engages in personal matters during work hours, “that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.” The court ultimately concluded that an employer’s policy which transformed all private communications into company property merely because the company owned the computer used to make the private communication or to access the private information during work hours “further[ed] no legitimate business interest.” The court in Stengart added:

Certainly, the electronic age – and the speed and ease with which many communications may now be made – has created numerous difficulties in segregating personal business from company business. Today, many highly personal and confidential transactions are commonly conducted via the Internet, and may be performed in a moment’s time. With the touch of the keyboard or click of the mouse, individuals may access their medical records, examine activities in their bank accounts and phone records, file income tax returns, and engage in a host of other private activities, including, as here, emailing an attorney regarding confidential matters. Regardless of where or how these communications occurred, individuals possess a reasonable expectation that those communications will remain private.

Stengart Should be Read in Light of New Jersey’s Recognition of a Broad Right to Informational Privacy Under the State Constitution.

Because the existence of a privilege results in the withdrawal of potentially relevant information from the judicial process, many courts have strictly construed the attorney-client privilege. See, e.g., Fisher v. United States, 425 U.S. 391, 403 (1976) (observing “since the privilege has the effect of withholding relevant information from the fact finder, it applies only when necessary to achieve its purpose”). Foster v. Hill, 188 F.3d 1259, 1264 (11th Cir. 1999) (holding the party invoking the attorney-client privilege has the burden of establishing its applicability which is “narrowly construed”).

Stengart’s approach to the privilege issue should be read in light of the broad right to privacy recognized by New Jersey courts under the New Jersey State Constitution. See, e.g., State v. Reid, 389 N.J. Super. 563, 914 A.2d 310, 317 (2007) (noting a line of decisions which are “highly protective” of an individual’s right to privacy even when the information sought is in the hands of a third party). For example, while federal courts have routinely held that internet subscribers have no right of privacy with respect to identifying information on file with their internet service providers, the appellate court in Reid reached the opposite conclusion based upon the right of privacy afforded by the New Jersey State Constitution. Id. The court in Reid noted that of those States that have an explicit right of privacy in their State Constitutions, only New Jersey has recognized a right to “informational privacy.” Id. at 313-14. Stengart suggests that the issue of privilege waiver in this context involves not only a fact-bound inquiry, but also one that may be jurisdictionally specific, making broad generalizations or bright-line approaches to the issue problematic.

Do Not Ignore Applicable Ethical Rules.

In Stengart, company’s attorneys did not notify the plaintiff or her counsel that the company had extracted the emails from the computer she had used before producing them in discovery. The appellate court in Stengart concluded that counsel’s actions were inconsistent with the obligations imposed by Rule 4.4(b) of the New Jersey Rules of Professional Conduct. The court criticized counsel’s approach in the case, noting that counsel had “appointed itself the sole judge of the issue and made use of the attorney-client emails without giving plaintiff an opportunity to advocate a contrary position.”

Thus, a lesson to be learned from Stengart is that whenever an attorney receives potentially privileged or confidential information relating to the opposing party, that attorney should carefully consider how that information was obtained. Was its production intentional or inadvertent? Counsel should then review the applicable rules of professional conduct and consider whether to consult with a knowledgeable attorney concerning your ethical duties under the circumstances presented. The safest course of action is to promptly notify opposing counsel about your receipt of any confidential or privileged information. When the issue cannot be informally resolved with opposing counsel, bring the matter to the court’s attention and allow the court to resolve the issue before using or further disclosing the information in discovery.

Factors To Consider Involving Privilege And Email Communications.

Courts generally view the use of email as simply another form of communication and apply privilege rules that have developed in the context of written and oral communications between the attorney and client. There are unique technological aspects to the use of email – they can reside in a “sent file,” on a computer’s hard drive, an email server or on backup tapes. Internet service providers will also possess email communications for short periods of time. We have previously posted one of our PowerPoint slides which depicts the potential routes that a single email can take and where it can be found which can be seen here. However, no court has ever held that the technologically unique features of email communication defeats the attorney-client privilege.

The mere fact that a company computer is used by an employee should not result in a loss of the privilege. See Curto v. Medical World Communications Inc., 2006 WL 1318387 (E.D.N.Y. 2006) (holding privilege applied to emails sent from an employee’s home office on a company issued laptop that was not connected to the company’s email server). No one would argue that an employee who uses a company phone to call an attorney from the privacy of his or her own office thereby loses the right to claim their conversation was privileged. The mere use of a company computer does not necessarily change the privilege equation.

Similarly, a company prohibition on the personal use of communication equipment does not necessarily vitiate the privilege. While an employee may be disciplined for violating a company policy by making a personal phone call from the privacy of his or her office, the mere violation of a company policy would not defeat the claim of privilege. However, where a company prohibits personal use of company equipment, advises its employees that it reserves the right to monitor and review their electronic communications and does so, then the employee will have difficulty claiming that the communications made in confidence to the attorney.

As Jiang demonstrates, an employee’s use of password protected web-based email account will bolster the employee’s claim of privilege as would the use of encryption software. On the other hand, the use of a shared computer and/or the existence of shared passwords on a company computer will lessen the strength of any privilege argument. Copying others on emails between the attorney and the client can result in the privilege being lost as one of our prior posts explains. A company’s failure to explicitly prohibit the personal use of its email and computer systems, or ambiguities in such a policy are additional factors that several courts have noted when addressing the issue.

