A Blow to Client-Attorney Privilege in the Cybersecurity Arena
August 15th, 2011
In a recent ruling, the Third Appellate District Court (Sacramento) agreed 3-0 to uphold a previous decision against the plaintiff in a lower court case, Gina M. Holmes, who sued her employer after she quit her job after she said her employee had become hostile towards her after she told him she was pregnant shortly after she started the job. Holmes claimed that she had been subject to sexual harassment, retaliation, wrongful termination, violation of her right to privacy, and intentional infliction of emotional distress as the result of her bosses’ actions, She sent email messages that contained private information about her to her attorney using the company’s mail system, even though the company’s acceptable use policy forbade use of this mail system for personal reasons. Her employer, the Petrovich Development Company, captured the messages and used them in court as evidence that she had not experienced emotional distress. The ruling of the lower court was in favor of the employer, even though Holmes’ lawyer argued that the email messages were not admissible as evidence because of client-attorney privilege.
Before you think that the Third Appellate District Court ruling will set a clear precedent in future cases of this nature, you might recall an appellate court ruling in New Jersey almost exactly ten months ago. Marina Stengart, an ex-employee of the Loving Care Agency, had filed a lawsuit against this corporation. Realizing that she was soon to be fired, she had begun exploring the process of initiating the lawsuit while she was still an employee. Using her employer’s computer and email system, she corresponded with the lawyer she eventually hired. Loving Care captured email messages sent between Stengart and her lawyer and attempted to use them as evidence in the ensuing court case. The defense asserted that evidence obtained from Stengart should be admissible because she had been forbidden to use company email for personal purposes and had also been cautioned that whatever she did while she used Loving Care’s computing systems would be monitored and subject to inspection. Her lawyer countered that the content of her messages could not be read by Loving Care employees because of client-attorney privileges. Loving Care prevailed in the original trial, but Stengart won the appeal. Interestingly, the New Jersey Supreme Court ruling, like the recent Third Appellate District Court ruling, was unanimous, even though the rulings were diametrically opposed.
Rulings outside of the computing usage arena have almost always favored the protection of client-attorney privileges over the years. This is why the Stengart ruling caught my attention to the degree that it did. The more recent Holmes ruling is a blow to client-attorney privileges for computer usage cases in favor of supporting the precedence of agreed upon terms of usage. If an employer directs employees not to engage in certain actions in connection with the organization’s computing systems, but an employee ignores this direction, the employee may forfeit certain expected protections. This points once again to the critical importance of having a well thought out, carefully crafted acceptable use policy that is communicated adequately to and signed off by users. Such a policy at least gives an employer a leg to stand on, so to speak, if a court case involving wayward actions by a computing system user occurs.
The fact that two different higher-level courts have ruled so differently on the same issue is a sure sign that client-attorney privilege with respect to use of computing systems will go to the U.S. Supreme Court before too long. Those of us who are information security professionals will be waiting for the ruling with baited breath, so to speak.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.