As employers in northern Nevada are well aware, with the advent of new technologies that enable faster and more efficient communications and records management, changes in the law are soon to follow. These changes and developments require employers to grapple with a wide array of privacy and records management laws. Recently, there have been two important developments in the area of employee privacy in electronic communications that affect employers, and as the law adapts to these new technologies, employers must also review their policies and adapt them to reflect new developments in the law.
First is an employee's right to privacy in personal e-mail communications on a personal, web-based e-mail account on a company computer.
Many employers have policies warning employees not to expect privacy in their personal email communications at the workplace. However, in light of a recent development in this area of the law, employers will need to reexamine these policies. Recently, the New Jersey Supreme Court found that an employee had a reasonable expectation of privacy in email communications with her attorney sent through the employee's personal, password-protected, web-based email account, but accessed on a company-owned laptop computer. While that court does not have jurisdiction over Nevada, it would be prudent to follow that court's standards until this area of law becomes more developed in Nevada.
The case of Stengart v. Loving Care Agency arose from the resignation and subsequent employment discrimination lawsuit of Marina Stengart, against her employer, Loving Care Agency, Inc. During her employment as the executive director of nursing for Loving Care, Stengart was issued a company laptop. Loving Care had a written Internet usage policy permitting occasional personal use, and warning all employees that the company reserved the right to intercept and disclose "all matters on the company's media systems," but not specifically alerting employees that Loving Care could forensically retrieve e-mails and data transmitted over an employee's personal, web-based e-mail system if sent using Loving Care's hardware. Prior to her resignation, Stengart used her work-issued laptop to e-mail her personal attorney from her password-protected web-based Yahoo email account regarding a potential suit against Loving Care.
During discovery, in an effort to preserve electronic evidence, Loving Care hired experts to create a forensic image of the hard drive from Stengart's company laptop. While reviewing the laptop's contents, Loving Care's attorneys discovered and read retrieved e-mails exchanged between Stengart and her lawyer via Stengart's personal, password- protected Yahoo account, which had been stored in the cache of temporary Internet files on the computer's hard drive. Loving Care argued that Stengart had no expectation of privacy in her e-mails with her lawyer because they were sent and received from a company-issued laptop, over the company's computer system.
The New Jersey Supreme Court held that Stengart had a reasonable expectation of privacy in e-mails sent from her personal, password-protected email account and that those e-mails were privileged from disclosure. The court also found that the employer's policy did not clearly put the employee on notice that the e-mails were company property or subject to review. The court explained that the company's policy expressly permitted occasional personal use of e-mail, but was unclear as to whether personal, password-protected, web-based e-mail accounts accessed through a company computer were covered by the company's computer policy, did not warn employees that the contents of such e-mails were stored on a hard drive and could be forensically accessed and read by the employer.
This case provides yet another example of the importance to employers of establishing clear and lawful policies relating to employees' personal use of computer systems. Employers whose policies warn employees about having a reasonable expectation of privacy in workplace communications should review their electronic communications policies. Specifically, employers should revise their policies or create new policies that address communications through web-based email accounts using company equipment.
A second issue is the Nevada statute on personal information security (NRS 603A, NRS 597.970)
While Nevada courts have not yet addressed an employee's privacy interests in private web-based e-mail, the Nevada Legislature has recognized a privacy interest preventing a business's transmittal of certain types of personal information electronically. In 2005, the Nevada Legislature enacted a statute entitled "Security of Personal Information." This statute requires any organization that collects personal data to "implement and maintain reasonable security measures to protect those records." Under the statute, "personal information" means a natural person's first name (or first initial) and last name in combination with either: their social security number, driver's license or identification card number, or account or credit/debit card number and security code. In 2008, the Legislature restricted the transfer of this personal information by electronic means.
Taken in combination, these provisions mean that businesses in Nevada cannot send personal information (of customers, employees, or anyone) outside the business's secure system, unless the business has some encryption procedure to ensure security of the information. This includes e-mails that may contain such personal information. In order to comply with Nevada's personal information security laws, businesses should restrict any information they send that is not encrypted. However, if a business encrypts their information, then no restrictions are required.
While the law in the area of electronic communications continues to develop and evolve to meet the needs of a changing technological landscape, employers should also ensure that they carefully craft and revise their policies to ensure they are up-to-date to avoid legal liability in the workplace.
Megan Starich is an attorney with McDonald Carano Wilson LLP and a member of the firm's employment and labor law group. Contact her at 788-2000 or mstarich@mcdonaldcarano.com.
