The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
The FTC released two guides on the privacy and security issues related to the Internet of Things. The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013. In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space. This prompted a FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report. In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis. The dissenting statement can be found here.
The report discusses the benefits of IoT as well as three risks:
- enabling unauthorized access and misuse of personal information;
- facilitating attacks on other systems; and
- creating risks to personal safety
The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice. Click here to read the full report.
Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications. Download the guide here.
Suppose an email from your company’s in-house attorney instructs you to preserve all documents relating to an ex-employee who is threatening to sue for wrongful termination. In the days before smartphones and cloud storage, this would have been a relatively limited exercise: paper documents would be set aside and files on the company server would be backed up. But work-related data can be stored in many places today, including personal devices of employees. Is a company required to preserve such data?
Costco Wholesale recently faced that issue in an employment discrimination and retaliation lawsuit. See Cotton v. Costco Wholesale Corp., 2013 WL 3819974 (D. Kan. July 24, 2013). The plaintiff asked Costco to produce text messages on the personal cell phones of two of its employees who mentioned the plaintiff or his allegations. Costco objected on the grounds that the discovery request required it to invade the privacy of its employees, and there was no indication that the employees sent inappropriate text messages or used their personal phones for work purposes. The court denied the request, determining that Costco did not have possession, custody, or control of the text messages.
Although the court in the Cotton case ruled that the employer had no duty to produce information stored on the personal devices of the employees in question, the outcome might have been different if the facts had changed even slightly. Courts in other jurisdictions might also have taken a contrary approach.
The law in this area is far from clear, but following the guidelines below will help a company address e-discovery issues in their policy on personal electronic devices. An easy way to remember the guidelines is to think of the acronym “APPS”:
- Access: Reserve the right to access personal devices that store work-related data. Access is crucial if the company is legally required to collect and produce data residing in the personal devices of an employee.
- Permission: Clearly specify what personal devices employees are authorized to use for work-related purposes, if any. Consider keeping a log of authorized personal devices and require employees to update the log whenever they start using a new authorized device or retire an existing one. Your company’s document retention policy should extend to authorized devices.
- Privacy: Notify employees that they should have no expectation of privacy to data stored on a personal device if they use the device for work purposes. This prevents the company from being liable for invasion of privacy should it need to search the contents of a personal device to respond to a discovery request.
- Segregation: If possible, segregate work-related content from personal content on personal devices. Segregation can be implemented with software solutions, but if that is not feasible, at a minimum, instruct and train employees who use a personal device for work on how to keep their personal information separate from work data stored on the device. For example, storage of work-related data in a personal cloud storage account should be prohibited.
Follow the above guidelines to avoid getting caught off-guard by e-discovery requests.
(Photo credit: Wikipedia)
“Smile, you’re on Candid Camera.” Originally coined on the eponymous TV show, that catchphrase is becoming more of common refrain in the workplace. Any employee with a smartphone can easily record an office conversation in secret. But are such covert recordings legal? And what control, if any, does management have over the making of such recordings?
The Law of Recording Face-to-Face Conversations
A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations. This rule authorizes the recording of a conversation so as long as one person in the conversation consents. The consenting party can also be the person recording the conversation. Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.
Most other states require the consent of all participants in the conversation. Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.
Workplace Bans on Covert Recordings
Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA). A recent National Labor Relations Board decision illustrates this. Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013). The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval. The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”
The administrative law judge (ALJ) in the case upheld the policy. The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right. It was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters. The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace. The policy regulated a means of communication as opposed to the protected activity itself. It also did not prohibit employees from making recordings during non-work time. The policy therefore did not violate Section 7 rights.
The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:
- Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
- Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
- Does the rule allow employees to make recordings during non-work hours?
A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry — Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)
The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets. Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns. The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.
Verizon issued a Blackberry smartphone to its employee, Sandi Lazette. Lazette set up a personal Gmail account on the phone with Verizon’s permission. Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee. Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not. Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.
Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy. A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions. The court also allowed Lazette’s privacy claim to move forward.
LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.
1. Don’t read your employees’ personal messages—even if they are readily accessible. Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent. A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA. Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry. Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails. The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.
2. Construe grants of access narrowly. If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account. In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account. Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him. Years later, the supervisor logged into the account to read emails about the status of the company. In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial. Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.
3. Thoroughly purge personal data from company-issued electronic devices before reusing them. Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired. Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like. Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.
4. Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools. One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised. MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device. To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.