Preventing Litigation was endorsed by RICHARD SUSSKIND, author of Tomorrow's Lawyers, who wrote:

"As a lawyer or client, if you prefer a fence at the top of a cliff to an ambulance at the bottom,
this insightful book is essential reading."


The following chapter excerpts are taken directly from
Preventing Litigation: An Early Warning System to Get Big Value Out of Big Data
By Nelson E. Brestoff and W.H. Inmon
(Business Expert Press 2015)

Index

Chapter 8: What is "Preventive Law"?

Chapter 19: The No Privacy Policies

Chapter 8

What is “preventive law”?

The primary reason each of the first four people who we asked to join our Board of Advisors said “yes” was that they had some connection to Professor Brown or his teachings.  So what is “preventive law”?  You already know it by various sayings and proverbs:

“It usually costs less to avoid getting into trouble than to pay for getting out of trouble.”
Louis M. Brown (1909-1996)[1]


“There is surely nothing quite so useless as doing with great efficiency that which should not be done at all.”
Peter F. Drucker[2]


“The best victory is … to win without fighting.”
Sun Tzu[3]


“An ounce of prevention is worth a pound of cure.”
Benjamin Franklin[4]

This last proverb is well known to all of us, even in our digital age.  The modern application is this:  Back up your computer (frequently) and hit “save” even as you’re writing, even after only a few pages. 

There’s even a saying in Latin that covers the point.  The Latin is Praemonitus praemunitus, which means “forewarned is forearmed.”[5]

So now we know that this notion of the value of “prevention” goes back a very long way.  Today we speak in terms of preventive maintenance and preventive medicine.  But law?  No.

And with that, let’s return to preventive law and its modern-day founding father, Professor Brown.  His philosophy was this:  “The time to see an attorney is when you’re legally healthy – certainly before the advent of litigation, and prior to the time legal trouble occurs.” 

And Professor Brown practiced what he preached, launching a program when he was President of the Beverly Hills Bar Association to give free legal advice to young couples before they were married. 

Right or wrong, Nick remembers Professor Brown saying (in the 1972 to 1975 timeframe) that he once had a client with a fleet of trucks and had to defend the company when, at various times and under various circumstances, the truck drivers had gotten into accidents.  What Professor Brown noticed, he said, was that the case facts had one thing in common:  The drivers had gotten into these accidents when they were making left hand turns. 

So should he keep on earning fees for defending these cases?  No, Professor Brown said.  Instead, he advised the company to have a policy that its drivers should instead make three rights.  At the time, Professor Brown wasn’t making this policy suggestion to save on time or gas; right turns were just safer turns to make. 

In other words, Professor Brown was making a business case for “preventive law.”

Nick can’t recall if Professor Brown’s story pertained to UPS or not.  Probably not.  But UPS has precisely this policy today.  In 2008, D. Scott Davis, UPS’s Chairman and former CEO, gave a speech in Los Angeles entitled “Right Turn at the Right Time.”  The focus of the speech was the value of a company’s reputation, but the “right turn” policy also came up.  And what Scott Davis said about the “right turn” policy was this:

“We carefully map-out routes for all our drivers to reduce the number of left-hand turns they make.
Now get this:  In 2007 alone, this helped us:

• Shave nearly 30 million miles off already streamlined delivery routes;

• Save 3 million gallons of gas; and

• Reduce CO2 emissions by 32,000 metric tons, the equivalent of removing 5,300 passenger cars from the road for an entire year.” [6]

So Mr. Davis was praising the policy because there were fewer miles driven and less gasoline burned. 

Let’s monetize Mr. Davis’s figures.  Suppose a mile driven costs the company $0.50.  Then saving 30 million miles saves $15 million.  Now suppose that the cost of gas is only $3.00 per gallon.  By these lights, saving 3 million gallons of gas saved UPS another $9 million.

So this Make Right Turns policy may be rooted in safety, as in fewer deaths and injuries, which means fewer lawsuits, but combined with the $24 million in benefits that Mr. Davis was citing, the Make Right Turns policy is a terrific example of Professor Brown’s teachings. 

The point is that a solid business case for “preventive law” is not hard to fathom.

