BYOD: BALANCING DATA CONTROL, ACCESS, AND PRIVACY
Addendum

While the legal issues presented by a corporate BYOD policy are quite vast and untested, due to the length limitations, this paper has a narrow scope of analysis, in that it focuses solely on the balancing of an employee’s right to a reasonable expectation of privacy against the corporate need for data security. Also, sorry for the lengthy footnotes; they are mostly quotes from the judicial decisions supporting the conclusions and rules I arrive at.
In the technology’s infantile stages, corporations were able to have employees sign away any and all expectations of electronic privacy through the issuance of corporate-owned devices. However, as “Mobile Device” (“MD”) capability has advanced and employees have simultaneously become more tech-savvy, the previous standard-issue corporate mobile device model has become impractical and obsolete. In light of such market and social developments, the “Bring Your Own Device” (“BYOD”) movement has gained momentum. Correspondingly, the legal issues presented by a corporate BYOD policy are ever present and, if they remain unaddressed, they can potentially have extensively adverse implications for a corporation across a wide spectrum of fields. A BYOD policy must be drafted with consideration of these legal issues so as to avoid potential gaps in policy that can, and will, expose the corporation to regulatory and/or civil liability.

A BYOD policy inherently entails the use of a single device for both private and professional matters by corporate employees. Issues arise because the personally owned devices may store and/or access data that employers have neither the privilege nor the right to access or monitor.[1] Threatening this employee right to privacy, however, is the fact that, in the technology age, corporate-owned and -controlled data will undoubtedly be stored and/or accessed by employees on such devices.[2] Because this data is owned and controlled by the corporate entity, a corporation will often have a statutorily imposed duty to monitor, secure, and control the data received, stored, and accessed on these devices by employees.[3] As a consequence of these competing interests held by the employer and employee, a BYOD policy must strike a delicate balance between the two that will allow each party to sufficiently pursue its interests without excluding the other. Although the case law lacks any directly analogous precedent, recent cases suffice to illustrate a trending pattern that may provide insight for corporations hoping to implement a BYOD policy while limiting data breach and privacy intrusion liability exposures alike.

Employee privacy is governed by the common law reasonable expectation of privacy (“REP”) standard, which is derived from the tort of intrusion upon seclusion.[4] The reasonableness of a privacy expectation
[1] Such protected information could include personal photos or the employee’s medical information.
[2] Such access to data could be had by either email or direct access to the secure corporate servers.
[3] See 18 U.S.C. §§ 2511 (1) (1); 2510 (12) (1994); Massachusetts Data Privacy Act, Mass. Gen. L. ch. 93H; NEV. REV. STAT. 603A.215 (These provisions are specifically applicable to information defined as “Personally Identifiable Information”, which corporations typically have a statutory duty to protect through encrypted storage and transfer.).
[4] Restatement (Second) of Torts § 652B (1977) (Under the common law tort of intrusion upon seclusion, one who “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Accordingly, in such suits, the plaintiff must establish that the intrusion would be “highly offensive” to the ordinary reasonable man; quantitatively, the tortfeasor’s conduct must be “strongly objected” to by the reasonable man.).
under the common law has both a subjective[5] and an objective[6] component; there must be a subjective expectation of privacy that is objectively reasonable. In a BYOD context, the inquiry would consider factors such as: (1) the company policy on electronic communications and electronic devices, (2) the degree to which the employer educated its employees on the policies, and (3) who owns the device on which the information in question was stored/accessed.[7]

The crux of the judicial inquiry appears to be the corporate policy, and the employee education on it, utilized by the private employer in question. In Loving Care, the court held that despite a corporate policy stating otherwise, a REP had been fostered due to a combination of the policy’s allowing employees to use company-owned computers for personal pursuits and the plaintiff having safeguarded her personal, non-company email through use of password protection.[8] Respectively, these factors constituted the standard’s objective and subjective components.[9] Similarly, the Convertino court held that a reasonable expectation of privacy existed where the employee was not prohibited from using company email for personal use.[10] Inversely, the courts have consistently held against the existence of a REP when an employer has given explicit notice to its employees that their electronic activity will be monitored.[11]

