Emails sent through Yahoo account using work computer protected under attorney-client privilege

The New Jersey supreme court has held that emails an employee sent to her lawyer using her company-issued computer and a personal Yahoo account are protected by the attorney-client privilege.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

Lawsuit against state officials for privacy violation moves forward

Welch v. Theodorides-Bustle, — F.Supp.2d —, 2010 WL 22365 (N.D. Fla., January 5, 2010)

Plaintiff sued the Florida Department of Highway Safety and Motor Vehicles and a number of state officials for violation of the federal Driver’s Privacy Protection Act, 18 USC §2721-25. Plaintiff claimed that the defendants turned over a large amount of protected personal information to a private party, and that that party then further disclosed the information to another entity that published the information on the web.

Florida driver

As a result, the personal information of a number of Florida drivers became available for viewing online by anyone.

The defendants moved to dismiss the suit for failure to state a claim. The court denied the motion.

There is an exception to the Driver’s Privacy Protection Act’s prohibition on disclosure of personal information when the disclosure is made by a government agency “in carrying out [the agency’s] functions.” The defendants did not deny that their conduct would violate the Act, but argued that the exception applied. The defendants essentially argued that the mere fact that the disclosure was made by a governmental entity made the disclosure to be automatically carried out in connection with that agency’s function.

The court rejected this ipse dixit assertion, holding that disclosure by a government agency being treated as automatically protected would accordingly make any violation of the Act by the government impossible.

Similarly, the court rejected the defendants’ argument that language in the contract with the entity to which the information had been provided rendered the disclosure proper. The receiving entity promised to use the information only for a proper purpose. But the self-serving recitals in that agreement, without specifying in detail what a proper purpose would be, would not bind third parties.

Alligator car photo courtesy Flickr user jeffdhartman under this Creative Commons license.

Death scene photos posted on the web did not subject coroner to liability

Werner v. County of Northampton, 2009 WL 3471188 (3rd Cir. October 29, 2009) (Not selected for official publication).

Plaintiff’s son died in the family home. No one seems to know for sure whether it was an accident or suicide. Even Plaintiff gave conflicting statements to the court — in his complaint he said it was not suicide, but in a later-filed brief he said it was.

Do not cross this line and I mean it.

In any event, on the day the son died, the coroner came to the house to take pictures. Somehow the coroner’s son got a hold of the photos and posted them on the web with a caption “There is no better way to kill yourself.”

Plaintiff sued the coroner under 28 U.S.C. 1983 which, among other things, gives citizens a cause of action when their rights are violated by someone acting under the law. Plaintiff claimed the coroner committed a due process violation of Plaintiff’s liberty interests in his reputation by allowing the photos to be posted.

To succeed on his liberty interest claim, Plaintiff was required to satisfy the “stigma plus” test. The district court dismissed the complaint, finding Plaintiff’s allegations did not meet this standard.

A statement that is “stigmatizing” under this test must be (1) made publicly, and (2) false. In this cause, the court found that the death scene photos were the relevant statement. But there were no allegations in the complaint that the photos themselves were “false.” (What the court was probably saying here is that the photos had not been Photoshopped or otherwise changed in a way to make them not accurately portray the scene.)

The court made a fine distinction in the process of dismissing the case. In response to the motion to dismiss, Plaintiff argued that the thrust of his argument was that the website falsely suggested his son committed suicide. But the court found otherwise, carefully looking at the allegations of the complaint which, for example, said that the photos “fueled the false impression that the Plaintiff’s son committed suicide.”

There were no allegations that the photos themselves were the false statements. But what about the caption, “[t]here is no better way to kill yourself,” you ask? Though the opinion does not address this point, one is left to conclude that that language could not be attributed to the defendant coroner, since it was his son that posted the photos, and not himself.

Photo courtesy Flickr user Fabio Beretta under this Creative Commons license.

Email snooping can be intrusion upon seclusion

Analysis could also affect liability of enterprises using cloud computing technologies.