A computer-based early warning system to avoid litigation doesn’t necessarily mean there will be fewer miles driven, or lower CO2 emissions, or even fewer collisions.  But in the context of product liability cases, prevention could mean fewer lawsuits, and, by inference, fewer deaths and fewer injuries.

So an early warning system offers the prospect of a big risk reduction plus a big cost reduction, and that’s a powerful combination.  It adds up to this:

Big Change.

__________

[1]  Louis M. Brown. 1950.  Manual of Preventive Law.  (New York:  Prentice-Hall, Inc.) (cited in http://en.wikipedia.org/wiki/Proactive_law).

[2]  Peter Drucker.  May 1963.  Managing for Business Effectiveness.  Harvard Business Review, p. 83.

[3]  See http://en.wikiquote.org/wiki/Sun_Tzu (The Art of Warfare Ch. 3 (circa 5th century BC)).

[4]  See www.ushistory.org/franklin/quotable/quote67.htm

[5]  See http://en.wikipedia.org/wiki/Praemonitus_praemunitus.

[6]  D. Scott Davis.  2008.  “Right Turn at the Right Time.”  http://pressroom.ups.com/About+UPS/UPS+Leadership/Speeches/D.+Scott+Davis/Right+Turn+at+the+Right+Time, (last accessed April 8, 2015).


Chapter 19

The No Privacy Policies

We realize that employees often bring their own devices (BYOD) to work.  While BYOD may be a common practice today, it is inadvisable for security purposes.  Given the cost of remediating a hack into the enterprise’s computer system, a company will want to protect itself from being hacked when a BYOD device is connected to the enterprise intranet.  Because we want to identify and investigate what employees are saying to each other in order to be proactive about potential litigation threats, we see BYOD as an avoidable but significant risk.

In addition, we hasten to say, we do not want a business to invade any employee’s privacy.  How do we navigate these waters?

What an employer should do

We start with what a client should do, which is to have a “computer technology resource” (CTR) policy and to insist that each employee read and sign an Employee Manual which contains that CTR policy.

We do not mean to even suggest that we are giving legal advice, but we think the CTR policy might want to promulgate a policy something like the following:

1. Company computer and e-mail accounts should be used only for company business;

2. Employees are prohibited from sending or receiving personal e-mails, except when using a company computer to access a personal, password-protected, web-based e-mail account (for example, a personal Yahoo, Google or other e-mail account); provided, however, that if the use is so frequent and so extensive that the employee is found to be insufficiently attentive to his or her work, or disrupts the business operations of others, then the employee may be either disciplined or terminated;

3. Employees have no right to privacy with respect to any personal information or messages created on or accessed using a company computer or e-mail account;

4. E-mails sent or received on company computer resources are not private and should be regarded as postcards, and should not be understood as the equivalent of a sealed letter;

5. The company may inspect all files or messages on company computer resources at any time, for any reason, at its discretion;

6. The company or its agents may periodically monitor its computer resources and e-mail accounts to ensure compliance with its CTR policies; and

7. If any of the foregoing provisions are found to be against public policy or are unlawful, then any and all such provisions are severed from the Employee Manual, but the rest of the CTR policies and provisions shall remain in effect.

Why these elements? Because if a company follows this set of mandates, disclosures, and warnings, then, if there is no deviation from them, not even an employee’s communication with his or her personal attorney will be entitled to privacy or privileged from discovery by the company.

Can this be? Surely the attorney-client privilege would apply to keep an employee’s communication with his or her attorney privileged from disclosure, wouldn’t it?  The answer, if the above-listed CTR policies are in place, at least in California, is “No.”

In Holmes v. Petrovich Development Co., LLC,[1] the appellate court noted that when the employer has an express policy which reduces any expectation of privacy, e-mail communications between an employee and her attorney may be equivalent to "consulting her lawyer in her employer's conference room, in a loud voice, with the door open."

The facts in Holmes were as follows:

Gina M. Holmes (“Holmes”) worked as an executive assistant for the defendants Paul Petrovich and Petrovich Development Company, LLC.  After she was hired, she read and signed the company's express computer technology resource policy that governed her usage of the company computer and e-mail account.  It stated the elements we have described above.

