Privacy of Employee Data on Dual-Use Devices
Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry — Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)
The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets. Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns. The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.
Verizon issued a Blackberry smartphone to its employee, Sandi Lazette. Lazette set up a personal Gmail account on the phone with Verizon’s permission. Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee. Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not. Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.
Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy. A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions. The court also allowed Lazette’s privacy claim to move forward.
LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.
1. Don’t read your employees’ personal messages—even if they are readily accessible. Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent. A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA. Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry. Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails. The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.
2. Construe grants of access narrowly. If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account. In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account. Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him. Years later, the supervisor logged into the account to read emails about the status of the company. In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial. Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.
3. Thoroughly purge personal data from company-issued electronic devices before reusing them. Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired. Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like. Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.
4. Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools. One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised. MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device. To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.
Related articles
The Electronic Wake Employees Leave Behind
Employer sues ex-employee for not updating his LinkedIn profile — Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).
What would you do if your ex-employee told everybody he still works for you? One company’s response was to sue. In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.
Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer. Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud. JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee. A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile. At most, JAVS alleged that the profile tricked others. Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.
LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging. Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization. Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:
1. Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.
2. Specify who owns Internet accounts handled by the ex-employee for the organization’s benefit and the information stored in the accounts. This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data. As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.
3. Restrict the amount of access to which former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization. Limiting access helps to prevent theft of trade secrets and proprietary information. Many CFAA lawsuits have been spawned by a failure to take this precaution.
4. Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”
5. Enable systems that allow of erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.
6. Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.
A Hack By Any Other Name
The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D .Cal. Mar. 12, 2013)
Nosal is back. This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity. The case returned to the trial court after the Ninth Circuit decision. The trial court recently convicted the defendant (David Nosal) of violating the CFAA. But before analyzing the decision, let’s take a brief look at the background.
Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm. After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others. In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems. In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system. Nosal used the stolen data to start his own executive search business. Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”
An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use. The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information. The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.
Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further. Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer. Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA. The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted. Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.
Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee. The court wasn’t enamored with this argument either. Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system. Clearly, an employer would not authorize an employee to allow another person to use his or her password. Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law. The court also rejected this argumen.
Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.” The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system. Both situations qualify as “access” under the CFAA.
LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms. According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.
Related articles
Hawaii Legislature Advances Bill to Ban Employer Access to Social Media Accounts of Job Applicants and Employees
Hawai‘i has jumped on the bandwagon of states (along with 31 other states, according to the National Conference of State Legislatures) introducing legislation to ban employers from requesting access to social media accounts of job applicants. Several bills on the subject were introduced in this year’s legislative session, but the one that appears to have the best chance of becoming law is HB713 H.D. 2 S.D. 1 (HB713). The bill has passed the House and gained the approval of two Senate committees. Next up for the bill is review by the Senate Judiciary Committee. As HB713 gains traction, let’s take a look at what it says and some issues it raises in its current form.
SUMMARY OF HB713, H.D. 2
HB713 would insert a new section into the Hawai‘i statute governing discriminatory employment practices, Hawai‘i Revised Statutes (HRS) chapter 378, part I. The proposed law would apply to both job applicants and existing employees. Employers are prohibited from gaining access to a “personal account,” which is defined as:
An account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer. This definition shall not apply to any account, service, profile, or electronic mail created, maintained, used, or accessed by an employee or potential employee for business purposes of the employer or to engage in business-related communications.
Specifically, an employer may not “require, request, suggest, or cause” an employee or job applicant to: (1) turn over access to his or her personal account; (2) access his or her personal account while the employer looks on; or (3) divulge any personal account. An employer also may not fire, discipline, threaten, or retaliate against an employee or job applicant for turning down an illegal request for access.
There are exceptions, however.
- An employer may conduct an investigation to ensure compliance with law, regulatory requirements, or prohibitions against work-related employee misconduct based on receipt of specific information about activity on a personal online account or service by an employee or other source.
- An employer may conduct an investigation of an employee’s actions based on the receipt of specific information about unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to a personal online account or service.
- An employer may monitor, review, access, or block electronic data (a) stored on an electronic communications device that it pays for in part or in whole, or (b) traveling through or stored on an employer’s network, in compliance with state and federal law.
- An employer may get an employee’s login credentials to access an electronic communications device supplied or paid for in whole or in part by the employer.
- An employer may get an employee’s login credentials to access accounts or services provided by the employer or “by virtue of the employee’s employment relationship with the employer” or that the employee uses for business purposes.