Steinbach v. Village of Forest Park, No. 06-4215, 2009 WL 2605283 (N.D. Ill. Aug. 25, 2009)

Local elected official Steinbach had an email account that was issued by the municipality. Third party Hostway provided the technology for the account. Steinbach logged in to her Hostway webmail account and noticed eleven messages from constituents had been forwarded by someone else to her political rival.

Steinbach sued the municipality, her political rival and an IT professional employed by the municipality. She brought numerous claims, including violation of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. She also brought a claim under Illinois common law for intrusion upon seclusion, and the court’s treatment of this claim is of particular interest.

The defendant IT professional moved to dismiss the intrusion upon seclusion claim under Fed. R. Civ. P. 12(b)(6)(for failure to state a claim upon which relief can be granted). The court denied the motion.

The court looked to the case of Busse v. Motorola, Inc., 813 N.E.2d 1013 (Ill.App. 1st. Dist. 2004) for the elements of the tort of intrusion upon seclusion. These elements are:

  • defendant committed an unauthorized prying into the plaintiff’s seclusion;
  • the intrusion would be highly offensive to the reasonable person;
  • the matter intruded upon was private; and
  • the intrusion caused the plaintiff to suffer.

The defendant presented three arguments as to why the claim should fail, but the court rejected each of these. First, the defendant argued that the facts allegedly intruded upon were not inherently private facts such as plaintiff’s financial, medical or sexual life, or otherwise of an intimate personal nature. Whether the emails were actually private, the court held, was a matter of fact that could not be determined at the motion to dismiss stage. Plaintiff’s claim that emails from her constituents were private was not unreasonable.

The defendant next argued that Steinbach had not kept the facts in the email messages private. But the court soundly rejected this argument, stating that the defendant failed to explain how Steinbach displayed anything openly. Plaintiff asserted that she had an expectation of privacy in her email, and defendant cited no authority to the contrary.

Finally, the defendant argued that the intrusion was authorized, looking to language in the Federal Wiretap Act and the Stored Communications Act that states there is no violation when the provider of an electronic communication services intercepts or accesses the information. The court rejected this argument, finding that even though the municipality provided the email address to Steinbach, Hostway was the actual provider. The alleged invasion, therefore, was not authorized by statute.

The court’s analysis on this third point could have broader implications as more companies turn to cloud computing services rather than hosting those services in-house. In situations where an employer with an in-house provided system has no policy getting the employee’s consent to employer access to electronic communications on the system, the employer – as provider of the system – could plausibly argue that such access would be authorized nonetheless. But with the job of providing the services being delegated to a third party, as in the case of a cloud-hosted technology, the scope of this exclusion from liability is narrowed.

Email ribbon photo courtesy Flickr user Mzelle Biscotte under this Creative Commons License

Scope of Electronic Communications Privacy Act may not be so narrow

Brahmana v. Lembo, No. 09-106, 2009 WL 1424438 (N.D. Cal. May 20, 2009)

Plaintiff former employee Brahmana sued his former employer Cyberdata, claiming that Cyberdata violated the Electronic Communications Privacy Act (at 18 U.S.C. 2511) (&#147ECPA&#148). Brahmana claimed that Cyberdata used a keylogger to intercept the username and password for Brahmana’s personal email account.

Cyberdata moved to dismiss the claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court denied the motion, finding that the determination of whether there was a violation of the ECPA would best be made after discovery.

The ECPA makes it unlawful for any person to intentionally intercept, among other things, any “electronic communication.” An “electronic communication” is defined in the ECPA as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce.”

An important question in this case was whether the keystrokes allegedly captured by the keylogging device met this definition of electronic communication.

An earlier case from another district (United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)) held that keystrokes gathered by a hardware keylogger attached between a computer’s keyboard and central processing unit were not electronic communications because the system transmitting the information did not affect interstate commerce.

But another case questioned that opinion’s holding, finding that though the keystrokes themselves did not travel in interstate commerce, they did “affect interstate commerce” and therefore fell within the ECPA’s definition.

