The Four Factor Test for Employee Expectation of Privacy


On May 23, in SEC v. Reserve Management Co. Inc., the U.S. District Court for the Southern District of New York ruled that an employee does not have a reasonable expectation of privacy with respect to communications with a spouse through an employer’s email system. In reaching its decision, the court used the four-part test from In re Asia Global Crossing Ltd to determine if the employee had a reasonable expectation of privacy. A key point in this analysis was the presence of, and actual notice to employees of, an email policy that both forbade personal communications and warned employees of possible disclosure of company-controlled email communications. A write-up of this outcome from the National Law Review can be viewed here.

Several cases have afforded protection to employees who may reasonably have expected privacy when using company IT systems. In Asia Global Crossing, the court set forth a four-factor test to assess the reasonableness of an employee’s privacy expectation in personal email transmitted through a corporate email system. The Asia Global Crossing test is composed of four basic questions:

  1. Does the company maintain a policy banning personal content or other objectionable use?
  2. Does the company monitor the use of the employee’s computer or email?
  3. Do third parties have a right of access to the computer or emails?
  4. Did the company notify the employee, or was the employee aware, of the use and monitoring policies?

If all four questions can be answered in the affirmative, then the employee should have no expectation of privacy.

This four-factor test has been adopted by a number of courts faced with the task of determining the reasonableness of privacy expectations. As the Reserve Management court pointed out, “the cases in this area tend to be highly fact-specific and the outcomes are largely determined by the particular policy language adopted by the employer.”

Further questions that should be considered when putting one of these policies together:

  • Does the company maintain a policy banning personal content or other objectionable use?
    • Is the policy written down?
    • How often is it updated?
    • Was the policy communicated to employees?
    • How was it communicated?
    • Can employees find it if they want to?
    • Was the policy reviewed by legal staff?
  • Does the company monitor the use of the employee’s computer or email?
    • Did the company explain to the employees that the company and other legal entities have a right to access and review employee email?
    • How was this communicated?
  • Do third parties have a right of access to the computer or emails?
    • Was this explained to all employees?
    • How was it communicated to the employees?
  • Did the company notify the employee, or was the employee aware, of the use and monitoring policies?
    • How did the company notify the employees?
    • Does the company audit the policy?
    • Does the company enforce the policy?

Some of the added question detail above highlights intent. Is the company’s intention to not allow personal communications from its employees (usually not), or is the intent to educate the employees as to their lack of privacy if they choose to utilize the corporate email system for personal use?

This review serves to remind organizations of the importance of creating well-thought-out “use policies” and training employees on them. A well-thought-out and comprehensive use policy that employees are not aware of is, in reality, not a policy. Lastly, when creating and adopting these use policies, it is always good practice to get acknowledgements from all employees as to their understanding of the use policy.