In July 2004, approximately one month after Holmes was hired, she told Petrovich she was pregnant and wanted to take a six-week maternity leave in December.  She later revised her request to a four-month maternity leave beginning in November.  This prompted Petrovich to send the following e-mail to Holmes:  “I need some honesty.  How pregnant were you when you interviewed with me and what happened to six weeks? . . . That is an extreme hardship on me, my business and everyone else in the company.  You have rights for sure and I am not going to do anything to violate any laws, but I feel taken advantage of and deceived for sure.”

Holmes was offended and e-mailed a response that explained she did not tell him about her pregnancy earlier, in part, because she had two miscarriages in the past and did not want to disclose the pregnancy until it appeared likely that she would carry the baby to term.

Because Petrovich was concerned that Holmes may be quitting, he forwarded Holmes' e-mail to human resources and in-house counsel.  When Holmes learned that Petrovich forwarded her e-mails to others, she was upset and sought legal advice concerning a claim for pregnancy discrimination.

For example, Holmes exchanged several e-mails with her attorney from her company e-mail account where she stated, “I know that there are laws that protect pregnant women from being treated differently due to their pregnancy, and now that I am officially working in a hostile environment, I feel I need to find out what rights, if any, and what options I have.  I don't want to quit my job; but how do I make the situation better?”

This e-mail conflicted with Holmes’s contentions at trial.  At trial, her counsel objected when Petrovich’s counsel tried to introduce this e-mail and other e-mails like it.

The trial court overruled the objections, the e-mails were admitted into evidence, and the Court of Appeal affirmed, holding that the employer's computer policy made clear that Holmes had no legitimate reason to believe that communications from her company e-mail account were private, regardless of whether the employer actually monitored her e-mail.

Thus, given the CTR policy, Holmes was held to have knowingly disclosed her attorney-client communications to her employer and waived the privilege.

Holmes is a 2011 California decision.  In 2007, a New York court reached a similar conclusion.  In Scott v. Beth Israel Med. Ctr., the e-mail policy stated:

“This Policy clarifies and codifies the rules for the use and protection of the Medical Center’s computer and communications systems.  This policy applies to everyone who works at or for the Medical Center including employees, consultants, independent contractors and all other persons who use or have access to these systems.

1.  All Medical Center computer systems, telephone systems, voice mail systems, facsimile equipment, electronic mail systems, Internet access systems, related technology systems, and the wired or wireless networks that connect them are the property of the Medical Center and should be used for business purposes only.

2.  All information and documents created, received, saved or sent on the Medical Center’s computer or communications systems are the property of the Medical Center.

Employees have no personal privacy right in any material created, received, saved or sent using Medical Center communications or computer systems.  The Medical Center reserves the right to access and disclose such material at any time without prior notice.”[2]

The policy was available in hard copy and maintained in the office of the administrator for each of the Center’s departments and on the intranet.

The plaintiff, Dr. Scott, was the chairman of the orthopedics department and worked closely with the department administrator. 

In 2002, every employee received an employee handbook which contained a brief summary of the e-mail policy.  After 2002, newly hired doctors were required to sign a form acknowledging that they had read and were familiar with it.

However, Dr. Scott never signed such an acknowledgement and denied knowing of it.

Nevertheless, this “no personal use” policy, combined with a policy allowing for employer monitoring and the employee’s knowledge of these two policies, diminished any expectation of privacy.

The issue materialized when Dr. Scott used Center computers to communicate by e-mail with his counsel.  When Dr. Scott asserted the attorney-client privilege, the Center rejected his claim to the privilege, citing the policy. So Dr. Scott sought a protective order from the court, but the court denied it.

In denying Dr. Scott’s request for a protective order, the court cited a federal bankruptcy case, which held that the attorney-client privilege was inapplicable if: 

• (1) … the corporation maintain[s] a policy banning personal or other objectionable use,

• (2) … the company monitor[s] the use of the employee’s computer or e-mail,

• (3) … third parties have a right of access to the computer or e-mails, and

• (4) … the corporation notif[ies] the employee, or the employee was aware, of the use and monitoring policies.[3]

In Scott, the court found that the first two elements were satisfied by the Center’s “no personal use” and monitoring policies; found the third element inapplicable; and held that Dr. Scott had both actual and constructive notice of the policy because the policy had been disseminated to each employee in 2002, including Dr. Scott, and because the Center made the policy available by notice on the Center’s intranet. 

In addition, because Dr. Scott was an administrator, he was held to have constructive notice of the policy, in part because he required newly hired doctors under his supervision to acknowledge in writing that they were aware of it.

As a final matter, the court rejected the argument that the attorney’s notice in its e-mails to Dr. Scott changed the outcome.  The notice stated:  “This message is intended only for the use of the Addressee and may contain information that is privileged and confidential.  If you are not the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited.  If you have received this communication in error, please erase all copies of the message and its attachments and notify us immediately.”

This (not atypical) notice appeared in every e-mail from counsel to Dr. Scott.  However, the court held that the notice could not create a right of privacy out of whole cloth, and did not alter the Center’s policy, stating:  “When client confidences are at risk, [counsel’s] pro forma notice at the end of the e-mail is insufficient and not a reasonable precaution to protect its clients.”     

What an employer should NOT do

Given the long and venerable history of the attorney-client privilege, no employer should expect courts to frequently hold that it has been waived.

1.  Undermine the Policy by Conduct

However, actions often speak louder than words. Suppose that a company had a CTR policy identical to the policy described in Petrovich.

But now suppose that the company sent the message that non-compliance would be tolerated.  That message undermines the policy, and it is known as “operational reality.”

The "operational reality" test is used in the Ninth Circuit and was discussed in a 2008 opinion, Quon v. Arch Wireless Operating Co.[4]

In Quon, the plaintiff had a reasonable expectation of privacy as to his personal text messages sent from his company pager because of an informal policy that contradicted the written policy.  The plaintiff's supervisor had made it clear that text messages would not be audited if employees paid any applicable overage charges, even though the employer's policy prohibited the personal use of pagers.

In other words, the "operational reality" was that the plaintiff had a reasonable expectation that his personal text messages would be kept private.  Thus, under those circumstances, an informal policy effectively voided the written policy.

Why can we have some confidence in the CTR policy in Holmes?  Because Holmes actually argued that she had a reasonable expectation that her e-mails to her attorney were private because of the "operational reality" that the company did not audit employee computers during her employment.

But that argument failed.  The Court of Appeal rejected it because there was no evidence that the company had an informal policy that contradicted its express, written policy. 

So the message is fairly clear.  If a company promulgates a written policy, no supervisor should undercut it with a verbal policy to the contrary.

2.  Permit employees to use personal computer resources for work

Holmes also argued that she had a reasonable expectation of privacy, because she used a private password for her company e-mail account and deleted the e-mails after they were sent. The Court also rejected this argument because Holmes utilized her company e-mail account, not her personal e-mail account.

But suppose that the CTR policy is not clear, and an employee uses a company computer to access a personal, password-protected, web-based e-mail system to communicate with his or her attorney.

A New Jersey appellate court addressed these facts in 2010.[5]  There, the plaintiff used her company issued laptop to access her Yahoo account to e-mail her attorney about bringing an employment discrimination lawsuit against her employer. The company CTR policy had not prohibited this. 

Not surprisingly, the New Jersey court held that the attorney-client privilege had not been waived.

Moreover, the New Jersey court noted that a policy permitting an employer to retrieve and read an employee's attorney-client communications accessed on a personal, password-protected e-mail account would not be enforceable because, in New Jersey, it would be void as a matter of public policy.

3.  Fail to have employees read and sign the policy

Courts are reluctant to create exceptions to the attorney-client privilege, so hiccups in implementing a CTR policy can matter and change the outcome of a case.  In Mintz v. Mark Bartelstein & Assoc., Inc., Holmes was distinguished by the Court, and was not followed because the employee did not read or sign the Employment Manual.[6]  Holmes was also distinguished because the plaintiff used his home computer, not a company device.[7]  Evidently, there were no grounds for holding the employee to constructive notice, as in Scott.

Under the circumstances, the Court’s ruling that Mintz had not waived his attorney-client privilege was not unexpected.  Without requiring Mintz to read or sign the policy, and because there was no showing that Mintz had some supervisory capacity that would have made him aware of it, he could not be held to it. 

The Internet of Things

Employers have been requiring employees to sign No Privacy policies since 2002, if not before.  But the Internet of Things—the IoT—did not exist in 2002.  Now the future is clear:  the world will be populated with billions of smart, embedded computer devices that interact with our personal lives, and interact with each other.  That’s the Internet of Things.