This court avoided ruling on the legal question of whether intercepting electronic data being transmitted from one piece of local hardware to another might be an electronic communication as defined by the ECPA. One must remember that a Rule 12(b)(6) motion merely tests the sufficiency of the pleadings. The court does not consider evidence at that stage, but merely tests whether the facts alleged by the plaintiff could plausibly support the legal claim.

In this case, the court found that Brahmana’s allegations did not specify whether the particular means of monitoring affected interstate commerce, but were sufficient to render plausible the claim that communications were monitored in some way. “The issue of how any alleged monitoring took place,” the court found, “and whether it allegedly affected interstate commerce is better resolved after some discovery.”

The case instructs us that this court is not willing to read the definition of “electronic communication” as narrowly as the court did in Ropp. No doubt there will be some interesting evidence produced in discovery that shows how the keystrokes were allegedly intercepted. But at least we know at this early stage in the litigation that the court will consider whether the transmission of electronic data within a system — and not crossing state lines — may still affect interstate commerce.

I-Spy photo courtesy Flickr user Leo Reynolds under this Creative Commons license.

Court allows Wal-Mart to subpoena Facebook and MySpace

Ledbetter v. Wal-Mart Stores, Inc., 2009 WL 1067018 (D.Colo. April 21, 2009)

A couple of electricians were severely burned when the electrical system they were working on in an Aurora, Colorado Wal-Mart shorted out. They sued Wal-Mart over their injuries. One of the plaintiffs’ wives brought a claim for loss of consortium.

During discovery, Wal-Mart sent subpoenas to Facebook, MySpace and Meetup.com seeking information about the plaintiffs. The plaintiffs filed a motion for protective order which would have prevented the social networking sites from providing the requested information. The plaintiffs claimed that the information should be protected by the physician-patient privilege or, as for the loss of consortium claim, the spousal privilege. The court denied the motion and allowed the subpoenas.

The court held that an earlier protective order entered in the case (to which the parties had agreed) protected the confidentiality of the information. And the plaintiffs had put the purported confidential facts, i.e., the extent of the injuries and the nature of the consortium, at issue by bringing the suit. Moreover, the information sought by the subpoenas was reasonably calculated to lead to the discovery of admissible evidence and was relevant to the issues in the case.

It’s worth noting that the court might have had other reasons to deny the motion for protective order that it did not mention. A privilege of confidentiality is usually destroyed when it is disclosed to a third party. How could information on Facebook or MySpace still be secret? Unless Wal-Mart was only seeking private messages sent either between the spouses or one of the plaintiffs and a doctor, it would seem that most everything these sites would have would not be confidential in the first place.

Shame on you, Facebook, for overreaching

Facebook, I hereby grant to you an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use the following content: “Go jump in a lake.”

The past few days people have been talking about how scandalous it is that Facebook changed its terms of service to grab up a very broad license in content its users upload. I’m sure that Facebook is counting on this controversy to go wherever it is that memes go to die, to be forgotten just like most controversies-du-semaine. It probably will, but as the sentiment finds itself already on the decline, I’ll comment.

Here’s what the offending section of the Facebook terms of service now says, in relevant part:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses.

I was pretty peeved when I learned that Facebook had modified its terms to get a broader license. But I was even more peeved when I read founder Mark Zuckerburg’s blog post from yesterday which tried to justify the changes. Of course Facebook must make sure it has the rights it needs in order to “show [users’ content and information] to the other people they’ve asked [it] to share it with.” But isn’t the right to share that content inherent in the very “asking”? Why be grabby?

Facebook is being content greedy. It’s commandeering more than it needs to run the service. An example Zuckerburg uses in the post concerns the text of a messages sent between friends. If one user deactivates his or her account, a copy of each message will still exist in the other friend’s inbox. Fine. I see the point. So get a license to store and display a copy of private messages. There’s no problem with that.

