Employers realized long ago the benefits derived from providing their employees with smartphones, tablets or other handheld devices. Those benefits include gains in employee productivity and morale, resulting from employees having the flexibility to work from the road or during non-business hours. For many years, employers frequently chose to issue BlackBerrys to their work forces for these reasons. Employers also issued BlackBerrys to their work forces because the BlackBerry allowed employers to retain a high level of control over data access and security.1 However, since 2009, sales of BlackBerrys have declined dramatically,2 and more recently BlackBerry usage among businesses has substantially decreased while usage of iPhones and Android-based smartphones is on the rise.3
Consistent with these changes in the market for smartphones, employees are increasingly asking their employers that they be excused from using employer-issued mobile devices. Instead, employees overwhelmingly appear to be asking to connect to company email and data networks using their own smartphones. A survey of 3,000 workers reported by McKinsey last summer indicates that 80 percent of smartphones used for work are employee-owned.4
Employees who choose to use their personal devices for work not only avoid the inconvenience of juggling multiple mobile devices, but also have the benefit of choosing the device that best suits their personal preferences. The trend of employees using their own personal devices to access their employer’s email and other data networks has been dubbed “Bring Your Own Device” or “BYOD.”
Though BYOD is already a fact of life in numerous workplaces, many employers have not yet modified their policies to address privacy issues arising from employees using their personal mobile devices for business purposes. When employer-issued BlackBerry devices are issued to employees, employers could exercise complete control over the devices, as well as provide security protocols governing when the employer can access the device and erase sensitive data from the device. However, when the employee owns the device, employers must consider whether and how to secure sensitive employer data on mobile devices the employer does not control.
How does an employer gain access to an employee’s personal device while steering clear of the employee’s private information that may also be contained on the device? To what extent is the employer’s sensitive data subject to being compromised if the device is lost or stolen? Does the employer have a need to wipe all data from the device to protect the employer’s sensitive data, including the employee’s photos, contacts and personal email? These questions raise concerns regarding employer compliance with state and federal privacy laws regarding access to and monitoring of electronic data and communications.
In this article, we examine state and federal privacy laws relevant to BYOD and provide recommendations for employers in crafting policies to address BYOD.
Various state and federal laws prohibit unauthorized access to electronic communications and invasion of privacy. Federal law prohibits intentional unauthorized access to employees’ personal electronic devices. The Electronic Communications Privacy Act of 1986 (ECPA) was enacted to amend existing wiretap laws to regulate emerging forms of electronic communications. The Stored Communications Act (SCA) contained in Title II of the ECPA, provides that “whoever intentionally accesses without authorization a facility through which an electronic communication service is provided…and thereby obtains, alters or prevents authorized access to a wire or electronic communication while it is in electronic storage…shall be punished as provided….” 18 U.S.C. § 2701(a)(1). The statute includes a civil action as well as criminal punishment. 18 U.S.C. §2701(b). However, the SCA permits access to a stored communication when consent is provided by the user. 18 U.S.C. §2701(c)(2).
New York Penal Law likewise prohibits eavesdropping, defined as “unlawfully engag[ing] in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing electronic communication.” New York Penal Law §250.05 (McKinney 2000). The statute defines “intercepting or accessing electronic communication” as intentionally “acquiring, receiving, collecting, overhearing or recording of an electronic communication without consent from the sender or intended receiver….” New York Penal Law §250.00(6) (McKinney 2000). Eavesdropping is a Class E felony and may carry a punishment of up to four years in prison.
New York does not recognize a common law right of privacy.5 However, many other states have adopted a cause of action for intrusion upon seclusion from the Second Restatement of Torts. This cause of action provides civil liability for intentional physical intrusion upon the solitude or seclusion of another. Restatement (Second) of Torts §652B. The physical intrusion need not be into a person’s space or senses. Id. It may be an investigation or examination of a person’s personal concerns or effects, including electronic devices. Id.
