Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2010-10-01 08:55:02Format, images and links may no longer function correctly. While reviewing this morning’s eDJ web findings, I came across a good case analysis by K&L Gates regarding a privilege waiver issue in DeGeer v. Gillis, 2010 WL 3732132 (N.D. Ill. Sept. 17, 2010). The actual opinion seems to only be available through Westlaw at this time, but the analysis of the fact pattern and findings are worth a read. An eDiscovery consulting firm employee used his work computer to send privileged email to his own counsel. These emails were later produced in the computer image and the subject of the waiver dispute. The decision pivoted on the question of how the employer interpreted their computer usage policy. This particular case highlights the inherent conflict between the U.S. corporate usage policies and employee privacy.
Most U.S. corporations and governmental agencies start with the presumption that anything created on business assets by an employee is corporate property. This is in direct conflict with the privacy protections that dominate the EU and other countries. See the 2010 Data Privacy Map from Privacy International below. The concerns over data privacy have even created specialized discovery service offerings such as the recent announcement from FTI of their packaged, onsite FTI Investigate™ offering. Before you say, “But the laws in Belgium have no bearing here!”, consider the global nature of corporations, email, IM and other social networks. The June Supreme Court decision City of Ontario v. Quon No. 08-1332 Supreme Court of United States(Quon v. Arch Wireless) upheld the status quo on the expectation of privacy in the workplace, but we are slowly moving toward a recognition that employees do not just abandon all rights or privacies when they clock in.
Data Protection Laws - www.privacyinternational.org
I have had GCs and CIOs show me there draconian policies banning all personal email, calls, etc by employees. Many felt that the total ban on any kind of personal use covered the company. My next question is, “So how do you monitor and enforce compliance?” When we dig down into the reality of corporate life, we usually find a tacit acceptance that employees will use webmail, IM and other social network systems while at work. Here is a good example of a generic computer usage policy from the Texas Workforce Commission that tries to address this reality with an “excessive use” clause.
Coming back to the DeGeer case, the court spelled out a five factor test on privilege waiver that provides some good pointers when developing an overall corporate privacy policy. “(1) does the employer maintain a policy banning personal use of e-mails; (2) does the employer monitor the use of its computer or e-mail; (3) does the employer have access to the computer or e-mails; (4) did the employer notify the employee about these policies; and (5) how did the employer interpret its computer usage policy?”
The overall tests spell out an overall approach to employee computer usage:
- Create a policy
- Effectively communicate that policy to employees
- Implement compliance monitoring that demonstrates reasonable effort to prevent systematic non-compliance
- Maintain access and custody of computer assets (think hard about mobile devices)
- Reality check the policy intent against ongoing practices
No one wants to work for a company that expects you to abandon your personal life just because you clocked in. Many non-exempt and on-call employees take work home with them every day. There has to be a balance between the corporate risk/cost and employee privacy. That judgment falls on corporate counsel and HR executives. You want to tackle this before it comes up in a discovery dispute. Just remember that policy without enforcement and compliance is not worth the paper it was printed on.