Privacy minefields lurk even in corporate-owned devices
Some enterprises are rethinking BYOD and returning to policies that only permit corporate-owned mobile devices in the workplace in order to improve security and reduce legal liability.
But even an enterprise that only allows corporate-owned devices is not exempt from legal risk, as a recent court case in the Northern District of Ohio demonstrates (Lazette v. Kulmatycki).
As related by Joshua Konvisser--of the law firm Pillsbury Winthrop Shaw Pittman--in a blog post, an employee, Lazette, turned in her corporate-liable BlackBerry device when she left the company in question. She thought she had deleted her personal emails, but she had not, and her former boss read some 48,000 of her personal emails over the course of several months.
The court found that the boss was at fault for reading Lazette's personal emails, even though they resided on a corporate-owned device. "What is more interesting about the case is the way in which the court twisted and turned existing laws that did not quite fit the situation," commented Konvisser.
The three groups of laws examined by the court were the Stored Communications Act, anti-wiretapping laws and privacy laws.
The SCA protects against intentional, unauthorized access to communications held in "electronic storage," which includes storage for the purpose of backup protection. The court found that the personal emails Lazette had not yet read were "stored" communications covered by the SCA, but that the emails she had already read were no longer "stored" in that sense and therefore not covered by the act. "Those emails Lazette read before Kulmatycki got to them are not protected under the SCA, while those she read after are," explained Konvisser.
Second, anti-wiretapping laws prohibit the unauthorized interception of communications while they are in transit. The court decided that because Lazette's emails had already been delivered to her computer as well as to the BlackBerry, her boss had not "intercepted" them, and the anti-wiretapping laws did not apply.
"Under this logic, it would be interesting to consider if Lazette could demonstrate that her computer was offline while Kulmatycki received and read certain emails on the Blackberry, those emails would fall within the wiretapping laws," Konvisser speculated.
Third, the court sidestepped the question of whether Kulmatycki had violated Lazette's right to privacy under Ohio law, but it acknowledged that the state's privacy law could apply in cases of this type. "This would be a factual determination as to whether Lazette had a reasonable expectation of privacy and would be subject to state law (meaning that the same facts could conceivably lead to different results in different states)," Konvisser explained.
The convoluted nature of the court's reasoning should give enterprises pause. Clearly, another court in another state could rule differently, possibly resulting in large fines and damages against enterprises that fail to protect the privacy of current and former employees.
To prevent this outcome, enterprises should build strong privacy guarantees into their mobile policies, particularly for personal information on smartphones, whether corporate-owned or personally owned. Those policies should be backed by technology, such as containerization, that clearly separates work data from personal data on the device.
That separation goes both ways--employees would not be able to access sensitive corporate data from their personal workspace, and employers would not be able to access information from the personal space on the phone. -- Fred