In addition, a few states have enacted statutes specifically requiring employers to give notice when monitoring employees’ activities on electronic devices. For example, a Delaware statute provides that employers shall not monitor telephone, email, or Internet usage unless the employee is given notice every day that these resources are accessed, or the employee acknowledges the relevant policy. 19 Del. C. §705 (2008). A Connecticut statute requires that employers who engage in electronic monitoring give written notice informing employees that monitoring will occur and post “in a conspicuous place which is readily available for viewing” the types of monitoring that may occur. Conn. Gen. Stat. §31-48d (2008). New York, Massachusetts and Pennsylvania all have similar legislation pending.6
Sitton v. Print Direction, Inc., 718 S.E.2d 532 (Ga. Ct. App. 2011) provides one recent example of an employee challenging an employer’s access to the employee’s personal laptop computer on privacy grounds. Though involving an employee-owned laptop computer, the legal issues addressed by the court certainly may have applicability to employee-owned mobile devices.
In Sitton, the plaintiff Larry Sitton filed suit against his employer Print Direction Inc. (PDI) after his employment was terminated for conducting a competing business during his employment by PDI. PDI provided employees with a laptop for work-related tasks; however, Sitton chose to use his own computer to connect to PDI’s network and conduct his work. PDI also provided employees with an employee manual which prohibited employees from taking outside jobs with competitors of PDI.
During his time at PDI, Sitton brokered more than $150,000 in print jobs for a competing print brokerage business that his wife had started and on which Sitton served as a manager. Sitton, 718 S.E.2d at 535. Upon hearing of Sitton’s competing business, the president and CEO of PDI, William Stanton Jr., entered Sitton’s office where Sitton’s personal laptop was located. The CEO moved the computer’s mouse to find Sitton’s emails on the screen, and printed certain emails relating to outside printing companies. The emails were located in a separate email account from Sitton’s PDI-issued account, and confirmed Sitton’s violations. Id.
Sitton filed suit alleging computer trespass and invasion of privacy under state law, and invasion of privacy based on unreasonable intrusion upon seclusion under the common law. The trial court entered judgment against Sitton and awarded damages to PDI. Sitton appealed, and the Court of Appeals of Georgia affirmed the lower court’s decision.
Sitton sued under the Georgia Computer Systems Protection Act (OCGA), which provides civil liability and a civil remedy for criminal offenses. Under the OCGA, computer theft, invasion and trespass require that the action be taken “with knowledge” that the use of the computer or examination of another’s data was “without authority,” and that the actions were taken with the requisite intent to take, obtain or convert personal property, delete data, obstruct or interfere with data or examine any personal data. Id. at 535–36.
The court reasoned that Stanton had proper authority to inspect Sitton’s personal computer pursuant to the computer usage policy located in PDI’s employee manual. The policy was not limited to PDI-owned equipment. It allowed PDI to inspect contents of electronic devices in the course of an investigation triggered by indications of unacceptable behavior. Id.
Sitton also sued PDI for common law invasion of privacy, alleging intrusion upon his seclusion and solitude into his private affairs. In order to prove unreasonable intrusion, a plaintiff must show a “physical intrusion.” However, this requirement can be met by showing that the defendant monitored the plaintiff’s activities or conducted surveillance of the plaintiff. Id. at 537. The court concluded that no such intrusion took place because, even if reviewing Sitton’s emails was considered “surveillance,” it was reasonable in light of the situation. Stanton acted specifically in response to an investigation of improper employee behavior. Id.
Employers who choose to implement BYOD programs should carefully craft a BYOD acceptable use policy, which takes into account privacy concerns under federal and state privacy laws. Ideally, a BYOD policy should be separate from any existing policy governing use of company-issued devices. The policy should detail security measures the company will take to protect its data, occasions for monitoring and accessing an employee’s device, and proper procedures that the employee agrees to take in conjunction with the company if the device is lost or stolen. Most importantly, the BYOD policy must provide employee consent to employer access and monitoring of the device. While consent to access and monitor an employee’s device may be stated expressly in the BYOD policy, for avoidance of doubt employers may also choose to obtain written acknowledgment from employees stating they have received and understand the policy.
The BYOD policy should identify the devices to which it applies. For example, the policy may state that it applies to all “Smartphones including iPhones, Androids, BlackBerrys, Windows phones, and tablets including iPads and Androids that the employee wishes to use to access employer email or other employer data.”
These policy provisions will assist the employer in managing and securing each device. Employers should further specify which operating systems, models or versions of each device are permitted consistent with compatibility with software used by the company. The larger variety of operating systems employees use, the more difficult control and monitoring will be for the employer.
