Privacy Concerns with BYOD Policies
Although in previous years it was routinely the case that a new employee who needed to be available remotely would be given an employer-owned device, employers are increasingly turning away from that model in favor of what has come to be known as BYOD, whereby employees are permitted to use their personal mobile devices, often a smartphone, for work. In most cases, the employer asks that the employee agree to certain conditions.
These conditions are usually spelled out in a BYOD or mobile-device policy. A typical BYOD policy may include rules governing network access, permitted software, and expectations of conduct. Because BYOD policies are almost always implemented unilaterally by employers, there is a temptation to include strongly worded waivers of privacy, granting the employer broad rights to seize and access an employee’s device as part of an internal company investigation. Where remote access is a necessary feature of the job, such waivers effectively become compulsory conditions of employment.
Although BYOD policies vary, these waivers create privacy issues with regard to whether and how an employer may request, seize, or access an employee’s device as part of an internal company investigation. For example, if the employer has to investigate claims of sexual harassment by an employee, the employer may want to access the alleged harasser’s text messages. Existing law tends to deal with such searches in one of two ways.
First, if an employee feels that his or her rights were somehow violated in the search, the employee may bring a common-law action for invasion of privacy. In such a case, a court analyzes the competing interests, the employee’s expectations of privacy, and the employer’s legitimate interests in accessing the information. For example, in City of Ontario, California v. Quon, 560 U.S. 746 (2010), the Supreme Court found that the legitimate business interests of the government (as the employer) justified the search of a police officer’s text messages—paid for by the employee but received on an employer-provided device—for a non-investigatory work-related purpose despite recognizing that the officer had a reasonable expectation of privacy in the messages. Such analysis is inherently fact-specific and focuses heavily on whether the employee has a reasonable expectation of privacy—on which a written waiver of privacy has considerable bearing.
Second, employees have brought actions under the federal Stored Communications Act, which restricts unauthorized access to electronic communications stored by a remote host, or similar state laws. Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (finding a violation where an employer accessed an employee’s Hotmail email account by using the passwords saved in the employee’s Internet browser). The Stored Communications Act may have no force, however, where the access is authorized by a strongly drafted BYOD policy or where data are stored locally on the device itself.
Given the potential impact that such waivers and agreements can have on this analysis, at least one state has issued guidance to employers on the issue. The Texas Workforce Commission, a Texas governmental agency that offers employers and employees services and information relevant to employment matters, advises employers to include in any company mobile-device policy language making it “clear to employees that the employer reserves the right to physically and digitally search any devices with storage or memory capabilities that they might bring to work and to make copies of any files found therein.”
The status quo is currently tilted heavily in favor of employers mostly because employers have the greater bargaining power when it comes to drafting policies and conditioning employment on the acceptance of such policies. Nonetheless, there remains uncertainty. To begin with, the effectiveness of these compulsory waivers of unprecedented scope remains largely untested. Nor is it obvious what impact the Supreme Court’s decision in Riley may have on privacy analyses in the employment context. Lastly and potentially most importantly, as discussed below, new legislation at the state level is threatening to turn this entire analysis on its head.
Recent “Social Media” and “Online Account” Privacy Laws Are Encroaching on BYOD
Although not passed to address employer BYOD policies, recent state laws restricting employer access to employee online accounts and social media have begun laying the groundwork for greater employee privacy expectations. Following the lead set by Maryland in 2012, over a dozen states (including Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Oklahoma, Oregon, Tennessee, Utah, Washington, and Wisconsin) have now enacted legislation prohibiting employers from requesting access to employee or applicant online accounts of various types.
For example, in May 2014 Louisiana passed new legislation prohibiting an employer from requesting or requiring “an employee or applicant to disclose any username, password, or other authentication information that allows access to the employee’s or applicant’s personal online account.” Louisiana House Bill 340 (2014). Similar legislation has been introduced in a majority of states, a catalogue of which can be found on the website for the National Conference of State Legislatures.
The language of these statutes as well as their obvious intent has strong implications for the privacy issues inherent in BYOD.
First, some of these laws may in the future be found already applicable to searches of employee smartphones. As smartphone software becomes more “always-online” and dependent on non-local “cloud” services, the boundaries between the device and the online accounts that are accessed by the device will continue to blur and may potentially disappear. In the case of the Louisiana law described above, the password to access a smartphone may also allow access to the employee’s email that is hosted on an online account but viewable through the device. In such a case, the existing law may already have a powerful effect depending on how Louisiana courts choose to interpret it.
Even laws targeted narrowly at “social media” run the risk of being overrun by the growing scope of that term as products from companies like Facebook and Google expand and integrate the services they offer within a single user account. It may in some cases not be obvious to an employer which data are local and which are held in an online “social” account merely accessible through the device.
Second, even where these new laws are themselves found inapplicable, the ball is already rolling on increasing personal privacy. A recent Pew survey found that a majority of Americans of both parties believe that laws protecting online privacy should be stronger. And this country is still wrestling with the revelations of the National Security Administration’s wiretapping of the phone, email, and Internet records of everyday Americans. The strength and unanimity of the opinion in Riley and the speed with which these laws have swept through state legislatures are a testament to how much interest there is in protecting individual privacy.
Parties on both sides, those representing employers and employees, need to recognize that this issue includes many uncharted waters, which may involve risks for both sides. These developments have two obvious implications for the present.
First, employers need to scrutinize BYOD policies to ensure compliance with “social media” and “online account” privacy laws they may not have originally considered relevant. Boilerplate BYOD policies may already be ineffective or may become ineffective in the near future. Some states are setting up their own standards for when a search is permitted. For example, Tennessee’s online-account privacy law permits an employer to “require an employee to cooperate in an investigation” if the employer has “specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data[.]” Understanding and integrating these sorts of standards into not just BYOD policies but also manager training are essential for avoiding potentially costly enforcement actions and private litigation.
Second, greater attention needs to be paid to the implications that present legislation may have for future technology. If the last decade has taught us anything, it is that technology grows quickly and in unanticipated directions. Both employers and employee advocates should be proactive in lobbying for thoughtful, nimble legislation that accounts for the certainty that it may be used in unanticipated ways, as is already becoming a possibility here.
Keywords: litigation, employment law, labor relations, cell phone, smartphone, privacy, bring your own device, social media
Teresa D. Teare and Colin P. Glynn are attorneys with Shawe & Rosenthal LLP in Baltimore, Maryland.