In a recent “Not Precedential” opinion, a divided Third Circuit panel engaged in an instructive and interesting debate about whether, under New Jersey law, an employer may access and monitor a former employee’s password-protected accounts using information the employee left on his work computer.
The case involved a group of employees who left an employer en masse to join a competing enterprise. One of the departing employees failed to log out of his Facebook account before he returned his computer to the employer. The employer was thus able to—and did—monitor for more than a month the employee’s password-protected Facebook activity, which included Facebook Messenger exchanges among the other former employees in which the employees admitted to improperly sending the employer’s confidential information to their new employer.
When the employer sought a preliminary injunction against the former employees, the employees claimed that the old employer had unclean hands—and thus was not entitled to an injunction—because of its post-termination monitoring of the employee’s password-protected Facebook activity and other password-protected accounts. The district court rejected the unclean hands defense and entered an injunction.
On appeal the majority held that the employer’s monitoring of the employee’s accounts was not sufficiently related to the employees’ wrongful conduct to support an unclean hands defense. But the majority did not stop there. It devoted a lengthy footnote to discussing whether the employer’s monitoring activities were improper, suggesting that an employer may access password-protected information on a work computer even if the employer lacks a policy expressly saying that it could do so.
In a much more detailed analysis of the issue, the dissent concluded that the employer intentionally accessing the former employee’s password-protected accounts was wrong. The dissent concluded that the employer’s actions ran afoul of the New Jersey Supreme Court’s teachings in Stengart v. Loving Care Agency, Inc., where an employee’s emails with her attorney using her work computer, but sent through her private password-protected email account, were deemed private and privileged. The dissent also concluded that the employer had committed the common-law tort of intrusion upon seclusion.
Since the opinion is “Not Precedential” and the majority’s discussion about the propriety of the employer’s actions is dicta, it would not be prudent to take the majority’s opinion as giving employers license to access employees’ password-protected accounts using information left on a work computer. As the dissent points out, there are considerable risks in doing so. Thus, one should continue to tread carefully when it comes to accessing an employee’s password-protected information through a work computer, especially if the employer’s policy does not expressly permit it.