Risk

N.J. Supreme Court Rules Employers Can't Always Read Personal Email

Employees who use password-protected, third-party services can have a reasonable expectation of privacy, court says

In a ruling that could affect enterprises' privacy and security practices, the New Jersey Supreme Court last week ruled that an employer can not read email messages sent via a third-party email service provider -- even if the emails are accessed during work hours from a company PC.

According to news reports, the ruling upheld the sanctity of attorney-client privilege in electronic communications between a lawyer and a nursing manager at the Loving Care Agency.

After the manager quit and filed a discrimination and harassment lawsuit against the Bergen County home health care company in 2008, Loving Care retrieved the messages from the computer's hard drive and used them in preparing its defense.

The court found the company's policy regarding email use to be vague, noting it allows "occasional personal use."

"The policy does not address personal accounts at all," the decision said. "The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.

"Under all of the circumstances, we find that Stengart [Marina Stengart, the nursing manager] could reasonably expect that emails she exchanged with her attorney on her personal, password-protected, Web-based email account, accessed on a company laptop, would remain private," wrote Chief Justice Stuart Rabner in the decision, which upholds an appeals court ruling last year.

"Stengart plainly took steps to protect the privacy of those emails and shield them from her employer," Rabner continued. "She used a personal, password protected email account instead of her company email address and did not save the account's password on her computer."

Peter Frazza, Stengart's attorney, says the ruling sets a new boundary for employers who believe they have a right to all e-mails simply because they own the computer.

"Big Brother is always there, but employees have got to be comforted by the ruling, knowing they are protected," he says.

A legal analysis of the case suggests the court would have ruled against the company even if its policy had been more clearly stated.

"The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable," the analysis states. "That is, a clear policy stating that the employer could retrieve and read an employee's attorney-client communication, accessed through a personal, password-protected e-mail account using the company's computer system, will not overcome an employee's expectation of privacy and the privilege would remain."

The Court's opinion also seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who "spends long stretches of the workday" doing so can be disciplined, the analysis says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6443
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
CVE-2019-6444
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
CVE-2019-6445
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem.
CVE-2019-6446
PUBLISHED: 2019-01-16
An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call.
CVE-2019-6442
PUBLISHED: 2019-01-16
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y.