Expectation of Privacy versus Client-Attorney Privilege
Those of us who are information security professionals have long been aware of the need for organizations to defeat users’ expectation of privacy before they use the organization’s computers and networks. Displaying a warning banner to users before they log on has become standard practice. This banner generally reads as follows:
“This computer is the sole property of and must be used for official business only. Unauthorized use is forbidden and will be punished to the full extent of the law. All user actions will be monitored. Attempting to log on constitutes user consent to be monitored.”
However, a recent ruling is causing us to rethink the meaning and impact of warning banners intended to defeat the expectation of privacy. Two years ago, Marina Stengart, a former employee of the Loving Care Agency, filed a lawsuit against this company. While still an employee, she used Loving Care’s computers to send emails back and forth to her lawyer. The company searched for and found copies of these emails and argued that, because Stengart had been warned that whatever she did while using Loving Care’s computers was subject to monitoring and was therefore not private, the company had the prerogative to retrieve, read and disclose the content of these messages. Stengart’s attorney argued that the content of these messages was protected by client-attorney privilege. Loving Care won the trial case, but the New Jersey Supreme Court reversed the ruling by a 7-0 margin. Loving Care was ordered to hand over all of Stengart’s messages in connection with her lawsuit and not to keep any of them.
The big “takeaway” from this case is that defeating users’ expectation of privacy is no magic bullet. Client-attorney privilege takes precedence over an organization’s right to collect and examine employees’ email. The big question now is whether rulings subsequent to Stengart versus Loving Care will result in other exceptions to the expectation-of-privacy rule. For example, what if an employee reveals personal information in email and IM messages while communicating with others? Even though the user has been warned that the organization’s computers are not to be used for non-business-related matters and that all use of the organization’s computers will be monitored, might a user who finds that the organization’s management keeps files containing messages of this nature successfully sue the company for invasion of privacy? At this point, of course, we do not know, but this possibility has become more probable because of the New Jersey Supreme Court’s recent ruling.
As someone who is very much concerned about the general lack of privacy rights for U.S. citizens and residents, I suppose I should be happy with the recent ruling. But I am torn—what is so bad about an organization forbidding the use of its computing systems for personal reasons and warning users not to expect privacy? All a user has to do is get a smartphone and use it to exchange personal messages to that person’s heart’s content.
Stay tuned. There will be more rulings related to expectation of privacy. Meanwhile, information security professionals need to confer with their organizations’ legal departments and go back to the proverbial starting blocks to see what can be done regarding defeating users’ expectation of privacy.