1. NEW YORK CONNECTICUT
3 Park Avenue Four Landmark Square
New York, NY 10016 Stamford, Ct 06901
Employees’ Privacy Rights in the Digital Age
Wendi S. Lazar and Lauren E. Schwartzreich
Ten years ago employees wondered if their employers could look through their purses merely be-
cause they brought them to work. Today employees ask whether their employers own all electronic
data created, viewed or stored on their work computers and BlackBerrys.
In New York, private sector employees may have a reasonable expectation of privacy in their work
computers, cellular phones and other electronic devices. In 2001 the U.S. Court of Appeals for the
Second Circuit confirmed in Levanthal v. Knapek1 that an employee may have a reasonable expec-
Wendi S. Lazar
tation of privacy in the content of her work computer, especially where her employer maintains
an unclear technology usage policy. Since Leventhal, employers in the Second Circuit have crafted
broad and detailed technology policies aimed at draining reasonable expectations of privacy out of
employees’ work-related technology.
These policies aim to bind employees to notices stating, more or less, that (1) all electronic data
created, stored, received or sent from the employer’s electronic device or system (e.g., computer
server or third-party wireless service provider), regardless of the purpose for which it is created,
is the employer’s property; (2) the employee cannot expect such data to remain private; and (3)
the employer may monitor and obtain such data at its discretion and without further notice to the
Lauren E. Schwartzreich employee.
Although employers expect that these policies will permit unfettered access to employees’ personal electronic data, courts
are increasingly scrutinizing their enforceability. In Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp, LLC,2 the
court was incredulous of the employer’s reliance upon its policy to defend its accessing of an employee’s personal Hotmail
e-mail account. The court explained, “[i]f [an employee] had left a key to his house on the front desk at [his workplace]
one could not reasonably argue that he was giving consent to whoever found the key, to use it to enter his house and rum-
mage through his belongings.”3 It now appears in the Second Circuit that employees do not check their privacy at the door
to their workplace.
Inconsistent monitoring or enforcement of technology policies against employees may be unlawful. An employer may
not selectively enforce a technology policy against an employee who exercises workplace rights, such as engaging in union
Monitoring Internet or telephone usage may be unlawful where it is done in response to a complaint of discrimination.
For example, in Zakrzewska v. The New School,5 the court found that an employer’s covert monitoring of an employee’s
personal Internet usage after she complained of discrimination could constitute an unlawful retaliatory adverse employ-
ment action. Similarly, in Dotson v. City of Syracuse,6 the court found that an employer’s monitoring of an employee’s
telephone conversations after she had complained of discrimination was “intrusive” and might also constitute unlawful
New York Law Journal article April, 2010
2. Employees’ Privacy Rights in the Digital Age
Technology policies do not confer access to employees’ personal electronic information stored by cellular providers or on
employees’ personal online e-mail accounts, restricted-access social networking site profiles or password-protected blogs.
Federal statutes, such as the Electronic Communications Privacy Act, and its subsections the Wiretap Act7 and the Stored
Communications Act (SCA),8 provide criminal and civil penalties against employers who gain unauthorized access to
employees’ personal electronic communications and data. Employers may pay heavily for assuming that their technology
policies shield them from these laws.9
Under the Wiretap Act,10 employers may not intercept employees’ personal electronic communications (that are in trans-
mission). While employers may be liable under this act for monitoring employees’ telephone calls11 claims of unlawful
interception of e-mails are less likely to succeed under the act due to courts’ narrow construction of the “in transmission”
provision of the law.12
Employers may violate the SCA if they access employees’ personal e-mail accounts without permission. In Pure Power
Boot Camp, discussed above, the employer maintained a broad computer use policy stating that employees had no right
of personal privacy in any matter stored in or created on the company’s system, inclusive of personal e-mail accounts
accessed on the company’s system, and that computer usage was subject to monitoring without additional notice. The
employer accessed the employee’s personal Hotmail account by using the password he had saved on his computer.13 The
court found that by these actions the employer violated the SCA.
Employers may violate the SCA by accessing employees’ otherwise restricted Web sites, such as password-protected social
networking sites and chat groups. In a case out of New Jersey, Pietrylo v. Hillstone Restaurant Group,14 a district court re-
cently upheld a jury verdict finding that an employer violated the SCA where it accessed a group of employees’ password-
protected and invite-only chat forum located on the social networking site, MySpace.
Employers may also violate the SCA by accessing employees’ personal text messages via a cellular wireless provider—even
if the employer owns the phone, pays the bills and maintains the contract with the provider.
In Quon v. Arch Wireless Operating Co.,15 a decision out of the U.S. Court of Appeals for the Ninth Circuit, a wireless
provider violated the SCA by providing the employer-city with transcripts of text messages sent to and from the plaintiff-
employee’s work pager. The employer maintained a technology policy that, it argued, (1) permitted the employer to moni-
tor electronic communications, including pagers, and (2) put the employee on notice that electronic communications via
pagers were not confidential and that pagers were not for personal use.