The bigger rub comes with photos and video users upload. Why does Facebook need a perpetual license for that? I don’t see any reason, whether from a technological or other practical standpoint, why photos and video could not or should not be deleted — and the license to Facebook terminated — when a user deactivates his or her account. YouTube doesn’t demand a license for content after it has been taken down by a user.

Zuckerburg’s post contains the following interesting statement: “In reality, we wouldn’t share your information in a way you wouldn’t want.” Okay Mark, let’s talk about reality. I don’t want you using information about me, like my name, for commercial purposes. That’s reality. Why then do you demand to have the right to use my name and other information for commercial purposes? Are you suggesting that the terms of service as now written don’t reflect reality? I know they were written by lawyers, but surely your legal counsel can’t be that removed from the real world.

I like Facebook, and through it I have reconnected with old friends and made some new ones. But those connections are what’s important, not the intermediary. I may delete my photos off of there but I’ll probably keep using it, at least for now. But I’ll likely post less content. Shame on you, Facebook, and shame on you Mark Zuckerburg, for putting up a post just filled with platitudes, all while ignoring the fact there’s no reason for your new overreaching. That kind of stunt will invigorate those who want an alternative to Facebook, and will accellerate the process of making Facebook tomorrow’s Friendster.

Greedy photo courtesy Flickr user Gribiche under this Creative Commons license.

Expedited electronic discovery includes subpoena to ISP and imaging of defendants’ hard drives

Allcare Dental Management, LLC v. Zrinyi, No. 08-407, 2008 WL 4649131 (D. Idaho October 20, 2008)

Plaintiffs filed a defamation lawsuit against some known defendants as well as some anonymous John Doe defendants in federal court over statements posted to Complaintsboard.com. The plaintiffs did not know the names or contact information of the Doe defendants, so they needed to get that information from the Does’ Internet service provider.  But the ISP would not turn that information over without a subpoena because of the restrictions of the Cable Communications Policy Act, 47 U.S.C. § 501 et seq. [More on the CCPA.]

Under Federal Rule of Civil Procedure 26(d)(1), a party generally may not seek discovery in a case until the parties have had a Rule 26(f) conference to discuss such things as discovery. Because of the Rule 26(d)(1) requirement, the plaintiffs found themselves in a catch-22 of sorts: how could they know with whom to have the Rule 26(f) conference if they did not know the defendants’ identity.

So the plaintiffs’ filed a motion with the court to allow a subpoena to issue to the ISP prior to the Rule 26(f) conference. Finding that there was good cause for the expedited discovery, the court granted the motion. It found that the subpoena was needed to ascertain the identities of the unknown defendants. [More on Doe subpoenas.] Furthermore, it was important to act sooner than later, because ISPs retain data for only a limited time.

The Plaintiffs also contended that that the known defendants would likely delete relevant information from their computer hard drives before the parties could engage in the ordinary process of discovery. So the plaintiffs’ motion also sought an order requiring the known defendants to turn over their computers to have their hard drives copied.

The court granted this part of the motion as well, ordering the known defendants to turn their computers over to the plaintiffs’ retained forensics professional immediately. The forensics professional was to make the copies of the hard drives and place those copies with the court clerk, not to be accessed or reviewed until stipulation of the parties or further order from the court.

Anonymous defendants to be unmasked in Computer Fraud and Abuse Act case

Kimberlite Corp. v. Does 1-20, No. 08-2147, 2008 WL 2264485 (N.D. Cal. June 2, 2008)

Plaintiff Kimberlite sued a number of anonymous John Doe defendants after it learned that its network and email system had been unlawfully accessed. A few days after filing suit for violation of the Computer Fraud and Abuse Act (CFAA) and trespass to chattels under state law, Kimberlite served a subpoena on AT&T, the owner of the IP address from which the unauthorized access originated, seeking to discover who was responsible.

One of the John Doe defendants, pro se, wrote a letter to the court which the court treated as a motion to quash the subpoena. The court denied the motion.

