BYOD and Employee Privacy--Factors to Consider

Let’s say that your company has a “Bring Your Own Device” (BYOD) policy permitting employees to use personal mobile devices for work.  Do your employees have a reasonable expectation that their mobile device information is private, even if some of that information is work-related?  Can an employer compel access to that information?

A recent case sheds some light on the factors a court will use to determine if employees can consider their mobile device information private – Mintz v. Mark Bartelstein & Associates, Inc., No. CV 12-02554 SVW (SSx), 2012 WL 3553351 (C.D. Cal. Aug. 12, 2012).  The case is in the U.S. District Court for the Central District of California in Los Angeles.

The facts of the case concern the common scenario of an employee who leaves an employer in order to join a competitor.  In this case, Plaintiff Aaron Mintz left Defendant Mark Bartelstein & Associates, Inc., doing business as Priority Sports & Entertainment (Priority), in order to join a competitor.  Mintz claims Priority illegally accessed his email, while Priority contends Mintz stole trade secrets and conspired with his new employer to steal Priority clients.

Priority served a subpoena on Mintz’s cell phone carrier, AT&T, to gain access to certain text messages.  Priority also wanted data about the texts, including their dates, times, originating and receiving telephone numbers, and originating cell site and sector.  Finally, Priority wanted similar data about incoming and outgoing calls associated with Mintz’s AT&T account, including the calls’ durations.  Mintz sought relief from the court to quash (stop) the subpoena.

The court decided that the Stored Communications Act prohibits AT&T from disclosing the content of Mintz’s text messages in response to Priority’s subpoena.  The court stated, though, that Priority could seek the text message content from Mintz directly.  The court did not reach the question of whether privacy concerns would preclude compelling Mintz to turn over the content of his text messages to Priority.

Nonetheless, the more interesting part of the decision concerned factors bearing on whether Mintz had a reasonable expectation of privacy over the non-content information about the communications, such as date, time, duration (of the calls), and sending and receiving phone numbers.  The court held that California’s privacy laws governed whether Mintz had a privacy interest in precluding disclosure of this information. It then listed a number of factors bearing on the question of whether Mintz had a reasonable expectation of privacy.

Factors increasing Mintz’s expectation of privacy included:

  • Mintz’s phone number was a personal one before he began working for Priority.
  • Priority permitted Mintz to make personal calls with the phone, as stated in Priority’s policy.
  • Mintz paid for part of the cost of his phone.
  • Priority had no record that Mintz agreed to the policy in the company employment manual stating that Priority has the right to review communications on company equipment.
  • Mintz denied reading this policy or agreeing to it.

Factors decreasing Mintz’s expectation of privacy included:

  • Priority paid for part of the cost of Mintz’s phone, making it unreasonable for him to believe he retained exclusive ownership of the phone.
  • Priority distributed a copy of an employment manual, including to Mintz, saying that Priority has the right to review communications.

After analyzing these factors, the court held that Mintz had a limited expectation of privacy, but compelled AT&T to disclose the data Priority wanted, subject to an agreed-upon protective order requiring Priority’s attorneys to preserve the data’s confidentiality.  In essence, the court took a middle ground between allowing the subpoena to go forward without protecting Mintz’s privacy and stopping the disclosure altogether.

Companies drafting BYOD and mobile device policies can draw several lessons from this decision. First, companies wishing to maximize control and issue their own devices should provide the phone number for a phone given to an employee, pay for the entire cost of the device, permit no personal use, and obtain (and archive) a signed acknowledgment in which employees agree to the policy.

Second, companies with BYOD policies will have to accept that employees will have a greater expectation of privacy than in a non-BYOD workplace.  The phone account may predate employment and may be in the employee’s name. The employer will know that personal calls, texts, and emails will be made using the device.  And if the employer does not pay all of the cost of the device, the employee will have a greater expectation of privacy.  These factors may be unavoidable with a BYOD policy.

Nonetheless, an employer can provide employees with a copy of a mobile device policy or mobile device provisions in a larger policy, such as an employment manual, employee handbook, or acceptable use policy.  The policy can say that the employer can and will monitor communications with the device. Employers can also obtain the employees’ signatures on an acknowledgment form agreeing to the policy. Finally, they will need to have a contract management or archiving process in place to preserve copies of signed forms.  Obtaining a signature on a document does no good if the employer can’t find the form when a dispute arises with an employee months or years after the employee signed the form.  With these processes in place, an employer using BYOD can increase control and minimize, but not eliminate, the risk of being unable to obtain information from or about the device when an employee does not want to disclose it.

Stephen Wu

Partner, Cooke Kobrick & Wu LLP

http://www.ckwlaw.com/Information-Security-and-Privacy-Law-Resources/

swu@ckwlaw.com

This document was retrieved from http://www.rsaconference.com/blogs/29/wu/byod-and-employee-privacy-factors-to-consider on Sun, 20 Apr 2014 14:23:23 -0400.