The article quotes the key passage from the court’s decision:

“The DOJ maintains a policy that does not ban personal use of the company email. Although the DOJ does have access to personal emails sent through this account, Mr. Tukel was unaware that they would be regularly accessing and saving emails sent from his account. Because his expectations were reasonable, Mr. Tukel’s private emails will remain protected by the attorney-client privilege,” wrote Chief Judge Royce Lamberth.

This decision highlights a point often emphasized by employment lawyers — it is the language of the employer’s policy that will often determine whether an employee had a reasonable expectation of privacy in an employer’s communications systems (whether it be email, voicemail, internet usage, etc.).

We are confident that this issue will be the subject of more litigation, particularly given that the U.S. Supreme Court has agreed to hear a case involving the privacy of text messages by a public employee.  The Business Insider has the story here.

The case is Pietrylo v. Hillstone Restaurant Group.  The court’s opinion on post-trial motions can be read here.  The jury verdict form is here.

The punch line?  More after the break.

Pietrylo was a server at Houston’s Restaurant in New Jersey, and he created a MySpace account entitled the “Spec-Tator” as a private place to vent about working at Houston’s.  Pietrylo invited other Houston employees, including Marino, to become members of the group and post comments related to the restaurant’s policies and management.  One of those employees showed the page to a Houston’s manager.  Other managers soon learned of the site, and one of those managers asked the employee for her password to access the site.  The employee acceded, stating that she did so because she was afraid of the consequences of not complying.  The manager then proceeded to access the site numerous times and printed out copies of the page contents.  The site contained various jokes and sexual remarks concerning Houston’s management and customers, as well as references to violence and drug use.  Pietrylo and Marino were subsequently terminated.

Pietrylo and Marino sued Houston’s, alleging violations of state and federal wiretapping laws, the state and federal Stored Communications Act, wrongful termination, and invasion of privacy.  The plaintiffs then voluntarily dismissed the wiretapping claims.  After a week-long jury trial, a verdict was rendered in favor of the plaintiffs on the Stored Communications Act claims.  The Act prohibits the intentional access of stored communications without authorization or in excess of authorization.  The jury found that Houston’s had “knowingly or intentionally or purposefully” accessed the MySpace account without authorization.  The jury also found that Houston’s acted with malice, supporting a punitive damages award.  The jury did not, however, find that Houston’s had invaded the plaintiffs’ right of privacy, which required a finding that the Spec-Tator was a “place of solitude and seclusion which was designed to protect the Plaintiffs’ private affairs and concerns.”

So what is the punch line?  On July 21, 2009, the plaintiffs’ filed a motion for attorneys’ fees, currently pending before the court, in the amount of $123,270.

The court’s conclusion and final order reads as follows: 

In conclusion, we reverse the order under review and remand for the entry of an order requiring the turnover of all emails exchanged by plaintiff and her attorney that are now in possession of either the company, the company’s attorneys, or their agents or employees. The order should also direct the deletion of all these emails from any computer hard drives upon which they were stored. We also remand for a hearing to determine whether Sills Cummis should be disqualified from further representing the company; that hearing is to be conducted by the Chancery judge in the related case. Discovery is stayed in this action pending a resolution of the disqualification issue.

The Virginia Lawyer magazine had an article on the topic here.  The Virginia Supreme Court briefly addressed the issue in Banks v. Mario Indus., which can be found here.  The relevant portion of that decision is as follows:

Pursuant to Mario’s employee handbook, Mario permitted employees to use their work computers for personal business.  However, Mario’s employee handbook provided that there was no expectation of privacy regarding Mario’s computers. Cook created the pre-resignation memorandum on a work computer located at Mario’s office. Cook printed the document from this computer, and Cook sent it to his attorney for the purposes of seeking legal advice. Cook then deleted the document from the computer. Mario’s forensic computer expert, however, retrieved the document from the computer’s hard drive. We held in Clagett v. Commonwealth, 252 Va. 79, 92, 472 S.E.2d 263, 270 (1996), that “the [attorney-client] privilege is waived where the communication takes place under circumstances such that persons outside the privilege can overhear what is said.” See Edwards, 235 Va. at 509, 370 S.E.2d at 301 (“The privilege may be expressly waived by the client, or a waiver may be implied from the client’s conduct.”). Therefore, we hold that the trial court did not err in admitting the pre-resignation memorandum into evidence.