Beware of the Stored Communications Act When Accessing an Employee’s Web-based Email.

The Stored Communications Act, 18 U.S.C. §2701, prohibits the access of an “electronic communication service” without proper authorization. The Act is violated when a person accesses an electronic communication service or obtains an electronic communication while in electronic storage without authorization. Several courts have concluded that emails stored on an electronic communication service provider’s system constitute “stored communications” under the Act. See Power Boot Camp, 587 F.Supp. 2d at 555 (collecting cases). The district court in Power Boot Camp concluded that when a company accessed, without proper authorization, its former employee’s Hotmail account emails from the company computer he had purportedly used to view those emails, the Act was violated.

While the district court in Power Boot Camp recognized that an employee’s implied consent may provide sufficient authorization under the Act to permit an employer’s access to an personal email account, statements in an employee handbook must provide clear notice of that fact. While the former employee in Power Boot Camp may have been on notice that the company’s computers could be searched for evidence of his personal use, he was not aware that such a search could include his Hotmail, Gmail or any other web-based mail accounts. Thus, the company policy was not sufficiently specific to dodge a violation of the Act.

Privilege and privacy issues involving an employee’s personal email communications is an evolving area of law that will continue to develop with technological advancements. As these decisions demonstrate, attorneys and their clients must take care when reviewing potentially privileged or confidential information communicated by an employee via a company-issued computer over the internet.

Flagg has been listed by one e-discovery blog as one of the top 5 e-discovery decisions of 2008.  

No, this is not the decision involving the text messages between the former Mayor of Detroit and his female chief of staff that were purportedly more tawdry and explicit than an old Harlequin romance novel.  Flagg involved a wrongful death action and the text messages being sought related to a possible cover-up and interference of an investigation involving the murder of an exotic dancer who allegedly performed at a party at the Mayor’s official residence. 

The case is significant because in ordering that the text messages could be produced, the district court outlined several ways to get around the Stored Communications Act, 18 U.S.C. 2701.  Section 2702 of the Act generally prohibits a person or entity providing an “electronic communication service” (ECS) or a “remote computing service” (RCS) from knowingly divulging to any person or entity the contents of a communication while in “electronic storage” by that service or which is “carried or maintained on that service.”  A service provider can divulge contents of an electronic communication with the consent of an appropriate party.  Who can provide that consent varies depending upon if the service provider is an “ECS” or “RCS” provider.  In the case of an RCS provider, a “subscriber,” like the City, can provide the required consent.  With an ECS provider, only “the originator or an addressee or intended recipient” of the message (in this case, city employees and officials) can lawfully consent to the release.  

In reaching the conclusion that the text messages could be produced, the court in large part  relied on Rule 34′s requirement that a responding party produce not only documents in its possession, but also documents under the responding party’s “custody and control.”  The court pointed to cases holding that documents in the possession of a party’s agent or attorney are considered under the responding party’s control.  The court noted that a corporate party is deemed to have control over documents in the possession of its officers or employees.  Thus, the court in Flagg concluded that irrespective of whether the service provider was deemed to be and ECS or RCS provider, the City had both the ability and the obligation to secure any consent required by the Stored Communications Act to obtain release of the text messages – in accordance with a protocol which the court had previously set up to screen the text messages for relevancy and/or  privilege.

So one “take away” from this case is to remember that whenever you are seeking to preserve paper documents or electronic data through a litigation hold and/or  when certifying that a production response is complete under Fed. R. Civ. P 26(g) by signing that response, don’t overlook information in the possession of a third party which your client controls.

Flagg bears mentioning another reason. The district court in Flagg concluded that the service provider was an “RCS” as defined under the Stored Communication Act.  In the process of reaching that conclusion, the district court in Flagg disagreed with Quon v. Arch Wireless Operating Co., 529 F.3d  892 (9th Cir. 2008).  The Ninth Circuit’s decision in Quon caught the attention of several commentators for an entirely different reason — Quon held that an employee could claim a reasonable expectation of privacy in his text messages based on his employer’s informal practice which contradicted the city’s policies on internet use and computer use. Quon also addressed whether the release to the City of the text messages sent by members of the city’s “swat team” over city-issued pagers violated the Stored Communications Act.  The Ninth Circuit in Quon found that the service provider’s release of those text messages violated the Act based on its conclusion that the service provider was an “ECS.”  While the district court in Flagg distinguished that aspect of Quon on several different grounds and based its decision on at least one argument which had not been raised in Quon, if you are practicing on our left coast, and run into a question involving the Stored Communication Act, make sure you argue Flagg, but follow Quon.

Flagg also explained that production of text messages pursuant to a third-party subpoena would divulge the content of those communications in violation of the Act unless the appropriate consent was first obtained. The court concluded that a Rule 34 production request provided “a more straightforward path” to the discovery of the text messages.

When the discovery of text messages may be sought in one of your cases, carefully review the Stored Communication Act.  Unfortunately, the statute is far from a model of clarity as the Flagg and Quon decisions aptly demonstrate.