Ultimately, an analysis of the recent common law decisions pertaining to employee privacy in a private employer context demonstrates that an employee is likely to possess a REP that outweighs a corporate monitoring interest when (1) a corporation’s company policy grants its employees permission to utilize its electronic devices for personal uses and (2) the employee takes reasonable steps to ensure the
[5] See Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 316, 990 A.2d 650, 663 (2010) (In determining the subjective expectation of privacy in the plaintiff’s emails, the court noted that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer by not using an employer-based email account and by not saving her personal email account’s password on her laptop… In other words, she had a subjective expectation of privacy.”).
[6] See id. (In determining the objective expectation of privacy in the plaintiff’s emails, the court noted that “employer's written policy on electronic communications did not address the use of personal, web-based e-mail accounts accessed through company equipment nor did it warn employees that contents of e-mails sent via personal accounts could be forensically retrieved and read by employer.”).
[7] See id.
[8] Id.
[9] Id.
[10] Convertino v. U.S. Dep't of Justice, 674 F. Supp. 2d 97, 110 (D.D.C. 2009) (“On the facts of this case, Mr. Tukel's expectation of privacy was reasonable. The DOJ maintains a policy that does not ban personal use of the company e-mail. Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would be regularly accessing and saving e-mails sent from his account…”).
[11] City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (2010) (No REP to personal text messages sent from corporate phone where employer’s policy explicitly stated, “… [The employer] reserves the right to monitor and log all network activity including email and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.”); Scott v. Beth Israel Med. Ctr. Inc., 17 Misc. 3d 934, 847 N.Y.S.2d 436 (Sup. Ct. 2007) (“Where a[n] [employer]’s electronic communications policy, of which [plaintiff] has actual and constructive notice, prohibit[s] personal use of [employer]’s email system and state[s] that the employer reserved the right to monitor, access, and disclose communications transmitted on [employer]’s email server at any time without prior notice…”, there is no reasonable expectation of privacy.); Holmes v. Petrovich Dev. Co., 191 Cal. App. 4th 1047, 1068-69, 119 Cal. Rptr. 3d 878, 896 (2011) (Plaintiff used her employer's company e-mail account after being warned that it was to be used only for company business, that e-mails were not private, and that the company would randomly and periodically monitor its technology resources to ensure compliance with the policy).
confidentiality of the information accessed on a corporate-owned device or server. Obviously, however, the novelty of the issues presented by BYOD lies in the fact that the employer owns the data in question, rather than the device itself. The bright lines therefore begin to dim upon attempting to strike a balance between the employee’s privacy interest and the corporate monitoring interest. A solution, however, has recently availed itself.

In 2012, the court in Mintz v. Mark Bartelstein & Associates, Inc.[12] ruled that when an employer has contributed to the cost of the mobile device or account, it is a proportional owner of the device and the employee consequently has a “limited expectation of privacy”.[13] Identifying which activity is protected by a limited privacy expectation is to be determined on a case-by-case basis after consideration of: (1) ownership of the phone, (2) company policy and the known use of the phone, and (3) the nature of the data in question.[14] Additionally, the dictum offered by SCOTUS in Quon implies that any data accessed, sent, stored, or received through an employee’s mobile device that does not come into contact with a private, company-owned server may be subject to an employee’s REP, consequently placing it beyond the scope of a corporation’s legally permissible access and control.[15] It is in viewing the Quon dictum in conjunction with the Mintz holding that the boundaries of each interest begin to become clear.

The limited privacy expectation of Mintz protects the employee from being punished for personal activities pursued outside of their role as an employee. Simultaneously, the Quon dictum limits the scope of corporate review to information stored/accessed through corporate servers. Therefore, while corporations utilizing BYOD most likely will not be able to monitor their employees’ personal text messages, email, and social media,[16] they can minimize liability by (1) providing explicit and transparent notice of the policy to their employees, (2) limiting activity monitoring to include only that pertinent to business matters, and (3) ensuring that any and all corporate-owned data, including email accounts, is
[12] 885 F. Supp. 2d 987 (C.D. Cal. 2012).
[13] Id. (“…[W]hile the employer paid for employee’s mobile telephone account, and has issued employment manual advising employees not to use company equipment for personal reasons and stating that employer had the right to review all email, voice mail, and telephone messages on company equipment, [the] employer knew that the mobile telephone approval to use the phone for personal reasons. Contrarily, the fact that the employer paid for the majority of the cellular bill and device would have made it unreasonable for Mintz to believe that he retained exclusive ownership of the phone and had a full privacy expectation.”).
[14] Id. (Ownership is determined by who pays for what, while the nature of the data depends on inquiries such as (1) was the data accessed or stored on a corporate device/server, (2) is the data password protected, and (3) did the employee make an active effort to secure the privacy of the data.).
[15] City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, 2625, 177 L. Ed. 2d 216 (2010) (“…a text message sent on one of the City's pagers was transmitted using wireless radio frequencies from an individual pager to a receiving station owned by Arch Wireless. It was routed through Arch Wireless' computer network, where it remained until the recipient's pager or cellular telephone was ready to receive the message, at which point Arch Wireless transmitted the message from the transmitting station nearest to the recipient. After delivery, Arch Wireless retained a copy on its computer servers. The message did not pass through computers owned by the City.”).
[16] Monitoring of social media pertains to employment law and would most likely be covered by a separate corporate policy.
stored on private, secure servers. The employees can then access such data on their mobile devices through virtualization IT solutions.[17]
[17] See http://www.zdnet.com/blog/consumerization/10-byod-mobile-device-management-suites-you-need-to-know/422.

