Announcement

Collapse
No announcement yet.

Court rules against employer reading an employee's personal email

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Court rules against employer reading an employee's personal email

    Only applicable to New Jersey right now, but interesting nonetheless:
    The New Jersey Supreme Court has ruled that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.
    Regarding employer notification that employee emails could be monitored:
    even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee's attorney-client communication, accessed through a personal, password-protected email account using the company's computer system, will not overcome an employee's expectation of privacy and the privilege would remain.
    Full article here.

    The court's decision is here (PDF).

    You can also view the PDF via Google Docs here (recommended).

    EDIT (Also posted below): After further reading, one of the caveats in this particular case was that the email was with a lawyer, and that the Court was protecting the attorney-client privilege. Not surprisingly, the headlines have glossed over this fact. So it's unclear to me if this would apply to otherwise normal personal emails. I suspect that it may not.
    Last edited by theprez98; April 13, 2010, 06:34.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  • #2
    Re: Court rules against employer reading an employee's personal email

    I guess the only solution if this spreads to other states is that employees using non-sanctioned email services will be terminated.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

    Comment


    • #3
      Re: Court rules against employer reading an employee's personal email

      Originally posted by streaker69 View Post
      I guess the only solution if this spreads to other states is that employees using non-sanctioned email services will be terminated.
      After further reading, one of the caveats in this particular case was that the email was with a lawyer, and that the Court was protecting the attorney-client privilege. Not surprisingly, the headlines have glossed over this fact. So it's unclear to me if this would apply to otherwise normal personal emails. I suspect that it may not.

      Having now read the entire opinion, it is narrowly tailored (as one would hope all such court opinions are), and really makes no mention of otherwise normal personal emails. To assume that your employer could no longer read any of your personal emails would, I think, be in error.
      Last edited by theprez98; April 13, 2010, 06:40.
      "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

      Comment


      • #4
        Re: Court rules against employer reading an employee's personal email

        Originally posted by theprez98 View Post
        ... To assume that your employer could no longer read any of your personal emails would, I think, be in error.
        What you do on your employers' network(s) is in fact not your business, it's theirs. This appears to be just an extension of enforcement of the attorney-client privilege, thus still not shaking any "the man is reading my personal emails" approach to the topic. The court ruled that the employer does not have the right to read emails between client and council, however, it appears that the employers' right to monitor traffic on their network is still solid.

        Nonetheless, if you have something personal to do online when at work, that's pretty much what 3G is for. Smartphones, 3G notebooks, air cards, etc. all offer alternatives to using your employers' network(s) for personal business. Using their time for such business, however, may still get you in the brown and stinky, and is another discussion in itself. My 2¢.
        "You have cubed asscheeks?"... "Do you not?"

        Comment


        • #5
          Re: Court rules against employer reading an employee's personal email

          Originally posted by sintax_error View Post
          What you do on your employers' network(s) is in fact not your business, it's theirs. This appears to be just an extension of enforcement of the attorney-client privilege, thus still not shaking any "the man is reading my personal emails" approach to the topic. The court ruled that the employer does not have the right to read emails between client and council, however, it appears that the employers' right to monitor traffic on their network is still solid.
          I did bring this issue up with our HR Tick just a little bit ago, and she thinks that the employer still has the right to do it. But I'm not sure that she understood everything I was saying.

          Nonetheless, if you have something personal to do online when at work, that's pretty much what 3G is for. Smartphones, 3G notebooks, air cards, etc. all offer alternatives to using your employers' network(s) for personal business. Using their time for such business, however, may still get you in the brown and stinky, and is another discussion in itself. My 2¢.
          Our AUP here has it listed that no employee may use an unapproved internet connection on a company computer. If they want to use it, they'd need to supply their own computer and do it on their own time during a break.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

          Comment


          • #6
            Re: Court rules against employer reading an employee's personal email

            I'm confused... does the company not have the right to monitor all internal traffic anyway?
            They can just grab it at the tcp/ip level. Filters like "Watchguard" do things that way: If I'm emailing out payroll.xls, the filter can nab specific keywords and block it from going outside.

            Companies should have the right to monitor anything in their networks, this is absurd. What happens when someone downloads a trojan form their personal email service that bypasses "internal" spam filters, sends off tradesecrets.pdf, and now you need to figure out what damage was done?

            I can't believe this was passed. This is a private network owned by a corporation for business use. We're protecting people that violate company policy? Do the decision makers have any professional advisers or simply agree that nobody should be in my inbox? I couldn't find one specific term in the document for what defines an email, it looks like it could be any sort of packet sent over the network, so now we're ad-hock defining what our IT departments shouldn't see? As said above, the reaction to this will undoubtedly have to be termination for breaking the policy. I hope this gets revoked.