The BYOD policy should provide that the employee must present any mobile devices to the employer’s IT department prior to connecting to the company network, and that the employee consents to the employer installing proper security protocol and necessary office software. The BYOD policy should also specifically address device security. For example, in order to prevent unauthorized access, the BYOD policy should specify that devices must be password protected, using a company-provided password application. These password applications may require longer, more complex passwords than generally available on smartphones. The BYOD policy should also provide that if the device is lost or stolen, the employee must notify the company within 24 hours.
Through a carefully crafted BYOD policy, employers may be able to eliminate any expectation of privacy on employee-owned smartphones used for business purposes. However, employers may decide instead to acknowledge a zone of privacy for employee’s personal usage. In such cases, the BYOD policy may state that employees have a reasonable expectation of privacy on their personal devices, but that the employer nevertheless has the right to monitor or access the device for specified reasons. For example, the employer may access the device “to protect against security risks, investigate employee misconduct, upon need for preservation or notice of discovery, and upon employee breach of contract or termination.”
The BYOD policy also should provide that the employer may access the device to remotely wipe data if the device is lost or stolen or if the IT department detects a breach in policy, a virus or other security threat. The BYOD policy should state that employers may be required to wipe the entire device if personal and company data are intermingled or the employer detects a security threat and therefore employees are encouraged to backup all photos, contacts and personal information on the device. To the extent feasible or desirable, the policy may provide that the employer may endeavor to avoid erasing the employee’s non-work-related information on the device.
The BYOD policy also should address the nature of the employer data that the employee will be permitted to access using the employee’s personal device. For example, the BYOD policy may state that employees will not download sensitive or privileged data onto their personal devices unless the data is downloaded into a company-provided folder or email box. The policy should specify the extent to which the employer’s IT department will be available to support the employee’s use of the personal device.
The policy also should state that the company will not be responsible for lost or damaged personal data as a result of company services, applications or downloaded information. This policy provision not only allows an employer to secure data but also allows employers efficiently to locate sensitive or relevant data on an employee’s personal device when necessary. A release regarding IT support would be a prudent measure for employers, because third-party software and data will often slow speed and decrease space on a personal device.
Jeffrey S. Klein and Nicholas J. Pappas are partners at Weil, Gotshal & Manges. Kendra Okposo, an associate at the firm, assisted with the preparation of this article.
1. Lisa Ellis, BYOD: From company-issued to employee owned devices, MCKINSEY&COMPANY (June 2012), available at http://www.mckinsey.com/Search.aspx?q=byod.
2. BlackBerry’s Spectacular Decline, ROYAL PINGDOM (Sept. 25, 2012), http://royal.pingdom.com/2012/09/25/blackberry-spectacular-decline/ (last visited Nov. 26, 2012).
3. See Trevor Mogg, iPhone overtakes BlackBerry to become top phone for business users, DIGITAL TRENDS (Nov. 16, 2011), http://www.digitaltrends.com/mobile/iphone-overtakes-blackberry-to-become-top-phone-for-business-users/ (last visited Nov. 26, 2012); see also Alan Cohen, Am Law Tech Survey 2012: “Both Sides Now,” CORPORATE COUNSEL (Nov. 5, 2012), http://www.law.com/corporatecounsel/PubArticleCC.jsp?id=1352632492788&Am_Law_Tech_Survey_2012_Both_Sides_Now&slreturn=20121026154245 (last visited Nov. 26, 2012); see also The BlackBerry as Black Sheep, NY TIMES (Oct. 15, 2012), available at http://www.nytimes.com/2012/10/16/technology/blackberry-becomes-a-source-of-shame-for-users.html?_r=0.
4. See ELLIS, supra note 1.
5. See Stephano v. News Group Publications, Inc., 474 N.E.2d 580, 584 (N.Y. 1984).
6. See H.R. 1862, 2009, Gen. Assem. (Mass. 2009) (Massachusetts bill calling for written general and specific notice to all employees potentially affected by employer monitoring); S. 363. 2009, Gen. Assem. (Pa. 2009), §2(b) (Pennsylvania bill providing that any employer who engages in electronic monitoring without having provided the employee with notice is liable to the employee for relief); A. 3871, 2009-2010, Reg. Sess. (N.Y. 2009) (New York bill requires employers to provide written notice of monitoring to employees upon hiring, and once each year, informing employees of the types of monitoring that may occur).