With the introduction of technology, the workplace has been changing now more than ever before. Smart phones, laptops, and 3G network, have made working from home, or almost anywhere outside of work, easy. If an employee has access to sensitive or private information away from the protections of the workplace via a mobile device, and the device is not protected, an issue may arise about the safety of that information. Another concern is whether an employer has a legal right to search an employee’s mobile device.
WHAT IS A MOBILE DEVICE?
A mobile device includes smart phones, laptops, tablets, thumb drives, home computers, and online services such as webmail or online storage programs. Today, many employers allow their employees to work on these mobile devices. This is known as a Bring Your Own Device (BYOD) policy.
There are two categories of BYOD in the workplace: (1) the employee owns the device and the employee performs both personal and professional work on the device; and (2) a device the employer owns, but lends, or subsidizes, to the employee, and the employee uses the device for both work and personal functions.
LACK OF ENCRYPTION MAY POSE SERIOUS CONSEQUENCES
It is extremely important that employers ensure that not only their own devices are equipped with security protections, but also ensure that employees who engage in BYOD have secured their own devices. The Massachusetts Eye and Ear Infirmary paid $1.5 million dollars to settle potential violations of HIPAA when one of their doctors had his unencrypted laptop stolen. The laptop contained patient names, addresses, phone numbers, and other identifiable information. Although it was the doctor’s personal laptop, the employer was penalized. This serves as a warning to all employers with a BYOD policy to ensure all employees are complying with proper security protections for their mobile devices. For example, many employees access their work email accounts from a mobile device. The employee must protect these devices due to the risk of hackers accessing the information or security breaches if the device is lost or stolen.
Employee Owned Mobile Devices:
In Wood v. Town of Warsaw, a North Carolina court compelled a supervisor to turn over his home computer in a wrongful termination case, even though the supervisor claimed he did not use his personal computer for work. The Court determined that in the age of technology, it is increasingly common for work to be conducted outside of the office and it was likely that relevant information would be found on the hard drive. This ruling serves as an early indication that an employee’s personal device may be searched by an employer, especially if the employee is using the device for work-related activity. As a result, if an employee sent emails from a work account via a personal device, then that device would be subject to a reasonable search by the employer because the employer has a right to review those records. Therefore, following the Wood case, even if the employee owns the device, the employer’s ability to conduct a reasonable search of the device will depend on whether the employee is using the device for work and whether the employer has a legitimate interest in viewing the mobile device. A legitimate interest may include responding to employee misconduct or a harassment allegation, improving customer service, or making sure the employee is actually working.
Employer Owned Mobile Devices:
The result in Wood should be juxtaposed against a situation where an employer owns the mobile device but allows an employee to use the device for work. In this situation, the employer is able to search the device as long as the search is reasonable and for a legitimate purpose, and the employee was aware that the device was subject to a search. An employee is typically notified that a search is possible when the employee agrees to a BYOD policy. The U.S. Supreme Court determined in City of Ontario v. Quon that there are special needs in the workplace that will sometimes justify an employer’s investigation of employee devices. In City of Ontario, the employer distributed pagers to SWAT team members to use for work. An employee’s text messages were investigated to determine whether the limits of the contract met the needs of the City because the employee continually went over his allotted message quota. The employer discovered that the majority of the employee’s messages were personal. The search of the employee’s phone did not violate his Fourth Amendment right against unreasonable searches because the investigation was narrow in scope, was not excessively intrusive on the employee’s privacy expectations, and the employer’s search was motivated by a legitimate work-related purpose. In sum, if the employer owns the device, then following the City of Ontario case, the employer can search the device as long as the employee is aware of this consequence beforehand, the search is reasonable, and the search is in the pursuit of a legitimate purpose.
EMPLOYER RIGHTS IN IDAHO
Although Idaho has not addressed the issue of mobile devices in the workplace, Idaho has shown an inclination to uphold an employer’s right to view employee data held on the employer’s property. In Alamar Ranch, LLC v. County of Boise, an Idaho District Court upheld the employer’s right to access the employee’s work email account, which included personal emails, because the employer’s policy indicated that emails were company property and that it was unreasonable for an employee to think that sending emails from her company email would be confidential. A lesson to be learned here is to ensure that your company has a policy in place to address employer and employee rights to personal data when using company property.
EMPLOYERS OBLIGATIONS TO MONITOR
Employers may have an obligation to monitor mobile devices that are owned by the employer. In Doe v. XYC Corp., the Superior Court of New Jersey determined that the employer had a duty to monitor an employee’s work computer as soon as the employer had a suspicion that one of its employees was using the computer to look up child pornography. Therefore, if an employer is on notice that one of its employees is using a mobile device that could result in harm to another employee, or third party, then the employer has a duty to investigate the employee’s activities. The law has not addressed whether this obligation extends to mobile devices that are strictly owned by an employee.
INSIGHTS FOR EMPLOYERS
1. Writing a Policy: A challenging, but important, task for companies who allow employees to use mobile devices for work, is developing a policy that defines exactly what information needs to be protected and how to protect it. Here are some tips to consider when drafting such a policy:
- Warn employees about the risks of agreeing to a BYOD policy, whether with an employer owned device or employee owned device.
- Get the employee to consent to the agreement if partaking in the BYOD policy.
- Define what “acceptable use” means when using a mobile device for work.
- Make it mandatory that employees use appropriate encryption software and passwords so sensitive business information is protected. Employer should ensure compliance for each employee and require that passwords change frequently.
- Clarify ownership of the device by notifying the employee that when they conduct business within the scope of employment on a mobile device, that the device is creating records that belong to the company and are subject to be searched.
- Include a disclaimer for lost information and/or property in the event of a search.
- Inform the employee that they have no privacy expectation with respect to the device.
- Discuss the conditions that occur with respect to the device being sold, stolen, lost, replaced, or if the employee terminates employment.
- Inform the employee of the consequences that could arise from failing to comply with the policy (i.e. suspension, reprimand, termination).
2. Conducting an Investigation: When conducting an investigation of a mobile device, the investigation must be reasonable and as narrow as possible. Here are some guidelines:
- Hire an experienced, professional investigator.
- Have a disciplined and controlled investigation process.
- Keep detailed notes of the investigation.
- Communicate with the expert on what type of information is sought, so as to limit the intrusiveness on the employee’s privacy. For example, Blackberry developed software that allows an employee to separate personal and work-related information on their mobile devices. Such technology would ensure employee privacy because the employer could limit the search to business-related material without having to weed through an employee’s personal data.
Please contact a Gjording Fouser lawyer at 208.336.9777 if you would like any additional information about this topic or any other employment issues facing your company.