            Comment


            • #7
              Re: Court rules against employer reading an employee's personal email

              Originally posted by SHA-hi View Post
              I'm confused... does the company not have the right to monitor all internal traffic anyway?
              They can just grab it at the tcp/ip level. Filters like "Watchguard" do things that way: If I'm emailing out payroll.xls, the filter can nab specific keywords and block it from going outside.

              Companies should have the right to monitor anything in their networks, this is absurd. What happens when someone downloads a trojan form their personal email service that bypasses "internal" spam filters, sends off tradesecrets.pdf, and now you need to figure out what damage was done?

              I can't believe this was passed. This is a private network owned by a corporation for business use. We're protecting people that violate company policy? Do the decision makers have any professional advisers or simply agree that nobody should be in my inbox? I couldn't find one specific term in the document for what defines an email, it looks like it could be any sort of packet sent over the network, so now we're ad-hock defining what our IT departments shouldn't see? As said above, the reaction to this will undoubtedly have to be termination for breaking the policy. I hope this gets revoked.

              The problem boils down to is whether or not the right of confidentiality between lawyer and his client, or if the right to an employer to monitor their traffic is greater. Attorney/client privilege confidentiality has been proven to be greater than an EULA in this case. Just cause this guy beat the system, doesn't mean that every Joe Blow will try to beat the system this way, unless they just email lawyers when they abuse their employer's network from here on out.
              "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."

              Comment


              • #8
                Re: Court rules against employer reading an employee's personal email

                Originally posted by g3k_ View Post
                The problem boils down to is whether or not the right of confidentiality between lawyer and his client, or if the right to an employer to monitor their traffic is greater. Attorney/client privilege confidentiality has been proven to be greater than an EULA in this case. Just cause this guy beat the system, doesn't mean that every Joe Blow will try to beat the system this way, unless they just email lawyers when they abuse their employer's network from here on out.
                I suspect, even though I haven't read anything about this case, is that the contact with the guy's lawyer was probably about some dispute with his employer. So of course, a pissing match ensues.
                A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                Comment


                • #9
                  Re: Court rules against employer reading an employee's personal email

                  Sure, but this needs to be a non-issue. He can do whatever he wants in his in-box, but the second he brings it into the company it's a potential threat that needs to be managed. If you don't want your network admin reading your emails at work, don't open your personal 3rd party inbox exposing the network to viruses at work. I don't understand how this is an actual issue. Don't open your inbox at work, your privacy never gets "invaded".

                  Comment


                  • #10
                    Re: Court rules against employer reading an employee's personal email

                    Originally posted by SHA-hi View Post
                    I'm confused... does the company not have the right to monitor all internal traffic anyway?
                    They can just grab it at the tcp/ip level. Filters like "Watchguard" do things that way: If I'm emailing out payroll.xls, the filter can nab specific keywords and block it from going outside.

                    Companies should have the right to monitor anything in their networks, this is absurd. What happens when someone downloads a trojan form their personal email service that bypasses "internal" spam filters, sends off tradesecrets.pdf, and now you need to figure out what damage was done?

                    I can't believe this was passed. This is a private network owned by a corporation for business use. We're protecting people that violate company policy? Do the decision makers have any professional advisers or simply agree that nobody should be in my inbox? I couldn't find one specific term in the document for what defines an email, it looks like it could be any sort of packet sent over the network, so now we're ad-hock defining what our IT departments shouldn't see? As said above, the reaction to this will undoubtedly have to be termination for breaking the policy. I hope this gets revoked.
                    Courts have long upheld the sanctity of attorney/client communications above almost everything else. Couple that with the courts' traditional ignorance of technology, and this decision isn't really surprising.

                    The biggest problem that I see with this decision is this sentence in paragraph 4: "Also, the company did not warn employees that the content of such e-mails is stored on the hard drive and capable of being read by the company." According to that, there is an implied requirement of all companies doing business in New Jersey to advise all their employees on the technical details of how web browsers' caches work -and by extension that includes technical details of almost all other programs whether or not the company knows how a given program works.

                    Based on that critical technical point -which the court clearly does not understand- and from precedent dealing with an internal email server -detailed in paragraph 5-, the court concluded that the plaintiff had a reasonable right to an expectation of attorney-client privilege. While it has some insight into the difference between external web-based email and an internal server, the court fails to understand how packet based communications work. Even with this lack of understanding the court implies that employers must have this knowledge, and directly states that employers must inform and educate employees of this.