Doe argued that Kimberlite had failed to state a claim under the CFAA. The court rejected that argument, observing that Kimberlite had adequately alleged and had provided preliminary evidence of a CFAA violation. (Doe had not challenged the sufficiency of the trespass to chattels claim.) Kimberlite’s computers were “protected” computers under the CFAA because they were used in interstate and foreign commerce. They were password protected and accessed without authorization by someone from the subject IP address. Kimberlite succeeded in alleging the threshold amount of CFAA damages ($5,000) through an employee declaration describing over 100 hours of investigation and repair following the intrusions.

Doe also argued that Kimberlite had not demonstrated a need to obtain the information that outweighed Doe’s privacy rights under the Cable Communication Policy Act (CCPA). That act prohibits cable operators from disclosing subscriber information unless certain criteria are met.

The court rejected the CCPA argument first by expressing serious doubt that AT&T, as an Internet service provider was a “cable operator” and thus subject to the CCPA. Even if the CCPA did apply, the court found Kimberlite had demonstrated a compelling need for the information sought. It had adequately set forth a cause of action, so discovery of the anonymous parties was proper.

Employee text messages covered under Stored Communications Act and Fourth Amendment

Quon v. Arch Wireless Operating Co., Inc., — F.3d —-, 2008 WL 2440559 (9th Cir. June 18, 2008)

Sergeant Quon’s employer, the City of Ontario, California Police Department, issued him a pager with which he could send and receive text messages. Copies of text messages sent and received using the pager were archived on Arch Wireless’s computer server. The City’s agreement with Arch Wireless allowed for each user to send up to 25,000 characters’ worth of messages a month.

The police department required any employee who went over that monthly limit to pay the overage charges. Quon went over that limit several times and paid the extra fees. After awhile, the department started to investigate Quon, ostensibly to see whether the department should seek to raise the 25,000 monthly character limit. Quon’s supervisor had told him that the department would not review the contents of the messages if he continued to pay for the overages.

But the department acquired transcripts of the messages anyway. Quon sued, alleging violations of the Stored Communications Act, 18 U.S.C. §§2701-2711 (SCA) and the Fourth Amendment.

The district court awarded summary judgment to the defendants on the SCA claim, finding that Arch Wireless was a “remote computing service” as defined by the SCA, and thus it was appropriate for Arch Wireless to turn over the contents of the messages to the police department as a “subscriber” to the service.

On the defendants’ summary judgment motion on the Fourth Amendment claim, the district court determined that Quon had a reasonable expectation of privacy, but that the question of whether the search of the contents of the messages by the police chief was reasonable should be heard by a jury. That jury found that the search was reasonable because it was to determine the efficacy of the 25,000 character limit (i.e., to determine whether work-related reasons warranted upgrading).

Quon sought review of both the SCA and Fourth Amendment issues with the Ninth Circuit. On appeal, the court reversed the lower court’s holding that the SCA was not violated. As for the Fourth Amendment claim, the appellate court held that the search by the police chief was unreasonable as a matter of law, and that the question should not have even made it to the jury.

On the SCA claim, the court looked to the plain meaning of the statute as well as the legislative history from 1986 to conclude that the lower court’s determination that Arch Wireless was a remote computer service was erroneous. Arch Wireless did not provide “computer storage” nor “processing services.” Although Arch Wireless was storing the messages after transmission, the court held that that function was contemplated as one for an electronic communications service as well, which was more in line with the services Arch Wireless provided. So when Arch Wireless turned over the contents of the messages to the police department, which was merely a subscriber and not “an addressee or intended recipient of such communication[s],” it violated the SCA.

On the Fourth Amendment question, the court concluded that the search was unreasonable as a matter of law because it was unreasonable in its scope. Assuming that the only reason the police chief wanted to check the efficacy of the 25,000 character limit, there would have been less intrusive ways of doing so. Quon could have been asked to count the characters himself, or could have redacted personal messages in connection with an audit.

1 2 3 5 6 7 8 9