Privacy issues are increasing Pedro Miguel Sousa
The proliferation of smartphones and tablets and an increasing desire to use these devices for both personal and business communications has prompted many employers to consider or implement Bring Your Own Device (BYOD) policies. Allowing employees to use wireless devices for personal and business use can contribute to increased efficiency and job satisfaction, and it can provide cost-effective solutions for employers. BYOD programs can pose risks, however, especially in an environment where entities and government agencies around the world are increasingly subject to cyber attacks and breaches that compromise the confidentiality and integrity of their own information, as well as personal information of their employees and customers.
Privacy concerns and security lapses are becoming some of the fastest-growing sources of litigation in the United States. As a result, employers must remain aware of the variety of ways that data breaches can occur, such as hacking or phishing attacks, negligent employees or contractors, loss or theft of devices, improper disposal of data, and system glitches. Employers must ensure that employees’ devices are appropriately configured and managed to protect the confidentiality and integrity of business information but not impede investigations or their ability to comply with applicable laws. Numerous mobile device management companies offer a variety of technologies to maintain the security of business data on wireless devices. Requiring appropriate security measures, such as encryption and strong passwords, is a must.
The UK intervention
The growing popularity of BYOD programs has generated guidance from authorities such as the UK Information Commissioner’s Office (for data controllers subject to the UK Data Protection Act 1998) and the White House (for U.S. federal agencies). Developing and implementing an effective BYOD program is not a “one size fits all” approach, however; it requires an examination of the type of data that an entity collects and maintains and how the data is being handled and stored, as well as collaboration and input from information technology (IT), human resources (HR), and legal departments. It also requires consideration of a host of U.S. and international laws, rules, and regulations. While a comprehensive survey of the BYOD legal landscape is beyond the scope of this article, some relevant issues from a U.S. legal perspective are described below.
The US legal landscape
The US privacy and data security landscape is comprised of a host of sector-specific laws, many of which apply to the BYOD context. For example, companies must understand whether and to what extent they must comply with federal laws governing the handling of sensitive health, financial, and credit information, and whether their monitoring of employees’ activities could amount to violations of computer crimes laws. In addition, most states have their own consumer protection and computer crimes laws, data breach notification and data security laws, and laws governing the protection of Social Security numbers, which vary. Industry standards also apply. Complying with all applicable laws and requirements can be a challenge depending on an entity’s size and operations.
US courts address the issues
Many courts have addressed employees’ expectations of privacy in the workplace, but case law specific to BYOD is still developing. Some recent cases are instructive, and reinforce the importance of having in place a precise, reasonably tailored use policy that employees must acknowledge and agree to. In Lazette v. Kulmatycki, No. 3:12CV2416 (N.D. Ohio June 5, 2013), the court rejected a motion to dismiss a complaint alleging that the plaintiff’s former employer, Verizon Wireless, and supervisor violated the federal Stored Communications Act (SCA) when her supervisor read thousands of e-mail messages sent to the employee’s personal e-mail account that were stored on a company-issued smartphone.
The court held that the SCA applies to unauthorized access to employees’ personal e-mail accounts, and that the supervisor violated the SCA by viewing the plaintiff’s e-mails without authorization (although the ruling was limited to unopened e-mails). In United States v. Finazzo, No. 10-cr-457 (E.D.N.Y. Feb. 19, 2013), the court denied the plaintiff’s motion to preclude the government from introducing at trial an e-mail that the plaintiff sent to his attorney using his company e-mail account. The court found that the plaintiff had no reasonable expectation of privacy in a communication made through a company e-mail account because the company had a clear written policy that limited personal use of company systems, reserved the company’s right to monitor use, and made it “abundantly clear” to employees that they had no right to privacy when using the company’s systems.
Implementing a BYOD Programme
Incorporating appropriate protections and implementing appropriate policies at the start can help mitigate these issues. An essential first step is to map the data and determine the type of information that employees have access to, where and how it is stored, and how it is shared. It is also important to have a written BYOD policy in place that employees acknowledge and agree to so that each party’s rights are clearly defined.
BYOD policies must be tailored to individual employers, their businesses, and the type of information that employees have access to. Employers must balance the privacy rights of employees against their own needs and requirements, such as security, legal discovery, and managing information stored on personal devices when employees leave or when a device is lost or stolen. BYOD policies must take into account applicable laws, as well as existing company policies and practices. In addition, Fair Labor Standards Act requirements may impact the extent to which non-exempt employees can use their wireless devices for business purposes.
What BYOD policies should contain
While BYOD policies will vary, some issues to consider include:
• For security purposes, what types of devices and apps are and are not permitted.
• Employees’ expectations of privacy and the employer’s right to access (physically or remotely) personal devices for legitimate business purposes, delete data in certain circumstances, and install security software to protect its data.
• Requirements to promptly notify the employer if a device is lost or stolen.
• Prohibitions on sharing devices with others.
• Prohibitions or restrictions on the use of personal e-mail accounts to conduct business and downloading or transferring certain data to personal devices.
• Restrictions on websites that can be accessed via the corporate network and/or establishment of separate networks through which such sites can be accessed.
• Requirements to implement password protection (including strong passwords) and keep devices current with security patches, anti-virus protection, and the like.
• Requirements to comply with laws applicable to use of a device while operating a motor vehicle.
Once a policy is in place, it is important to conduct ongoing training to educate employees regarding the use of personal devices for business purposes. In addition, it is prudent to perform routine audits to ensure compliance and take appropriate action if devices are being misused or policies are violated.
The legal landscape continues to evolve as existing laws are applied to new technologies, devices, and means for conducting business. The increasing popularity of BYOD programs and allowing employees to use the same device for personal and business use will continue to shape the legal framework. This makes it even more important for companies to carefully assess the IT, HR, and legal aspects as they introduce new practices into the workplace.
ABOUT THE AUTHOR
Tracy Marshall, Esq. is a Partner in the Washington, DC office of Keller and Heckman LLP. She assists clients with a range of business and regulatory matters, including privacy, data security and digital media issues. She graduated from Washington and Lee University in 1997 and received her J.D. from American University Washington College of Law in 2002.She can be contacted by e-mail at firstname.lastname@example.org or by phone at (202) 434-4234.