Searchable: Digital Privacy in the Workplace
by Shaun Hassett
BYOD (bring your own device) policies are prevalent in modern organizations, with employees frequently allowed to use personal devices for business purposes. However, issues arise when the data on the employee-owned mobile device, or the mobile device itself, becomes the subject of an investigation. For instance, companies handling data governed by compliance regimes such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act of 1996) may find that a device belonging to an employee is subject to immense scrutiny if data stored on the device is compromised.
Accessing an employee’s personal device, however, is not as easy as simply asking the employee to turn it over and providing a replacement. The company must obtain the employee’s consent or else risk running afoul of statutes that prohibit a company’s access to personal devices without consent, such as the Stored Communications Act.
One strategy for obtaining an employee’s consent is through a user agreement. User agreements have been used successfully to define the terms by which an employee may access company information using a personal device, as well as the terms by which the company can control the device that the employee uses for such access. At a minimum, such a user agreement should: (1) clearly establish that the employee has no expectation of personal privacy in her mobile device if she accesses corporate data or engages in corporate communications; (2) clearly disclose what actions a corporation may take with respect to that device if it becomes the focus of an investigation; (3) inform employees that using an employee-owned device to access corporate information is a privilege, not a right; (4) inform the employee that the corporation has the right to completely wipe the device if it is reported lost or stolen, or has been disconnected from the network for a period of time; (5) require the employee to activate security features such as a password or PIN code; and (6) require the employee to turn over the device (and any passwords) upon request in the event of an investigation, for at least as long as is required to extract the relevant data. Clear user agreements are essential if employees are going to be permitted to access company data on personal devices.
Importantly, any user agreement should be easily accessible. Burying the agreement in an employee handbook creates the possibility for the employee to argue ignorance of the agreement and its terms. Presenting a click-to-accept agreement before the software that provides access to company data is installed on the mobile device ties the employee’s acceptance of the terms directly to that access, and creates a record that the terms were accepted.
The intimate and potentially sensitive nature of personal information creates a heightened level of scrutiny when attempts are made to access an individual’s personal device, even when policies and agreements are in place that attempt to abolish privacy expectations. And if those policies and agreements are unclear, companies can be subject to invasion-of-privacy and other similar claims. Companies also should consider the effect that monitoring or accessing any personal email account or personal data on employee-owned devices may have on employee relations, even if such practices may be legally defensible.
Legal and employee-relations problems that result from investigating employee-owned mobile devices can be further reduced by limiting the scope of the investigation to what is absolutely necessary to satisfy legal requirements. A company should cease its investigation once it has what is needed to answer discovery, produce the necessary documents, or determine whether regulated data was accessed. The original cause of the investigation may not justify downloading every bit of data on the device and accessing the employee’s own data.
In conclusion, companies can minimize legal stumbles and tension in relationships with employees by: (1) setting clear expectations that an employee must allow access to the device in exchange for the ability and convenience of viewing company data, (2) separating company data from the employee’s own data where possible, and (3) setting limits on how far an investigation can go.
Shaun Hassett is an associate at Alston & Bird LLP. He can be reached at firstname.lastname@example.org