- HB713 specifies that the proposed law is not intended to prevent an employer from complying with other law or the rules of self-regulatory organizations, and that the proposed law should not be construed to conflict with federal law.
OBSERVATIONS AND CONCERNS
Shoulder surfing nixed. The bill appears to make “shoulder surfing” by an employer illegal per se. Suppose an employee tells his boss, “Man, you cannot believe the whales my friend saw on her boat this weekend! She sent me a video of it on Facebook.” Intrigued, the boss says he wants to see the video. The employee obliges by logging on to her Facebook account while her boss watches over her shoulder. Did the boss unlawfully “request” that the employee grant him access to her “personal account”? Technically, yes. Note that HB713 has no exception for voluntary consent of the employee.
“Friending” employees might become illegal. Employers and employees sometimes connect on the same social network. While it isn’t always a good idea for an employer to “friend” an employee, it’s not illegal to do so—unless, perhaps, HB713 becomes the law. HB713 bans an employer from requesting that an employee “divulge any personal account.” Yet, that’s exactly what a friend request does—it requests access to portions of a social media account that can be viewed only by the account owner’s “friends.” The “divulge” language probably was intended to reach situations where an employer demands that an employee hand over access to another employee’s personal account. But as written, HB713’s prohibition against divulging any personal account could be interpreted to apply to innocent “friending.”
The line between personal and private is blurry. In a perfect world, employees would use business social media accounts strictly for business purposes and conduct all of their personal social media activity using separate social media accounts. That’s a best practice, not necessarily reality. The line between personal and business can get blurry in the social media space. It’s not unusual for employees to talk about work or promote their company within their personal social networks. If the employee uses his or her personal account for work purposes, shouldn’t the employer, who might have responsibility for the actions of its employee, be entitled to access the employee’s personal account in certain circumstances? On the other hand, to what extent must an employee use his or her personal account for work-related interactions before the employer should be allowed access to the account? These are difficult issues.
To address the issue, the latest draft of the bill tightens up the definition of “personal account” a bit and specifies that an employer may obtain login credentials from an employee to access “[a]ny accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes.” This language is somewhat vague. For example, what does “by virtue of the employer’s employment relationship with the employer” mean? It might well be that HB713 is trying to draw artificial distinctions between personal and work social media accounts when in practice, the distinction is sometimes fuzzy at best.
HB713 still has a few hurdles to overcome before it becomes law. Here at LegalTXTS, we’ll keep an eye out for the status of the bill.
Read MoreCourt Says Sharing a Video on Vimeo Doesn’t Fit the SCA
Sharing a link to unauthorized video capture of proprietary information is not a violation of Stored Communications Act—Castle Megastore Group, Inc. v. Wilson, 2013 WL 672895 (D. Ariz. Feb. 25, 2013)
In closing arguments to the jury at the O.J. Simpson murder trial, defense attorney Johnnie Cochran famously quipped, “If it doesn’t fit, you must acquit.” Plaintiff’s attorneys looking to add a Stored Communications Act (SCA) claim to their complaint would do well to heed Cochran’s advice. There have been a rash of cases dismissing ill-fitted SCA claims (see my recent posts here and here). Castle Megastore Group, Inc. v. Wilson is the latest.
Castle Megastore Group, Inc. (CMG) sued its former employees for allegedly sharing confidential company information with other companies while they were still employed at CMG. CMG claimed that Flynn, who was employed by CMG as its “Social Media Specialist,” violated the SCA by posting a video of a confidential CMG managers meeting on Vimeo, a third party website, and sending co-workers the link to the video and the password to his personal Vimeo account.
This scenario didn’t fit into within the prohibitions of the SCA, the court said. CMG argued that Vimeo was an “electronic communication service” within the meaning of the SCA, that the defendants knew the video contained confidential content before accessing it, and that Flynn lacked authority to give others access to the video. The court agreed that Vimeo is an electronic communication service, but Vimeo is where Flynn shared the video, not where he obtained it. The CMG did not allege that Flynn obtained the video through unauthorized access to a CMG-owned electronic communication service. Flynn was authorized to grant access to his personal Vimeo account. Sharing a link and password to that account did not violate the SCA, the court ruled.
LegalTXTS Lesson: Read the SCA carefully before making a claim under it. Understand how the various concepts in the statute (like “access,” “without authorization,” “facility,” and “electronic communication service”) fit together. Just because one or more of the concepts is present in a given situation doesn’t mean you’ve a viable SCA claim.
Read More
About the Author
View Elijah's LinkedIn Profile
Follow me on Twitter
Subscribe to this blog via RSS
Connect with me on Google+