California Court of Appeals Decision Reminds Employers to Have Clear, Enunciated IT Systems Use Policy

Electronic communications are an indispensable component of business in today’s world. Every day, employees send emails, text messages and instant messages by the thousands through their corporate email systems and devices, not only for business-related communications with colleagues, customers, vendors and partners, but also to discuss personal matters with friends, family and spouses. Although companies may believe they can access and use all electronic information on company property, beware.

Ruling on a dispute between former business partners of a cannabis manufacturing company, a California appellate court recently drove home the need for employers to implement well-defined written policies governing employees’ use of company information technology (IT) resources and communications systems. Equally important, it also addressed the employer’s ability to monitor and control such resources and systems (Militello v. VFARM 1509, ___ Cal.Rptr.3d ____ (2023), 2023 WL 2579204 (Mar. 21, 2023)). In the lawsuit, the plaintiff, a former (disgruntled) director of the cannabis manufacturer, sued the business and the remaining directors alleging a number of business torts and wrongful termination. Without telling her business partners, the plaintiff accessed the company’s email system and pulled emails between one of the other directors and her husband, to use during the lawsuit.

The manufacturer and remaining directors moved to disqualify the former director’s counsel, arguing that the emails were protected by the spousal privilege and that the plaintiff’s counsel had failed to disclose receipt of the presumptively privileged communications. The trial court agreed and granted the motion to disqualify.

The court of appeal affirmed, finding: (1) there was no evidence the cannabis manufacturer had a written electronic systems monitoring policy (whether through its governing bylaws or an employee handbook) or a policy prohibiting the director from using her company-issued email for personal communications; (2) there was no evidence the director whose emails were accessed had agreed to such a policy; and (3) there was no evidence the director had received any warning from the email service provider that her email account would be monitored. 

Takeaways for California Employers

In light of this decision, employers should review their policies to ensure they have a well-defined IT resources and communications systems policy, which should, at a minimum:

• Define the resources and systems covered by the policy.
• Notify employees that there is no reasonable expectation of privacy when using company resources, devices, and systems, including to conduct personal communications.
• Notify employees that company-issued resources, devices and systems are monitored by the company.
• Define any inappropriate use of company IT resources and communications systems, including communications for personal use.
• Require employees to acknowledge that they understand the policy and consent to it.

California employers that access and review employees’ messages, even personal ones, without first having put into place a clear, written policy specifying their right to do so, risk incurring liability for claims of invasion of privacy or, as in the case above, losing their counsel of choice in a litigation. If you have questions regarding compliance, please reach out to the authors listed below or your regular Armstrong Teasdale lawyer.