These two decisions illustrate the risks on both sides of the equation in sending privileged emails from an employer’s computer and attempting to use those emails in subsequent litigation.

The article discusses the many legal implications of monitoring electronic communications using spyware, GPS devices, video surveillance and accessing emails without authorization, which are not only family law issues but come up frequently in the workplace.

The article was written by Sharon Nelson and John Simek of Sensei Enterprises, Inc. (website), who also author the “Ride the Lightning Electronic Evidence Blog” (here).

Under the Act, Maryland businesses have two noteworthy obligations.  First, businesses must implement and maintain reasonable security procedures and practices to protect personal information it owns or licenses.  Second, businesses must notify state residents of any data breaches related to their computerized personal information.  This requirement is triggered when, after promptly conducting a reasonable investigation, the business determines that a misuse of the individual’s personal information has occured, or is reasonably likely to occur as a result of the breach.

Personal information is defined as an individual’s first name, or first initial and last name, in combination with his/her social security number, driver’s license number, individual tax ID number, or financial account number (including credit or debit cards), which together with password or security information would permit access to the account.  Information is not “personal information,” however, if it is encrypted, redacted or otherwise protected to render the information unreadable or unusable.

Maryland businesses will also have to ensure certain outside service providers maintain security procedures and practices to protect personal information as well.  Maryland businesses that use third parties to perform services, and disclose personal information about a Maryland resident to the third party, must include express provisions in the third-party services agreement that require the third party to implement and maintain reasonable security procedures and practices that are appropriate under the circumstances and are designed to protect the personal information from unauthorized use, access, modification, disclosure or destruction.  This provision of the Act is applicable to service contracts entered into beginning January 1, 2009.

Violations of the Maryland Personal Information Protection Act are considered unfair or deceptive trade practices.  Private lawsuits to enforce violations are available under Maryland law for such violations, including awards of attorneys’ fees.

(Contributed by Michael K. Wilson, Welter Law Firm, P.C.)

Checking out job applicants on the internet can have a number of legal implications, depending on how the information is used.  Different lawyers have different opinions about the legality of this practice.  See here, here and here.  As many articles note, it is very difficult to prove a case of discrimination in hiring.  An invasion of privacy claim based on information posted on the internet would also be a long shot.  In some states, however, it is unlawful to discriminate against an employee for lawful away-from-work activities or the use of lawful products while off-duty.  (See, e.g., New York Labor Law § 201-d; California Labor Code § 96(k); ND CC § 14-02.4-03; WI Stat. § 111.321; CO Rev. Stat. § 24-34-102.5).  In these states, greater attention should be paid to the use of social networking sites, blogs, or websites as applicant screening tools.

Hiring discrimination claims are probably a red herring.  The potential risk is that an employee with a different discrimination claim (such as failure to promote or termination) would use evidence of discriminatory practices by the supervisor in hiring (for example, the screening out of applicants by race or sex) to help prove their claim.  Such evidence might be admissible to show bias by the supervisor. 

A similar issue is currently before the U.S. Supreme Court.  The Court will be hearing oral arguments on December 3 in a case involving “me too” evidence (evidence of co-workers who claim they were discriminated against).  Sprint/United Management Co. v. Mendelsohn, No. 06-1221 (U.S. S.Ct.) (Law.com)  Perhaps the Mendelsohn case will indirectly provide employers with some guidance on the implications of unrestricted use of social networking sites in the hiring process.

As an aside, the Virginia Supreme Court recently held that an employee’s use of his computer at work to send emails to his attorney waived the attorney client privilege as to those emails.  Perhaps just another timely reminder that there is very little privacy in the information age.