- ABA Groups
- Resources for Lawyers
- Career Center
- About Us
Kimberly Peretti is a partner in the Washington, DC, office of Alston & Bird LLP, where she co-leads the Security Incident Management and Response Group. Bruce Sarkisian is an associate in the Atlanta office of the same firm. In addition, Kim serves as Co-Chair, and Bruce serves as Co-Vice-Chair, of the E-Privacy Law Committee in the ABA Section of Science & Technology Law. Kim can be reached at Kimberly.Peretti@alston.com, and Bruce can be reached at Bruce.Sarkisian@alston.com.
With BYOD (bring your own device) nearly a foregone conclusion in many organizations, one of the next puzzles to solve will be what happens when data on an employee-owned mobile device, or the mobile device itself, becomes the subject of an investigation. In these circumstances, companies must have the legal right to access both the device and the data it contains as well as the forensic tools to extract and review the data.
Employees of organizations that must comply with legal requirements such as PCI-DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act of 1996) may find their devices subject to more scrutiny if the devices are compromised while storing regulated data. Indeed, any organization could find itself in trouble if it can’t obtain email or SMS messages or other data stored on an employee-owned mobile device when the information becomes subject to litigation holds and resulting discovery requests.
The solution might not be as simple as asking the employee for the device and providing a replacement while forensics is conducted. If there is no agreement between the employer and employee regarding the use of personal mobile devices for business purposes (including sending corporate communications and accessing corporate data), the company has lost a way to compel the employee to produce the device. Employee devices will likely have personal information, such as photos, music, contacts, email, and text messages, that the employee does not want to lose even temporarily or want an employer to see.
The federal Stored Communications Act, 18 U.S.C. § 2701 (SCA), and similar state statutes, may affect company access to personal devices. Under the SCA, a precondition for violating the statute is access to stored communications “without authorization” or if one “exceeds an authorization.” The SCA’s “without authorization” language in effect creates a consent exception. An effective user agreement, as described below, should provide the consent required to avoid running afoul of the SCA.
Clear user agreements are essential if employees are going to access company data on personal devices. Successful user agreements should:
Recent developments at the state and federal level regarding the monitoring of social media might be relevant here. Several states, including California, Delaware, Illinois, Maryland, Michigan, New Jersey, and Washington, have enacted legislation prohibiting school officials and/or employers from requiring individuals to provide credentials (i.e., user name and password) to their social media accounts (e.g., Twitter or Facebook) in order for the school official or employer to access those accounts.
At the federal level, lawmakers recently reintroduced a bipartisan proposal, the Social Networking Online Protection Act, which similarly prohibits employers and other third parties from requiring employees and potential employees to disclose their credentials for social media networks.
Although this state and federal legislation is narrowly aimed at privacy concerns related to social media accounts, it could signal a willingness of legislators to take a closer look at drawing firm boundaries with respect to personal data and personal accounts. Any attempt to restrict employers from requesting passwords or PINs to personal devices could present a challenge to conducting investigations.
Just as important as any terms in the agreement is making sure the agreement is accessible to employees, not just buried in an employee handbook. A clear agreement will do an employer less good if employees could make a colorable claim that they did not know about the user agreement. On mobile devices, this problem could be solved by requiring employees to click a button on the device’s screen to indicate their assent to the employer’s user agreement before the employees are allowed to install software that will enable access to company data.
The rules of behavior were showstoppers. They were turnoffs for some, who said they were not going to volunteer to do bring your own device, but for others, they were no problem. Explaining the rules in plain language helped people really understand what the program is, what is involved and if they’re OK with it or not.
Because of the potentially intimate and sensitive nature of an employee’s own data (e.g., text messages, photos, personal email), access to this data creates a somewhat heightened level of scrutiny even where policies and agreements attempt to abolish any privacy expectations. Indeed, case law has addressed whether employees have a heightened expectation of privacy in personal accounts such that monitoring or access could constitute tortious conduct, such as invasion of privacy or intrusion on seclusion. For example, in Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 928 (W.D. Wis. 2002), the court denied summary judgment in an invasion of privacy claim where an employee’s personal Hotmail account was accessed, holding that “it is disputed whether accessing plaintiff’s email account is highly offensive to a reasonable person and whether plaintiff’s email account is a place that a reasonable person would consider private.” Companies also should consider the effect that monitoring or accessing any personal email account or personal data on employee-owned devices may have on employee relations, even if such practices may be legally defensible.
One key to avoiding legal and employee-relation problems when investigating employee-owned mobile devices is to limit the scope of the investigation to what is absolutely necessary to satisfy legal requirements. The investigation should stop when the company has what it needs to answer discovery, produce the necessary files, or determine whether regulated data was accessed. The original cause of the investigation may not justify tearing the device apart and accessing the employee’s own data.
Even with the legal right to access the employee-owned device, companies still need to have capabilities that allow them to extract and review the data on the device. Unfortunately, mobile device forensics are not as developed as forensics for traditional enterprise computing tools.
For the investigation to hold up under legal scrutiny, the investigator must obtain an accurate, complete, and forensically sound image from the employee-owned mobile device. It is estimated that less than 40 percent of the smartphone models on the market can be imaged. In fact, on Apple iOS, the security is proving so effective that bypassing the PIN or password may be a challenge for investigators. Thus, unless the employee can be compelled to provide the PIN or password, as discussed above, obtaining valuable or critical evidence from the device may be difficult. Android devices present their own forensics issues, because the software that performs the forensics must be programmed to work across an entire spectrum of Android device versions.
In litigation, when responding to ediscovery, it may be difficult to physically extract data involving files on a mobile device, such as deleted SMS messages and actual files and folders.
One way to ease the difficulty with forensics may be to limit the type of employee-owned mobile devices that are allowed to be used for corporate purposes. That way, only devices from which data may be reasonably extracted in the event of a forensic investigation will be allowed.
Once a company has the capabilities necessary to access the data on employee-owned devices, the company must ensure that it does not access too much data—especially personal data—for the reasons outlined above. Many mobile device management (MDM) programs on the market today can separate company data on a mobile device from personal data on the device by putting the corporate data in a “container.” This feature has several advantages:
The “containerized” structure could help shield the company from claims that the company improperly “accessed” an employee’s personal accounts in violation of the SCA. For example, in Shefts v. Petrakis 1:10-cv-01104-JBM-BGC # 249 (order on issue of the defendant’s authority to access the plaintiff’s company email), the court found that the defendant could not be held to have “accessed” text messages that it never saw, even though it had the ability to see such messages. Thus, a company using the container structure could reasonably argue that it only “accessed” the company data in the container, and was not interested in the employee’s data outside of the container, even if the employer had the ability to see the employee’s data as well.
Although the law has yet to be fully formed in the area of access to and investigation of employee-owned devices, a set of basic ground rules can help companies navigate the law as it develops. Companies can minimize legal missteps and tension in relationships with employees by: