An employee sued the company for discrimination. After the suit was filed, the company archived everything saved on her work computer to preserve evidence.

The saved files included e-mails she sent via a personal, password-protected account. The company didn’t access the account directly, but copies of the messages had been automatically saved to her browser’s cache.

Some of the e-mails were conversations between the employee and her attorney, which contained evidence the company felt would help its case.

After the employer presented the messages in court, the employee claimed her rights to privacy and attorney-client privilege had been violated.

The company argued the employee had no such rights — its computer use policy stated that anything done on workplace computers could be monitored.

But the court disagreed. The judge ruled the employee had a “reasonable expectation of privacy,” because the policy didn’t mention that e-mails sent using a personal account would be saved to her hard drive.

It didn’t matter that she sent the e-mails at work — since the account was password-protected and not administered by the company, she reasonably assumed the company wouldn’t be able to read them.

Add to that the fact that the e-mails were between the employee and her lawyer, and the court ruled the company was at fault when it read the messages and tried to submit them as evidence.

What can companies monitor?

In most cases, whether monitoring is legal or not comes down to one question: Who owns the e-mail?

In other words, are the messages stored on the company’s network or by a third party (as is the case with personal accounts, like Yahoo and Gmail)?

While employers are normally within their rights to monitor employees’ work e-mail, courts will usually draw the line when the data’s stored by a third party.

Also, keep in mind:

• Have a clear-cut computer use policy – Employees can also win in court when they show they have a “reasonable expectation” of privacy. So inform all employees that their Web use at work will be monitored — and think twice before conducting any monitoring that isn’t clearly mentioned in the policy.
• Train managers – Some supervisors will go to great lengths when they suspect an employee of wrongdoing. But they should be warned that an investigation could become an invasion of privacy.

Cite: Stengart v. Loving Care Agency

The suit concerned a breach of Aetna’s job application database, which contained “the e-mail addresses of 450,000 job applicants, along with the social security numbers of current and former employees.”

Applicants’ social security numbers, telephone numbers for addresses, and employment histories were also in the system.

Aetna sent out warning letters to 65,000 current and former employees after it discovered the breach had occurred, and offered them a year’s worth of free credit monitoring.

A number of applicants subsequently were sent so-called “phishing” e-mails from a source pretending to be Aetna, asking them for even more personal information, supposedly to add to their job application.

The judge in the case threw out the class action, stating in a 14-page opinion that the alleged damage to the plaintiffs was speculative only, with no concrete proof. “At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”

Lesson: This case seems to set a condition that real, provable harm to the plaintiff is a necessary condition for a data breach-related lawsuit. Also, taking prompt action by notifying those affected by the breach can help prevent ID theft, and therefore shield the company from liability.

However, this case is surely just an opening skirmish in what promises to be a long legal war.

The legal liability for getting hacked is getting real, as a few recent news stories demonstrate — and Congress is working on even tougher rules.

That puts a bigger security burden than ever on your company. Just promising to do better next time may not cut it.

Take these recent news stories:

1. The Federal Trade Commission (FTC) recently made the biggest fine ever on a company whose records were stolen by a hacker. Data broker ChoicePoint was fined $275,000 for allowing two major data attacks, affecting more than 160,000 U.S. consumers. The attacks included the theft of social security numbers and other personal information.
2. A federal judge shot down a recent offer by stockbroker TDAmritrade to settle claims based on a 2007 data breach that compromised names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers. The solution that the company had worked out (which involved having a third-party analytics firm discover if any identity theft had happened, plus an offer of free security software for customers) was rejected as “very temporary fixes.” The company will have to do far better, according to the judge.
3. In Maine, a decision is pending from the state Supreme Court on whether companies can be charged by consumers and banks for the time and money involved in resolving problems and reissuing cards compromised by stolen data. Regional supermarket chain Hannaford Brothers (no relation) had data about 4.2 million debit and credit card customers stolen.

As a Computerworld article dealing with the Maine case states:

“In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.”

But that may be changing — whichever decision Maine’s high court makes is expected to influence judges in other jurisdictions. And, meanwhile, Congress is poised to pass Personal Data Privacy and Security Act, which would require notification of victims and hold companies liable for breaches (mirroring several state laws already on the books). The cost of inadequate data security may be about to get a lot higher.