A recent court decision holding that employees can claim the Fifth Amendment and refuse to unlock password-protected smartphones, even though the phones were issued by their employer for company business, demonstrates the increasing difficulty companies face in managing and protecting corporate information. The holding in SEC v. Huang, No. 15-269 (E.D. Pa. Sept. 23, 2015), arose following an SEC insider trading action against two former Capital One data analysts. Capital One had provided the SEC with the smartphones used by its employees, which had been issued by Capital One and which were used by the employees to conduct company business. However, the SEC was not able to access documents on the phones without first inputting the passcodes used to protect the phones. The company did not know the passcode, and as a matter of policy, did not ever require employees to provide the bank with their smartphone passcodes. Citing the Fifth Amendment privilege against self-incrimination, the employee defendants refused the SEC’s demand to reveal the passwords, and the SEC moved the court for an order compelling production.
In considering the SEC’s motion to compel, the court noted the importance of the issue:
We now consider another perspective on the interplay of mobile technology, employer rights and former employees' Fifth Amendment protections from disclosing personal secret passcodes created by Defendants, with their former employer's consent, to access the smartphones owned by their former employer.
Huang, at page 1. The court reviewed the long history of Fifth Amendment jurisprudence, noting that more than a decade ago, the Supreme Court differentiated the act of revealing “the combination to a wall safe” from “being forced to surrender the key to a strongbox,” as the first was testimonial rather than physical in nature. U.S. v. Hubbell, 530 U.S. 27 (2000). That opinion has been cited to allow a defendant to refuse to produce his computer passcodes, and the Eleventh Circuit has held that the Fifth Amendment protects an individual accused of possessing child pornography from having to decrypt a hard drive. See In re Grand Jury Duces Tecum Dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012); United States v. Kirschner, 823 F. Supp. 2d 665 (E.D. Mich.2010). In contrast, providing fingerprints to unlock a smartphone has been deemed not testimonial in nature. See Virginia v. Baust, No. CR14-1439 (Va. Cir. Ct. Oct. 28, 2014).
The SEC claimed that the two former employee defendants were corporate custodians of business records, which are not subject to Fifth Amendment protection, and thus should be compelled to disclose the passcodes to enable the SEC to obtain the business records. The court disagreed, finding that the SEC “is not seeking business records[,] but Defendants’ personal thought processes.” It highlighted the fact that Capital One had instructed its employees not to share or keep any records of the passcodes to find that “the act of producing their personal passcodes is testimonial in nature.” Thus, the court refused to order the employees to reveal the smartphone passcodes.
The Bottom Line: In a world where employer-issued smartphones are increasingly commonplace and used to conduct critical business in real-time, the Huang decision poses new challenges not only for government investigators, but also for companies seeking to protect and manage corporate information. In light ofHuang, companies would be wise to evaluate their device and password policies to ensure that they address the new and emerging technological and business realities.