                    All-in-all, this is an asinine decision. In an attempt to maintain attorney/client privilege, the court set the bar for technical knowledge of all employers in New Jersey to be higher than its own understanding of those same technical issues.
                    Thorn
                    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                    Comment


                    • #11
                      Re: Court rules against employer reading an employee's personal email

                      I know you guys have already addressed some of these points, but it seems as though several things influenced this ruling:

                      1) The company's use/privacy policies regarding email were ambiguous and contradictory in several instances. Also, since the company allowed use of personal email at work, (according to the court) it implies the company's acknowledgment of the employee's right to keep those communications private.
                      2) There was a question as to whether the use policy had been formally adopted and properly disseminated to employees.
                      3) Attorney-client privilege (the employee was emailing her attorney)
                      4) The court did not find parts of the employer's policy to be reasonable. With regards to email privacy issues, the employer's rules supposedly overstepped the reasonable bounds of the furtherance of the company's business.
                      5) The court felt that the employee had a reasonable expectation of privacy.
                      6) The company's first attorney goofed and did not follow proper legal procedure in handling the emails.

                      Personally, I think anything done on the company's time while using the company's network and computers IS the company's business. But from a legal standpoint, I can see why the ruling turned out like it did. Point #1 was not stressed as one of the major points of the case, but it is one of the more valid points made. Point #3, as mentioned by others, is the major hinge on which this case turned. Point #4 is subjective, and I do not agree with the court on points 4 or 5 in the least.

                      As Thorn noted, the court's lack of understanding of the underlying technology is another reason this case turned out like it did. Additionally, if you read through the judges' opinions, it looks like they basically had it in for this company from the beginning.
                      "Why is it drug addicts and computer afficionados are both called users? " - Clifford Stoll

                      Comment


                      • #12
                        Re: Court rules against employer reading an employee's personal email

                        Originally posted by streaker69 View Post
                        ...Our AUP here has it listed that no employee may use an unapproved internet connection on a company computer. If they want to use it, they'd need to supply their own computer and do it on their own time during a break.
                        Exactly. An unapproved internet connection on a company machine is flat out asking for trouble. I was mainly referring to smartphones, but many laptops these days are coming with built in 3g capabilities, and the 3g aircard bit was assuming it was to be used on the hypothetical employee's own laptop. And like I said, use of these devices on company time is a good way to get the boss crawling down your throat.

                        I'm inclined to agree with g3k_ here. This ruling doesn't really set any precedent for some jagoff browsing craigslist or something on a company network to sue his employer. Bottom line is that you need to treat your confidential transmissions as just that and take steps to ensure that confidentiality as much as possible. Checking your personal email on someone else's machine or network is not the way to keep private matters private.
                        "You have cubed asscheeks?"... "Do you not?"

                        Comment


                        • #13
                          Re: Court rules against employer reading an employee's personal email

                          Originally posted by streaker69 View Post
                          I suspect, even though I haven't read anything about this case, is that the contact with the guy's lawyer was probably about some dispute with his employer. So of course, a pissing match ensues.
                          Oh yeah, of course. I think that it's kind of embarrassing to the company this happened to. I'm not sure if she lost her job over this incident and thats why this lawsuit is happening, but this is a slap in their face.

                          Also, I think that part of why this is a problem is the reason she accessed her Yahoo account, which was to send company email to her lawyer about the harassment she faced at work. Depending on how their internet policy is written (which is probably poorly because of the result of this case), she probably shouldn't of transmitted it to an outside source. I think the proper procedure would have been for her lawyer to subpoena for the records. Then again, if my butt was on the line, and I knew that these emails would be used against me & had control of the system, I probably would of deleted them.
                          "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."

                          Comment


                          • #14
                            Re: Court rules against employer reading an employee's personal email

                            In a semi-related story,

                            One of the Banks I've work for had this guy, lets call him Jack. Jack downloaded porn, quite a lot of it. This was back in the days of the wild wild web (well over 10 years ago). Jack downloaded the porn at work, and CD burners just came out and he had one on his workstation. Jack decided to burn the porn onto CDs, sell the disks to his co-workers, and keep a client list on his machine. One day word gets out to the "wrong" people he's been doing this, and they fire him. Jack insists that the porn is his property, and takes the bank to court. Of course they ruled against jack, but I felt this was a related story you guys might enjoy reading (even though it's not about attorney-client privileges).

                            Comment


                            • #15
                              Re: Court rules against employer reading an employee's personal email

                              Originally posted by SHA-hi View Post
                              In a semi-related story,

                              One of the Banks I've work for had this guy, lets call him Jack. Jack downloaded porn, quite a lot of it...
                              "Jack", Do you still have the porn?
                              "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

                              Comment

                              Working...
                              X