  • 4. BYOD: BALANCING DATA CONTROL, ACCESS, AND PRIVACY confidentiality of the information accessed on a corporate owned device or server. Obviously, however, the novelty of the issues presented by BYOD lay within the fact that the employer owns the data in question, rather than the device itself. The bright lines therefore begin to dim upon attempting to strike a balance between the employee’s privacy interest and corporate monitoring interest. A solution, however, has recently availed itself. In 2012, the court in Mintz v. Mark Bartelstein & Associates, Inc.  ruled that when an employer12 has contributed to the cost of the mobile device or account, they are a proportional owner of the device and the employee consequently has a “limited expectation of privacy”.  Identifying which activity is13 protected by a limited privacy expectation is to be determined on a case-by-case basis after consideration of: (1) ownership of the phone, (2) company policy and the known use of the phone, and (3) nature of the data in question.  Additionally, the dictum offered by SCOTUS in Quon infers that any data accessed,14 sent, stored, or received through an employee’s mobile device that does not come into contact with a private, company owned server may be subject to an employee’s REP, consequently placing it beyond the scope of a corporation’s legally permissible access and control.  It is in viewing the Quon dictum in15 conjunction with the Mintz holding that the boundaries of each interest begins to become clear. The limited privacy expectation of Mintz protects the employee from being punished for personal activities pursued outside of their role as an employee. Simultaneously, the Quon dictum limits the scope of corporate review to information stored/accessed through corporate servers. 
Therefore, while corporations utilizing BYOD most likely will not be able to monitor their employee’s personal text messages, email, and social media  , they can minimize liability by (1) providing explicit and transparent16 notice of the policy to their employees, (2) limiting activity monitoring to include only that pertinent to business matters, and (3) ensuring that any and all corporate owned data, including email accounts, is ! of !5 6 ! 885 F. Supp. 2d 987 (C.D. Cal. 2012).12 ! Id. (“…[W]hile the employer paid for employee’s mobile telephone account, and has issued employment manual advising13 employees not to use company equipment for personal reasons and stating that employer had the right to review all email, voice mail, and telephone messages on company equipment, [the] employer knew that the mobile telephone approval to use the phone for personal reasons. Contrarily, the fact that the employer paid for the majority of the cellular bill and device would have made it unreasonable for Mintz to believe that he retained exclusive ownership of the phone and had a full privacy expectation.”). ! Id. (Ownership is determined by who pays for what, while the nature of the data depends on inquires such as (1) was the data14 accessed or stored on a corporate device/server, (2) is the data password protected, and (3) did the employee make an active effort to secure the privacy of the data.). ! City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, 2625, 177 L. Ed. 2d 216 (2010) (“…a text message sent on one of the City's15 pagers was transmitted using wireless radio frequencies from an individual pager to a receiving station owned by Arch Wireless. It was routed through Arch Wireless' computer network, where it remained until the recipient's pager or cellular telephone was ready to receive the message, at which point Arch Wireless transmitted the message from the transmitting station nearest to the recipient. 
After delivery, Arch Wireless retained a copy on its computer servers. The message did not pass through computers owned by the City.”). ! Monitoring of social media pertains to employment law and would most likely be covered by a separate corporate policy.16
  • 5. BYOD: BALANCING DATA CONTROL, ACCESS, AND PRIVACY stored on private, secure servers. The employees can then access such data on their mobile devices through virtualization IT solutions. 17 ! of !6 6 ! See http://www.zdnet.com/blog/consumerization/10-byod-mobile-device-management-suites-17 you-need-to-know/422.