A court case coming out of New Jersey could impact most firms’ privacy and security practices according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer can not read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.
The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”
The ruling written by Chief Justice Stuart Rabner in part states that the employee could, “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee, “Plainly took steps to protect the privacy of those emails and shield them from her employer. She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”
The law firm of Jackson Lewis provides a legal overview of the case on their blog, The Workplace Privacy Data Management and Security Report recommends that employers consider modifying their existing electronic communication policies to include:
- Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
- Definitions of the specific technologies and devices to which the policies apply;
- Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
- No ambiguities about personal use.
Rb-
I am no lawyer, be sure to consult your attorney about this and all legal issues, in my opinion, this ruling is new law-making. The new laws are applicable only in New Jersey for now. However, unless the U.S. Supreme Court overturns this new law it will be the starting point for all other ligation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.
An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”
Sounds like another shot in the arm for the content filtering firms.
Related articles
- Your Email Is Not Private (On One Side of the Hudson) (dailykos.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.