In John P. Mello Jr.’s blog post, “Peeking into employee’s email can be no-no”, John details a recent New Jersey court case involving the rights of a company to view the contents of an employee’s non-business related emails on the laptop issued to the employee after the employee had left the company.

In the court case, the trial court refused to require the employer, Loving Care, to return the emails to the employee’s attorneys. A judicial panel had upheld a lower court’s ruling that it was allowable for the company to access the employee’s email communications between the employee and her attorney.

Later, however, an appellate court reversed the lower court’s decision and held that the employee had not waived their attorney-client privilege.

As it turns out, the laws regarding email privacy vary not only at state level but also at the federal level. For example, if one of the employees in your company sends an email from their state to someone else in another state the question could come up – which state’s email privacy laws supersedes the other state’s email privacy law? As it happens, what might be considered legal to read in one state might, in another state, be considered illegal and unjustified to read.

According to the State of California Online Privacy Protection Act (OPPA) of 2003, companies which operate commercial websites must disclose their privacy policy with regard to what data they might collect and share with other organizations. That data could theoretically include the contents of email messages that pass through their servers.

Continue reading Employee Email Privacy Considerations

In my previous post I wrote about Los Angeles’ decision to consider Google Apps for email and other applications. Although it gets attention for cost savings, there are some real concerns with email in the cloud, especially in government organizations that are required to comply with security and privacy policies and regulations.

The World Privacy Forum’s letter to the Mayor of LA went into some detail about why they don’t think it’s a good idea. Let’s take a look at some of the major points in WPF’s letter. The first four points address medical and health-related information, domestic violence and sexual assault information, substance abuse information, and sensitive information in general. The Google/LA deal doesn’t address any of these areas, or any of the regulations such as HIPAA, Violence Against Women Act, or 42 CFR Part 2 (a California law that regulates confidentiality of substance abuse program clients). The legalities related to compliance with these sorts of statutes when using cloud computing for sending and storing data are still fuzzy, and could leave the city government open to liability.

Continue reading Do you really want email in the cloud?