Employee Privacy and the Attorney-Client Privilege

This week, the Supreme Court of New Jersey unanimously ruled on a novel issue of privacy law, holding that an employee has a reasonable expectation of privacy in e-mail communications with her attorney sent and received through a personal, web-based e-mail account even though the account is accessed on an employer-issued computer. In making its decision, the Court recognized that (a) the employer's policy did not specifically give notice that messages sent or received on a personal, web-based e-mail account were subject to monitoring if accessed on company equipment and (b) the policies underlying the attorney-client privilege support the preservation of confidentiality in these circumstances. The Court stated that analysis of the issue was inherently fact-specific, and that employees have a greater expectation of privacy when using a personal, web-based e-mail account (as opposed to a company e-mail system). Other relevant factors considered by the Court were (a) the fact that the account's password was not saved on the employee's computer and (b) the fact that the e-mails contained a legend warning the reader that the communication may be attorney-client privileged. While no one fact was found to be outcome-determinative, the totality of the circumstances created a reasonable expectation of privacy, with no waiver of the privilege.


The Court also clarified that its ruling was not meant to prevent employers from regulating or monitoring the use of workplace computers, but rather was a holding that reading the contents of attorney-client communications was not necessary to do so. In fact, the Court held that even a policy which provided unambiguous notice that a company could read such communications would be unenforceable.


Matthew S. Olesh co-wrote this post.

The Information Security and Privacy Advisory Board Issues Federal Privacy Recommendations

The Information Security and Privacy Advisory Board (the “Board”), known from the late 1980s until 2002 as the Computer System Security and Privacy Advisory Board, has released its expected report with recommendations on updating privacy law and policy in light of technological advancements. The Board’s report, titled “Toward a 21st Century Framework for Federal Government Privacy Policy” (PDF), makes several recommendations at the federal government level to address longstanding deficiencies in current practices, as follows:

  • Amendments to the Privacy Act of 1974 and Section 208 of the E-Government Act of 2002 are needed to:
    • Improve Government privacy notices
    • Update the definition of System of Records to cover relational and distributed systems based on government use, not holding, of records
    • Clearly cover commercial data sources under both the Privacy Act and the E-Government Act
  • Government leadership on privacy must be improved
    • OMB should hire a full-time Chief Privacy Officer with resources
    • Privacy Act Guidance from OMB must be regularly updated
    • Chief Privacy Officers should be hired at all “CFO agencies”
    • A Chief Privacy Officers’ Council should be developed
  • Other changes in privacy policy are necessary
    • OMB should update the federal government’s cookie policy
    • OMB should issue privacy guidance on agency use of location information
    • OMB should work with US-CERT to create interagency information on data loss across the government
    • There should be public reporting on use of Social Security Numbers

Citing a lack of leadership from Congress, the failure to update federal laws and regulations, and the breakneck speed of technological evolution, the Board appeared critical that “only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.”

Whether this report will be the catalyst of sweeping privacy reform from the Obama administration that many have expected remains to be seen.