It was recently reported that Harvard University took it upon itself to view the work emails of 16 residential deans as part of its investigation into a cheating scandal. The level of outrage at Harvard’s investigation that this may conjure will depend entirely on the extent to which you believe employees have an expectation of privacy in a corporate email account.
According to U.S. v. Finazzo (E.D.N.Y. 2/19/13), employees not only enjoy no such expectation of privacy, but they may also waive their attorney client privilege in communicating through such corporate email account, provided that the right language is used in the corporate email policy.
In Finazzo, the U.S. government alleged that Christopher Finazzo, an executive at the clothing retailer Aéropostale, received illegal kickbacks from transactions between his employer and one of its vendors. During an unrelated internal investigation, Aéropostale discovered an email in Finazzo’s Aéropostale email account between him and his personal attorney. That email contained a list of Finazzo’s personal assets, which included several companies he co-owned with the vendor from whom he received the illegal kickbacks.
In his subsequent federal criminal trial, Finazzo attempted to block the government from using that email against him. The trial court denied his motion, holding that he had no expectation of privacy in his work email account.
In reaching this conclusion, the federal court relied upon Aéropostale’s email policies, which stated:
Except for limited and reasonable personal use (e.g., occasional personal phone calls or e-mails), Company Systems should be used for Company business only. Any limited exceptions to this rule must be approved through the IT department. Under no circumstances may Company Systems be used for personal gain or profit; solicitations for commercial ventures; religious or political issues; or outside organizations. Company Systems may not be used to distribute chain letters or copyrighted or otherwise protected materials….
You should have no expectation of privacy when using Company Systems. The Company may monitor, access, delete or disclose all use of the Company Systems, including e-mail, web sites visited, material downloaded or uploaded and the amount of time spent on-line, at any time without notification or your consent.
The court concluded that Aéropostale’s policy, and Finazzo’s knowledge of it, disposed of any claim that the email exchange with the personal attorney was private and therefore privileged:
Finazzo has no reasonable expectation of privacy or confidentiality in any communications he made through his Aéropostale e-mail account. Aéropostale had a clear and long-consistent policy of limiting an employee’s personal use of its systems, reserving its right to monitor an employee’s usage of the system, and making abundantly clear to its employees, including Finazzo, that they had no right to privacy when using them.
As this decision makes clear, the language used in the workplace email policy will be the overriding factor in determining the expectation of privacy that an employee may rely upon when claiming privacy rights in communications transmitted through workplace email accounts, and presumably on workplace cell phones, as well. As such, it is critical that an employee not only know and understand their employer’s policy, but also keep that in mind when using and offering their workplace email account for private communications. From an employer standpoint, it would be wise to: (1) warn employees that they have no expectation of privacy in corporate emails or in their use of corporate systems; (2) ban personal use of corporate systems or email, or limit such personal use to what is reasonable and occasional; and (3) reserve the right of the company to monitor employee use of its systems, including emails.