However, the employee’s supervisor maintained an informal policy permitting personal use of pagers and also agreed not
to monitor the communications if the employee paid all service plan overage fees. After the employee exceeded the service
plan on several occasions, and even though the employee paid the overage, the employer asked the wireless provider for
transcripts of the employee’s text message communications. The wireless provider complied. Subsequently, the employer
terminated the employee citing the content of those text messages, and the employee successfully sued both his employer
(for violating his Fourth Amendment rights) and the wireless provider (for violating the SCA).
In December 2009, the U.S. Supreme Court denied cert. to the wireless provider who had appealed the Ninth Circuit’s
decision in Quon, thus confirming that entities like cellular service providers, Web-based e-mail providers and social net-
working sites risk violating the SCA if they disclose the contents of employees’ stored communications to their employer.
However, the implications of Quon are still unsettled. On Dec. 14, 2009, the Supreme Court granted certiorari to the
city-employer (arguments were heard April 19, 2010). In doing so, the Court may have set the stage for a potential shift in
employee privacy rights. The Court’s opinion may venture beyond the unique public sector issues raised in the cert petition
and touch upon private sector employees’ privacy rights. Further, the Court’s ruling (or dicta) concerning employee privacy
may influence lower courts’ analyses of privacy rights in the private sector.
At this juncture, wireless providers will undoubtedly avoid disclosure of text messages to employers without direct authori-
zation from the actual user, recipient or intended addressee, as required under the SCA.16 Thus, employers are less likely to
obtain the content of employees’ personal text messages through a wireless provider.17
New York Law Journal article April, 2010
3. Employees’ Privacy Rights in the Digital Age
Similarly, online e-mail providers and social networking sites are unlikely to disclose employees’ personal user content to
employers due to similar liability. Even where an employer compels an employee to sign a waiver, entities subject to the
SCA will likely not disclose protected content. As a result of others’ liability under the SCA, employees indirectly receive
some protection against disclosure of their stored private electronic communications.
In addition to being protected from unauthorized accessing or selective monitoring of private electronic communications
by their employers, as described above, New York employees’ communications with counsel may also receive protection
from inadvertent disclosure.
While circuits are split over whether employees waive their attorney-client privilege by communicating with counsel or
maintaining privileged content on a work computer,18 the Second Circuit would likely find no waiver where communica-
tions are via online personal e-mail accounts.19
In United States v. Hatfield,20 the court found no waiver of privilege concerning electronic communications and docu-
ments an employee maintained on his work computer. The court noted the absence of direct guidance on this issue from
the Second Circuit or the New York Court of Appeals and applied a four-factor test well-established within the district
courts21 and added its own fifth factor: (1) whether the employer maintained a policy banning personal computer use; (2)
whether the employer monitored employees’ use of computers or e-mails; (3) whether third parties had a right to access
employees’ computers or e-mails; (4) whether the employee was on notice of the use and monitoring policies and (5)
whether disclosure of the privileged information would be consistent with the employer’s interpretation of its own policy.
The employer’s broad computer use policy was problematic in several respects: it did not expressly prohibit usage for per-
sonal legal matters; it did not state that the employer will monitor computer usage; the employer did not actually monitor
computer usage; and the employer understood its policy to protect other employees’ “privileges.”22
Notably, the court found it would be “fundamentally unfair to subject [the employee] to the consequences of waiving
privilege based on a strict, theoretical interpretation of [the employer’s] Computer Usage Policy that was never imagined by
[the employer] itself and, in fact, contradicted by [the employer’s] own actions….”23
Most recently, in Stengart v. Loving Care Agency Inc.,24 the New Jersey Supreme Court issued an opinion as yet the most
important for employee privacy rights in 2010. The court affirmed an appellate court’s ruling that an employer violated its
employee’s privacy when it accessed the employee’s e-mails to and from counsel that were sent and received from a work
computer. The court confirmed that while an employer has a right to establish policies and to discipline employees who
violate them, a policy that allows an employer to read an employee’s attorney-client communication is unenforceable.
State Law Claims
Employees and their counsel may find additional privacy protections from existing state statutory and common law. Unfor-
tunately, New York does not recognize invasion of privacy claims.25 However, New York’s labor law does prohibit termina-
tion of employees based on recreational activities performed outside the workplace,26 arguably including online activities
like blogging or Twittering.
New York employees may also have claims of false light invasion of privacy (e.g., for online misrepresentations about
employees, such as statements made by managers on social networking sites like LinkedIn) or tort claims arising out of
workplace cyberstalking. It may also be possible to bring a tortious interference of contract claim against an employer
who requires an employee to disclose her password to her social networking site profile, as this act may violate her social
networking site’ service agreement27 or because the policy violates public policy concerns.
The Supreme Court’s upcoming decision in Quon will certainly give New York lawyers new parameters for understanding
and interpreting private and public sector employees’ rights to workplace privacy in the digital age. In the meantime, how-
ever, a new set of rules is already re-shaping employees’ expectation of privacy and their understanding of what electronic
communications are protected.
New York Law Journal article April, 2010
4. Employees’ Privacy Rights in the Digital Age
Wendi S. Lazar is a partner at Outten & Golden and co-chair of the firm’s executives and professionals practice group.
