Tennessee Court: The CFAA Is Not Unconstitutionally Vague

While she is no longer a public official, former Governor Sarah Palin has unwittingly contributed to a Tennessee federal district court upholding the constitutionality of the federal Computer Fraud and Abuse Act (“CFAA”). The case in question is a criminal prosecution against David Kernell, the college student charged with violations of the CFAA for accessing Palin’s Yahoo email account during the 2008 Presidential campaign. Continue reading

Privacy on Your Work Computer?

Can we expect any privacy when it comes to personal emails created at work?  Perhaps a little.  The New Jersey Supreme Court in Stengart v. Loving Care Agency affirmed a lower court opinion last week holding that despite an employer’s corporate computer policies reserving all rights to review employee emails, an employee’s communications with her attorney were protected by the attorney client privilege and, thus, off limits to review by her employer. 2010 WL 1189458 (N.J. March 30, 2010).

Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, password-protected, web-based email account.” Id. at 2. . After Stengart filed a discrimination suit her then ex-employer found numerous emails on the company computer between Stengart and her attorney. These emails were found in temporary Internet files that had been saved to the hard drive.

Stengart’s employer had the following corporate computer policy permitting it to review “all matters on the company’s media systems” and allowed “[o]ccasional personal use:

The company reserves and will exercise the right to review, audit, intercept, access, and disclose all matters on the company’s media systems and services at any time, with or without notice.
E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.

The principal purpose of electronic mail (e-mail ) is for company business communications. Occasional personal use is permitted; however, the system should not be used to solicit for outside business ventures, charitable organizations, or for any political or religious purpose, unless authorized by the Director of Human Resources.

The court based its decision on (1) the ambiguity in the policy creating for Stengart an expectation of privacy that her emails with her attorney would not be viewed by her employer and (2) the important policy concerns underlying the attorney client privilege. First, the court found that “[]t is not clear from that language [of the policy] whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered” and “[t]he Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by” the employer. Id. at 6.

The court concluded that “[a]s written, the Policy creates ambiguity about whether personal e-mail use is company or private property.” Id. Therefore, Stengart had an expectation of privacy in her email communications with her attorney over her company laptop.
Second, the court held that “[b]ecause of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual-that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system, would not be enforceable.” Id. at 12.

It is this second prong of the decision with which I disagree. Traditional attorney client privilege law does not permit the privilege to exist where the client knows that the communications may not be private. There is no sound reason why that law should not apply if the email communication is made with full warning that use of personal internet based emails, even communications with an attorney, on a company computer may be monitored and viewed by the employer.

Social Media Poses Risks To Companies

By Melissa Krasnow.

Social media, including Facebook, Twitter, YouTube, etc., is an evolving and growing means of communication. According to some reports, people have been spending more time using social media sites than e-mail since February 2009. See “A World of Connections,” The Economist, Jan. 28, 2010. For companies, social media presents both opportunities and risks. These risks include reputational, brand, legal, regulatory and security concerns. This article outlines some approaches that companies are taking to manage the risks, including: 1) reviewing existing company compliance policies and preparing social media policies as warranted; 2) restricting workplace access to social media; 3) utilizing social media monitoring tools; 4) taking into account actual social media business issues; and 5) reviewing insurance coverage.

Company Compliance Policies And Social Media Policies

According to a recent survey by Manpower, 29% of companies in the Americas and 20% of companies worldwide have a social media policy. See “Social Networks vs. Management? Harness the Power of Social Media, Manpower, January 2010. Companies that do not have social media policies likely are preparing them or at least considering them. While there are social media policies, other company compliance policies (e.g., codes of conduct, codes of ethics, confidentiality obligations, privacy policies, intellectual property policies, etc.) often cover aspects of social media use. The starting point is for a company to review existing policies, determine whether they cover aspects of social media and revise or update them as necessary or appropriate and prepare a social media policy as warranted. A new social media policy should be drafted to be consistent and integrated with other company compliance policies.

