The new trend in information technology is "consumerization" — the movement toward the consumer gadget market influencing corporate information technology usage. Employees’ desire to use, for work purposes, the latest in technology and top-selling consumer smartphones, tablets and other smart devices at work is driving consumerization. Mobile devices allow workers to access all of their work information at anytime, anywhere and with any device.
Technology advances impact workplace privacy. While mobile devices offer more functionality, employers potentially have access to more private information about or generated by employees. Moreover, another hot technology trend — "bring your own device" or "BYOD" policies — is becoming more popular. The term BYOD refers to companies that allow their employees to use mobile devices of their choice, which the employees may have purchased themselves. Under BYOD policies, employees can use their devices for personal purposes. BYOD policies potentially give employers even more access to sensitive employee information than they would if they issued mobile devices themselves and allowed only occasional personal use.
Why Things Are Different Now
In some sense, today’s use of mobile devices resembles technology seen in the late 1990s when people began using cellphones. Laptops were the mobile computing platform of choice. Some people also used pagers, which could receive and sometimes send text messages. With these devices, employees could communicate by voice and text, use software applications (on laptops), gain remote access to computer networks, and take pictures and video (using external cameras). Eventually, cellular plans allowed laptops to connect to the Internet via cellular networks. So what’s different now?
A number of changes make today’s mobile devices different than the mobile devices of yesteryear. The following are the top differences, but this list is by no means exhaustive. First, the ecosystem of applications now available is making the smartphone another computing platform. Starting with the iPhone and continuing with Android and BlackBerry competitors, phones have become another computing platform in ways entirely different than the personal digital assistants popular a dozen years ago. The smartphone has become an extension of its user, connecting the user to the Internet and providing applications that fulfill a substantial set of computing needs for which we formerly depended on laptops.
Second, the tablet computer has emerged as a popular platform. It is cannibalizing the laptop and netbook market, and in many ways is more useful than phones with relatively small screens.
Third, cloud computing and online services permit people to synchronize data over desktops, laptops, tablets and phones. One of the problems with old PDAs was the clumsiness involved in sharing data between them and PCs. Cloud services have overcome that problem.
Fourth, mobile devices use different operating systems than PCs, and the difference has data collection implications for e-discovery purposes, ease of use, security and technical support.
Fifth, modern mobile devices have geolocation capabilities and applications that can take advantage of geolocation in ways that devices of yesteryear could not.
Finally, people are using today’s mobile phones for photos and video more frequently than previous mobile devices. Cameras on mobile phones are high quality and are replacing handheld cameras and camcorders.
Privacy Liability and Rights
California employees, like all California citizens, have an inalienable right to privacy under Article 1, Section 1 of the state Constitution. Likewise, the common law protects employees against privacy intrusions. Employers face privacy liability under both the Constitution and the tort of intrusion if they violate their employees’ privacy. Liability under both depends on, first, the nature of the intrusion upon an employee’s reasonable expectation of privacy; and second, the offensiveness or seriousness of the intrusion. The second factor takes into account any justification or relevant interests of the employer. Government employers face additional possible privacy liability for unreasonable searches and seizures of their employees in violation of the Fourth Amendment.
The most important issue in a privacy analysis of any employee monitoring program is whether the employee has a reasonable expectation of privacy in the conduct being monitored. Determining the expectation of privacy requires an analysis of the facts and circumstances in each case. The workplace may diminish expectations of privacy, but employees have at least some expectation of privacy. An employer can significantly reduce the expectation of employee privacy if it communicates a policy that clearly describes the kind of monitoring it plans to undertake, and tells employees that they should have no expectation that their monitored conduct will be private. Indeed, a review of the case law suggests that the presence or absence of a clear policy communicated to employees is the key factor in distinguishing between facing or avoiding liability.
In Hernandez v. Hillsides, 47 Cal.4th 272, 288 (2009), the California Supreme Court recognized that employers have some latitude to impose reasonable computer and Internet use policies and discipline employees for violating them. Moreover, the courts will not second-guess employers’ monitoring policies to say that they should have chosen less intrusive monitoring methods. Employers are not limited to choosing the least intrusive method of meeting their legitimate monitoring objectives.
Managing the Mobile Revolution at Work
In light of the above privacy principles applying to employer mobile device management practices, the pre-BYOD conventional wisdom suggested that employers create clear acceptable use policies minimizing the expectation of privacy. For instance, one court favorably cited literature recommending employer policies, saying that electronic communications are to be used solely for company business and that the company reserves the right to monitor or access all employees’ Internet and email usage. Employers could emphasize that they will keep copies of employee Internet or email passwords, and that passwords should not be considered an assurance of privacy.
Consumerization and BYOD, however, require a more nuanced analysis of how to draw privacy lines. Under BYOD policies, employers are allowing more personal usage of devices as employees may have purchased the device themselves and may be paying for some of the data and usage charges. Many employers now use mobile device management software to create a partial or complete demarcation between employer data and applications using a virtual secured "sandbox." Sandboxing keeps business data and applications separate from other data and applications — which the employee can use for personal purposes. Given BYOD’s changes in technology, usage patterns and customs, companies will need to decide on where to draw privacy lines in accordance with their own business and technology environment and specific needs, including functionality, flexibility, security and privacy.
Factors to consider when drawing lines on the expectation of privacy over mobile device usage include:
• Are there some employees who are in sensitive positions or have access to sensitive data to such an extent that the risk of BYOD is too high? For these employees, the company may decide that it should issue them a device and monitor all device communications. BYOD is not for every company, and even if a company has a BYOD policy for some employees, it may want to require others to use company-issued devices.
• Who should buy and pay for the device? When employees buy and pay for the device, their expectation of privacy is greater.
• What applications and data will the company permit on the device?
• Should employees be permitted to use cameras, social media mobile apps, Bluetooth and other mobile-specific device features? If data from these capabilities are on the phone, employers will have more access to employee data.
• Should employees be allowed to lend their devices to others, such as family members?
• What procedures will be followed if the employer needs the device back for investigations or to respond to a discovery request? Without sandboxing, it may be impossible for employers to collect data from a device used for personal purposes without having access to some personal data.
Mobile devices provide compelling new features and functionality for workers. At the same time, employers and employees will need to understand privacy concerns associated with mobile device usage. Employees have privacy rights, and employers should develop policies and procedures that create a clear understanding of what is private and what is not. Communicating clear policies to which employees have agreed in writing helps set expectations and reduce the risk of privacy liability. In setting policies, employers, in consultation with employees, should take into account mobile-specific features and capabilities to decide what makes sense for their particular businesses.
Stephen Wu is a partner with the Silicon Valley-based law firm Cooke Kobrick & Wu. He advises clients on information technology matters in areas including privacy, information security, data breach response, computer fraud and secure e-commerce. He can be reached at firstname.lastname@example.org or 650-917-8045.