It should come as no surprise that more and more employees are being asked to use smartphones, tablets or other handheld devices in the performance of their jobs. At the same time, employees often have strong preferences about the types of devices they want to use, and many do not want to carry multiple devices. Initially, many employers issued BlackBerrys to their employees and relied on the security that those devices provided. Now, companies are beginning to see the benefits of allowing employees to bring their own devices – or “BYOD” as it has been dubbed – and as a result, the already-murky world of employee privacy rights has just become even more opaque. Whether your organization has implemented a BYOD policy or is still struggling with the intermingling of personal and work-related communications on employer-issued devices, some best practices are starting to emerge.
As an initial matter, it is always best to be as clear and specific as possible about what employees can expect regarding the privacy of their personal information. The U.S. District Court for the Northern District of Ohio recently issued an opinion in Lazette v. Kulmatycki, 2013 U.S. Dist. LEXIS 81174 (N.D. Ohio June 5, 2013), in which it denied a motion to dismiss the plaintiff’s complaint for invasion of privacy and the violation of various federal laws where the supervisor used a company-owned BlackBerry mobile device to access a former employee’s personal email. Among other things, the court found that such access may violate the Stored Communications Act (SCA), 18 U.S.C. § 2701, et seq.
In the Lazette case, the former employee was permitted to use her device for personal email, which she believed she had deleted prior to returning the device to her employer. After her employment ended, the plaintiff alleged that her supervisor subsequently accessed 48,000 email messages and shared some personal information with third parties.
The court held that the SCA applied to this case and that the supervisor could be liable for accessing the information because he did not have authority to do so. Moreover, the court held that the employer could be vicariously liable. The fact that the device was owned by the company did not satisfy the requirement for authorization.
Various state and federal laws prohibit unauthorized access to electronic communications and invasion of privacy. Federal law prohibits intentional unauthorized access to employees’ personal electronic devices. The Electronic Communications Privacy Act of 1986 (ECPA) amended wiretapping laws and regulates other forms of electronic communications. The Stored Communications Act (SCA), contained in Title II of the ECPA, provides that “whoever intentionally accesses without authorization a facility through which an electronic communication service is provided … and thereby obtains, alters or prevents authorized access to a wire or electronic communication while it is in electronic storage … shall be punished as provided….” 18 U.S.C. § 2701(a)(1). The statute includes a civil action as well as criminal penalties. 18 U.S.C. § 2701(b). The SCA does permit access to a stored communication, however, when consent is provided by the user. 18 U.S.C. § 2701(c)(2).
What does this recent decision mean as you consider or review a BYOD policy? First, if your company already has a BYOD policy, the policy language should be examined to ensure that employees have clear and precise notice of your company’s privacy policies. Second, employers must tread carefully when accessing employees’ personal information or email messages – regardless of what a policy provides or who owns the device. The policy should identify those instances in which access may be appropriate or required. Third, be certain you have the employee’s informed consent before accessing such personal information. These steps are necessary not only to avoid running afoul of common law privacy claims, but also to reduce potential exposure to statutory claims under federal or state law.
Employers who choose to implement BYOD programs should carefully craft a BYOD acceptable use policy that takes into account privacy concerns under federal and state laws. As a best practice, the policy should identify the security precautions the company will take to protect its data, and the circumstances under which it will monitor and access an employee’s device. The policy should also address the company’s procedures if the device is lost or stolen. Moreover, in light of the recent opinion in Lazette, the BYOD policy should provide for employee consent to employer access and monitoring of the device.
Through a carefully crafted BYOD policy, employers may be able to eliminate any expectation of privacy even on employee-owned smartphones used for business purposes. In the alternative, employers may decide instead to acknowledge a zone of privacy for employees’ personal usage. In such cases, the BYOD policy may state that employees have a reasonable expectation of privacy on their personal devices, but that the employer still has a right to monitor or access the device for specified reasons. For example, the employer may access the device “in order to protect its confidential or proprietary information, in the event of a litigation hold, in the course of a company investigation or upon termination of employment.”
The BYOD policy also should provide that the employer may access the device to remotely wipe data if the device is lost or stolen or in the event of a security threat or breach. The BYOD policy should state that employers may be required to wipe the entire device if personal and company data are intermingled or if the employer detects a threat, and therefore employees are encouraged to back up all photos, contacts and personal information on the device. The policy also should disavow company responsibility for lost or damaged personal data, applications, photos or downloaded information.
In the end, the lesson from the Lazette decision is that your policy should be clear and precise in managing employee privacy expectations and setting forth the company’s interests and the measures it may take to protect them. As more and more companies develop a BYOD policy, courts are likely to continue to redefine the scope of what is personal and private and potentially “off limits.” By anticipating situations that can arise in the workplace, an employer can successfully navigate these murky waters while we wait for further guidance from the courts.