No Reasonable Expectation of Privacy on Work PCs
If you think the contents of your work computer are your business and only your business, then think again. Applying federal rulings from other jurisdictions to help guide its ruling, the New Jersey State Appeals Court ruled in a recent case that "an employee has no reasonable expectation of privacy in personal files stored on a company-owned computer." This is a significant finding as it sets a precedent for the state of New Jersey, and adds to other similar rulings from the 4th and 10th U.S. Circuit Court of Appeals (U.S. v. Angevine and U.S. v. Simons, respectively).
In fact, not only did the court rule that a employee of a company has no expectation of privacy of the contents of his work computer, the court further ruled that an employer's consent to a police search of the employee's computer is enough to make the search lawful. The ruling for the case, State of New Jersey vs. M.A., stated:
"We conclude... that neither the law nor society recognize as legitimate defendant's subjective expectation of privacy in a workplace computer he used to commit a crime."
This expectation of privacy is not even legitimized if the employee uses a "confidential password":
"A burglar plying his trade in a summer cabin during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one which the law recognizes as 'legitimate'."
The case centers around a man who was convicted of stealing money from his employer via electronic fund transfers, with evidence that was collected by police without a warrant. (The employer granted consent to the police to search the computer for evidence of the crimes.) In the initial case, the employee's attorneys attempted to suppress the evidence, claiming that the employee had a reasonable expectation of privacy. The motion was denied, and the employee "pleaded guilty to the thefts but preserved his right of appeal on the search and seizure issue." The appeals court subsequently agreed with the lower court's ruling.
While this case specifically deals with criminal activity, it could potentially add more weight to a growing legal perception that the contents of an employee's computer--be it work-related or personal--can be considered the property of his employer by the simple fact that the employer owns the equipment that the data is physically stored on.
It should be noted, however, that this finding deals specifically with the expectation of privacy between and employer and an employee, and could not be applied to an individual's personal data stored on equipment owned by his Internet service provider. In fact, in New Jersey vs. M.A., M.A.'s attorneys tried to use the findings of a recent New Jersey Supreme Court case, State of New Jersey vs. Reid, as a precedent for its case. In the New Jersey vs. Reid, the court found, "when users surf the Web from the privacy of their homes, they have a reason to expect that their actions are confidential." The judges in New Jersey vs. M.A. dismissed the findings of the New Jersey vs. Reid as being applicable in the case of New Jersey vs. M.A.:
"However, Reid's crime involved the Internet and information divulged by an Internet service provider, and it occurred at home through the use of Reid's personal computer, which she never brought to work or permitted co-workers to use. Thus Reid does not apply."
So perhaps the lesson learned for potential Internet criminals plotting against their employers is to always use their home computers and hope that legally binding warrants and subpoenas are not issued to gain access to their personal offline or online data. The lesson learned for us law-abiding citizens is that we need to be careful what activities we engage in on our work computers and what data we store on them. Even if the activities and data are not illegal, they can still land us in trouble with our employers if they don't jive with company policy or expectations. In other words, leave the DRM-stripped MP3 file sharing and porn downloading for home.
In fact, not only did the court rule that a employee of a company has no expectation of privacy of the contents of his work computer, the court further ruled that an employer's consent to a police search of the employee's computer is enough to make the search lawful. The ruling for the case, State of New Jersey vs. M.A., stated:
"We conclude... that neither the law nor society recognize as legitimate defendant's subjective expectation of privacy in a workplace computer he used to commit a crime."
This expectation of privacy is not even legitimized if the employee uses a "confidential password":
"A burglar plying his trade in a summer cabin during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one which the law recognizes as 'legitimate'."
The case centers around a man who was convicted of stealing money from his employer via electronic fund transfers, with evidence that was collected by police without a warrant. (The employer granted consent to the police to search the computer for evidence of the crimes.) In the initial case, the employee's attorneys attempted to suppress the evidence, claiming that the employee had a reasonable expectation of privacy. The motion was denied, and the employee "pleaded guilty to the thefts but preserved his right of appeal on the search and seizure issue." The appeals court subsequently agreed with the lower court's ruling.While this case specifically deals with criminal activity, it could potentially add more weight to a growing legal perception that the contents of an employee's computer--be it work-related or personal--can be considered the property of his employer by the simple fact that the employer owns the equipment that the data is physically stored on.
It should be noted, however, that this finding deals specifically with the expectation of privacy between and employer and an employee, and could not be applied to an individual's personal data stored on equipment owned by his Internet service provider. In fact, in New Jersey vs. M.A., M.A.'s attorneys tried to use the findings of a recent New Jersey Supreme Court case, State of New Jersey vs. Reid, as a precedent for its case. In the New Jersey vs. Reid, the court found, "when users surf the Web from the privacy of their homes, they have a reason to expect that their actions are confidential." The judges in New Jersey vs. M.A. dismissed the findings of the New Jersey vs. Reid as being applicable in the case of New Jersey vs. M.A.:
"However, Reid's crime involved the Internet and information divulged by an Internet service provider, and it occurred at home through the use of Reid's personal computer, which she never brought to work or permitted co-workers to use. Thus Reid does not apply."
So perhaps the lesson learned for potential Internet criminals plotting against their employers is to always use their home computers and hope that legally binding warrants and subpoenas are not issued to gain access to their personal offline or online data. The lesson learned for us law-abiding citizens is that we need to be careful what activities we engage in on our work computers and what data we store on them. Even if the activities and data are not illegal, they can still land us in trouble with our employers if they don't jive with company policy or expectations. In other words, leave the DRM-stripped MP3 file sharing and porn downloading for home.