By way of example, a company record retention policy and legal hold could be implicated by social media use. Information on a company’s social networking site is considered to be electronically stored information. As soon as a company is reasonably aware of the possibility of litigation, audit or investigation, it must take steps to preserve all records that may be relevant to the matter, including electronically stored information. If information on the social networking site may be relevant, the company must take appropriate steps to preserve it. Accordingly, a company’s record retention policy and legal hold should be reviewed regarding social media and revised and updated if necessary or appropriate. Any new social media policy should be drafted to work together with the record retention policy and legal hold.

Social media policies typically are tailored to a particular company’s circumstances, including the many different ways that companies use social media. Many social media policies are not publicly available. Based on a review of the social media policies of Sun (which was acquired by Oracle in early 2010), Yahoo, IBM, Edelman, Cisco and Dell, following are some of the common elements of these policies:

• Identify yourself and make it clear when you are speaking on behalf of or about the company;
• Use common sense and judgment; • Know that there is personally liability for content;
• Understand that disclaimers are advisable, but not a shield from liability;
• Realize that disclosed information should be accurate;
• Seek advice from the legal department or management when necessary (e.g., when unsure about posting or for permission to comment on work-related legal matters);
• Do not disclose confidential or financial information or material, non-public information about the company; and
• Follow established company guidelines, policies and codes.

Social media policies often involve different areas of a company (e.g., human resources, marketing, legal, communications, etc.). A number of different laws could potentially apply, including without limitation employment, intellectual property, privacy and securities law. In some cases, there may be additional regulation (e.g., Federal Trade Commission, Financial Industry Regulatory Authority, Food and Drug Administration, etc.). As a result, a multi-disciplinary business and legal team frequently is assembled to prepare a social media policy. As with other company compliance policies, a social media policy needs to be implemented and enforced consistently.

Restricting Workplace Access To Social Media

According to a survey by Robert Half, 54% of U.S. workplaces completely block access to social networks, whereas 19% permit access solely for business purposes, 16% permit limited personal use and 10% permit any personal use of social networks. See “Whistle — But Don’t Tweet — While You Work,” Robert Half, October 2009.

Social Media Monitoring Tools

Social media monitoring tools encompass analytics software for tracking and analysis (e.g., traffic, keywords, trends, etc.), including Web software tools like Webtrends, Omniture and Google Analytics. In addition, there are URL shorteners, including Bit.ly and Ow.ly, which track information like clicks from different traffic sources. There also are tools that collect metrics on Twitter — Twittersearch, Twitrratr, Twinfluence and Tweetstats. Company employees could engage in monitoring behalf of the company. Moreover, there are third-party paid monitoring options, which can be domestic global in scope. These include Radian6 (owned by Webtrends), Sysomos and Buzzlogic. These tools track the activity of a brand in social media and provide insights about the tone of the dialogue (i.e., “sentiment analysis”).

Considering Actual Social Media Business Issues

Certain business issues are arising through the use of social media. Examples of these include an impostor establishing an impostor site, pretending to be another person (e.g., Twitter impostors in the case of celebrities and executives) and whether Facebook’s terms of use can be modified. Once aware of these issues, a company can work to devise protections and solutions (e.g., how to deter impostor sites and how shut them down).

Reviewing Insurance Coverage

A company should review the particular terms of its existing insurance coverage and determine whether any social media use or aspects covered.


Addressing the risks of social media should not necessarily outweigh realizing the opportunities. Companies must recognize and encourage the opportunities offered by social media communication, relationship-building and reputation and brand enhancement, among other things.

Melissa J. Krasnow is a partner in the Minneapolis office of Dorsey & Whitney LLP whose practice focuses on privacy, social media, corporate and securities law. For additional information please visit www.dorsey.com/krasnow_melissa/. She may be reached at krasnow.melissa@dorsey.com.