Lauren E. Schwartzreich is an associate at the firm and co-chair of its Electronic Discovery Committee.
1. 266 F.3d 64, 74 (2d Cir. 2001).
2. 587 F.Supp.2d 548 (SDNY 2008).
3. Id. at 561.
4. See, Guard Publishing Co. v. NLRB, 571 F.3d 53, 60 (D.C. Cir. July 7, 2009); cf. Gorzynski v. JetBlue Airways Corp., 596 F.3d 93 (2d Cir. Feb. 19,
5. 543 F.Supp.2d 185 (SDNY 2008).
6. No. 5:04-CV-1388, 2009 U.S. Dist. LEXIS 62174 (NDNY July 21, 2009).
7. 18 U.S.C. §2510, et seq. (prohibiting unauthorized interception of communications while in transmission).
8. 18 U.S.C. §2701, et seq. (prohibiting unauthorized access of stored electronic communications).
9. Under the SCA, employees may obtain an award of punitive damages where the violation was intentional, attorneys’ fees and costs, and statutory
damages with proof of actual damages. See Van Alstyne v. Electronic Scriptorium Ltd., 560 F.3d 199 (4th Cir. 2009).
10. See, 18 U.S.C. §2511(1)(a)-(b).
11. See, Hay v. Burns Cascade Co. Inc., No. 5:06-CV-0137, 2009 U.S. Dist. LEXIS 12160 (NDNY Feb. 18, 2009).
12. See, Konop v. Hawaiin Airlines Inc., 302 F.3d 868, 878-79 (9th Cir. 2002) (employer intercepted messages that were in storage, not while they
were in transmission); Steve Jackson Games Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994) (unopened e-mails on computer were not in transmis-
sion); but see United States v. Councilman, 418 F.3d 67, 85 (1st Cir. 2005) (en banc) (e-mails in “transient electronic storage” are intercepted while “in
transmission” as defined under the statute).
13. The employer further accessed his Gmail and another e-mail account through information (and the password) it obtained through the Hotmail
14. No. 06-5754, 2009 U.S. Dist. LEXIS 88702 (D. N.J. Sept. 25, 2009).
15. 529 F.3d 892 (9th Cir. 2008). Rehearing, en banc, denied, 554 F.3d 769 (9th Cir. 2009), cert. granted sub nom. City of Ontario v. Quon, 130 S. Ct.
1011 (Dec. 14, 2009) (hereafter, Quon).
16. See, 18 U.S.C. §2702(b)(3).
17. Employers may still obtain text messages through physical examination of employees’ work cell phones, as the SCA only applies to electronic data
stored by a “remote computing service” or “electronic communication service.” 18 U.S.C. §§2701-2711.
18. Compare United States v. Ziegler, 474 F.3d 1184, 1190 (9th Cir. 2007) (reasonable expectation of privacy in contents of work computer); with
Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. 2002) (no expectation of privacy in contents of work computer); United States v. Simmons,
206 F.3d 392, 398 (4th Cir. 2000).
19. See, United States v. Hatfield, No. 06-CR-0550, 2009 U.S. Dist. LEXIS 106269 (E.D.N.Y. Nov. 13, 2009) (Second Circuit likely to uphold privilege);
Curto v. Medical World Communications Inc. 03-CV-6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006); Geer v. Gilman Corp., 06-CV-
0889, 2007 U.S. Dist. LEXIS 38852 (D. Conn. Feb. 12 2007), Orbit One Communications Inc. v. Numerex Corp., 255 F.R.D. 98, 107-8 (SDNY 2008);
In re Asia Global Crossing, Ltd., 322 M/R/ 247. 259-61 (SDNY Bnkr. 2005); but see, Long v. Marubeni America Corp., No. 05 Civ. 639, 2006 U.S.
Dist. LEXIS 76594 (SDNY Oct. 19, 2006); Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436 (N.Y. Supp. Ct., N.Y. Cty. 2007).
20. 2009 U.S. Dist. LEXIS 106269, at 30 n12.
21. See, Curto, 2006 U.S. Dist. LEXIS 29387 at 2-3 (applying four-factor test and finding that employee did not waive privilege by maintaining docu-
ments on employer’s computer); Geer, 2007 U.S. Dist. LEXIS 38852 at 3-4; Orbit One Communications Inc., 255 F.R.D. 98 at 107-8.
22. 2009 U.S. Dist. LEXIS 106269, at 33.
23. Hatfield, 2009 U.S. Dist. LEXIS 106269 at 34 n14.
24. Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (App. Div. 2009), aff ’d, —N.J.— (March 30, 2010).
25. See, Mack v. United States, 814 F.2d 120, 123 (2d Cir. 1987); but see Brown-Criscuolo v. Wolfe, 601 F.Supp.2d 441 (D. Conn. 2009); Walston v.
UPS, No. 2:07-CV-525, 2009 U.S. Dist. LEXIS 10307 (D. Utah, Feb. 11, 2009).
26. See, New York Labor Law §201-d.
27. Facebook Statement of Rights and Responsibilities (Dec. 21, 2009) (http://www.facebook.com/policy.php#!/terms.php) (last visited March 19,
New York Law Journal article April, 2010