Thus, one of the subjects of the Computer Technology Resource Policy must be the devices that people, in their private lives, use to access their own personal data.  The focus is not the data such devices access from the environment, i.e., the weather conditions, which is not personal to them.  The focus is the data such devices access from their wearers’ own bodies:  for example, smart phones, watches, and other kinds of wearable devices that measure temperature, blood pressure, and so forth.  Such data is personal, private, and confidential to the persons who wear or otherwise carry them.

Any sensible person would see the difference between the data collected by such personal (and so private) devices and the enterprise computer ecosystem. 

But, clearly, there is a potential for the personal device to exchange data with an enterprise device. 

And so we have put our finger on a two-way street:  the IoT opens a potential doorway for the enterprise to learn about an employee’s otherwise personal information, and it also opens a path for the enterprise to open itself up to a hacker attack.  We can’t think of a better reason for a CTR policy to ban devices known as BYODs. 

So, to protect privacy as well as to protect the enterprise, employees should not be permitted to use their personal devices for work. 

The Federal Trade Commission

There is yet another reason to have a CTR policy.  In the context of an enterprise interacting with its customers, the Federal Trade Commission (FTC) has recently asserted a broad authority to protect the consumer.  The Federal Trade Commission Act (the Act) prohibits “unfair or deceptive acts or practices in or affecting commerce,” and enables the FTC as a regulatory, enforcing agency.  15 U.S.C. §45(a).  The Act defines “unfair acts or practices” as acts or practices that cause or are likely to cause “substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”[8] 

For example, in a recent case, which was resolved by settlement, the FTC filed an enforcement action against TRENDnet, which makes routers, Internet cameras, and other networking devices.

The FTC alleged that TRENDnet had failed to adequately secure its Internet camera devices, which could have permitted users’ live video streams to be exposed to the public.  The adverse results were the litigation costs (of course), but also a requirement to revise its security policies and mandatory third-party reviews of its security obligations for the next twenty years.

In addition, there were restrictions on TRENDnet’s marketing and its customer support obligations.

So a “trend” is clear.[9]  Businesses can expect that a failure to adopt a privacy policy (at least in the context of the data they collect from consumers), or worse, a failure to abide by their own policies, may be seen as an unfair and deceptive act under the law.

Accordingly, businesses should, in addition to advising their engineers to secure the devices, have a CTR policy in order to demonstrate that they had a policy that was reasonable and had implemented it.

__________

[1]  191 Cal.App.4th 1047, 119 Cal.Rptr.3d 878 (2011).

[2]  See 17 Misc. 934, 847 N.Y.S.2d 436 (2007).

[3]  In re Asia Global Crossing, Ltd., 322 B.R. 247 (S.D.N.Y. 2005).

[4]  Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), rev'd on other grounds by City of Ontario, Cal. v. Quon, ___ U.S. ___, 130 S.Ct. 2619, 177 L.Ed.2d 216 (2010) (reversing on Fourth Amendment grounds only); see also City of Ontario, 130 S.Ct. at 2627 ("The petition for certiorari filed by Arch Wireless challenging the Ninth Circuit's ruling that Arch Wireless violated the SCA was denied.").

[5]  Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010).

[6]  Mintz v. Mark Bartelstein & Assoc., Inc., 885 F.Supp.2d 987, 998 (C.D. Cal. 2012).

[7]  Ibid.

[8]  See 15 U.S.C. 45(n).  The FTC can enforce this prohibition using administrative remedies and/or judicial remedies, including in a federal court proceeding in which civil penalties and/or injunctions may be sought.  15 U.S.C. 45(b) and 53(b).  The FTC argues that the scope of its authority is broad because Congress intentionally did not define “unfair” and left it to the FTC to do so.  See the FTC’s Brief in Federal Trade Commission v. Wyndham Hotels & Resorts, LLC, No. 14-3514 at pp. 16-17 (3rd Cir. Nov. 14, 2014).  www.ftc.gov/system/files/documents/cases/141105wyndham_3cir_ftcbrief.pdf, (last accessed April 8, 2015).

[9]  The broadness of the FTC’s authority is being challenged in an interlocutory appeal to the Third Circuit.  See Federal Trade Commission v. Wyndham Hotels and Resorts, LLC, Case No. 14-3514 (3d Cir. 2014).