new jersey ruling on email privacy at work

This is the kind of story and court ruling that makes my head spin. Via DarkReading:

In a ruling that could affect enterprises’ privacy and security practices, the New Jersey Supreme Court last week ruled that an employer can not read email messages sent via a third-party email service provider — even if the emails are accessed during work hours from a company PC.

According to news reports, the ruling upheld the sanctity of attorney-client privilege in electronic communications between a lawyer and a nursing manager at the Loving Care Agency.

After the manager quit and filed a discrimination and harassment lawsuit against the Bergen County home health care company in 2008, Loving Care retrieved the messages from the computer’s hard drive [temporary cache files] and used them in preparing its defense.

I’d suggest checking out the ruling itself [pdf].

Some of this sounds fairly obvious, right? But what really raises questions is laptop users who take their systems home or offsite (i.e., away from the shelter of corporate web filtering) and then use them to connect to personal email accounts. Do employees have a reasonable right to privacy for any artifacts that get stored on the system, especially those of a protected nature like attorney-client exchanges or perhaps doctor exchanges? If so, do employers have a duty to take extra care of those systems, any backups made, or images made after a termination? Or during technical troubleshooting and such?

Things like this end up resulting in complex policies, especially those designed to protect both business and individual interests. The same kind of policies that get ignored once they get too complicated…