Wednesday, July 17, 2013

Who owns personal email on an employer-issued smartphone?

The following scenario is playing out in companies all over America. A company issues a smartphone to an employee. The company owns and pay for the device, but allows the employee to use the device for personal reasons, including accessing a personal email account, such as Gmail. The employee returns the phone, but does not first erase her personal email from the device. Is it legal for the employer, who owns and pays for the phone, to access the employee’s personal email account after the device’s return?

According to Lazette v. Kulmatycki (N.D. Ohio 6/5/13), the answer is no. In Lazette, the facts alleged are significantly worse than my fact-pattern above. After Lazette returned the phone, her supervisor, over the course of 18 months, surreptitiously read 48,000 of Lazette’s personal emails, including those involving her family, career, financials, health, and other personal matters.

The meat of the decision concerns whether the employer violated the Stored Communications Act (although Lazette also brought federal- and state-law wiretap claims, and common law claims for invasion of privacy and intentional infliction of emotional distress. The Stored Communications Act prohibits the unauthorized access of personal email and other Internet accounts. Think of it as an anti-wiretapping law for the Internet. The court refused to dismiss the Stored Communications Act claim, concluding that Lazette had pleaded sufficient facts in her complaint for the case to proceed to discovery. if you are at all interested in the SCA, what it covers, and how it works, I commend this case to your reading list.

Aside from the legal intricacies of the Stored Communications Act, this case raises important practical considerations about the risks companies are taking via the use of mobile devices at work. Smartphones aren’t going away. Indeed, if you’re anything like me, it’s become more of an appendage than a phone. So, how should companies manage the risks of these devices under increasing judicial scrutiny and application of the Stored Communications Act? Let me offer three practical tips:

  1. Draft a policy. Under the Stored Communications Act, personal data is sacred. Telling employees that they do not have any expectation of privacy in company-owned mobile devices might not save you from a Stored-Communications-Act claim if one employee surreptitiously accesses another employee’s personal email account. For sure, have a policy that spells out an employee’s reasonable lack-of-privacy expectations, but have a similar policy statement prohibiting employees from accessing the personal email or other Internet account of others.
  2. Wipe the device. Curiosity might have killed the cat, but you shouldn’t let it kill your company. Left to their own devices, people will snoop. Don’t give them the opportunity to do so. When a mobile device is returned by an employee, wipe it clean of all personal information and data.
  3. But, quarantine it first. I suggest, however, that before you wipe a device you pause to make sure that you don’t need any data on the device. Once it’s wiped, it’s going to be very hard, if not impossible, to recover that data. Are there pending lawsuits for which data on that phone might be discoverable? If so, you better save it until you can determine what, if anything, needs to be preserved or produced. Are you concerned that the ex-employee might have been talking to a competitor or walked off with your trade secrets or other confidential or proprietary information? if so, you better check the phone to see if there is any evidence you can use to build your claim before you wipe it clean.

(Hat tip: Privacy & Information Security Law Blog)