The Court of Appeals for the Second Circuit recently held that a defendant waived any privilege with respect to emails he sent to his personal attorney over his employer’s email system. This case is another reminder that employees generally have very little expectation of privacy in emails exchanged using their employer’s accounts.
The defendant in the case, Christopher Finazzo, was convicted in a kickback scheme in which he caused Aeropostale to use a clothing vendor called South Bay Apparel as its supplier of T-shirts and fleeces in exchange for millions of dollars in secret payments. Aeropostale learned of the scheme in November 2006 when, during an unrelated investigation, it discovered an email Finazzo sent to his estate planning attorney regarding his will. The email disclosed his ownership interests in South Bay and certain joint ventures.
Following a trial, Finazzo was sentenced to eight years in prison and ordered to forfeit over $25 million. He argued, among other things, he was entitled to a new trial because the government “knowingly used misappropriated attorney-client privileged information” when it used the email as evidence.
On March 7, the Second Circuit held the lower court did not abuse its discretion when it found that Finazzo waived any privilege over the email. Aeropostale’s policy stated that employees “should have no expectation of privacy when using the Company’s Systems” and indicted the company may monitor and access all use of the email system without permission. Finazzo had signed a document acknowledging he read the Employee Handbook containing these policies.
The appeals court also said there was no evidence that Finazzo took steps to preserve the confidentiality of his email communications with his attorney. “In these circumstances, it was not an abuse of discretion for district court to rule that Finazzo had not carried his burden to show that he had kept the [email] confidential,” the court wrote.
I always recommend that my company clients have their employees specifically agree that emails on the company’s servers are owned by the company and that the employee has no expectation of privacy in those emails. This should extend to any company technologies.