U.S. Employees Need a Federal Data Protection Law
The adoption and proliferation of mobile devices that employees own personally but use to serve the needs of the business, a practice known as "Bring Your Own Device to Work" or BYOD, is the latest nightmare for employee privacy in the workplace. While the U.S. government has taken a passive and piecemeal approach to protecting the data privacy rights of its citizens generally, the need for legislation is most acute in the private workplace. The coupling of companies' dual-use-device mobile strategy with the escalating number of hours Americans spend on mobile devices has blurred the lines between employees' work and their private lives, eroding any semblance of personal privacy. Although federal and state legislation have attempted to protect consumers from loss and theft of their data, employees have been left to fend for themselves.
Unfortunately, with no federal legislation protecting both an employee's privacy and a company's need to protect its data, there is an impending legal crisis for both employer and employee. Most employees don't understand the implications of using their own devices at work. Companies have attempted to write new employee technology policies, and some have gone further, requiring employees to sign waivers of liability for lost data when entering BYOD programs.
One problem is that employees often don't read these policies or seek legal advice to help them understand the waivers. Accordingly, when their iPads are wiped clean or their irreplaceable information is lost or destroyed, they are shocked. When their personal data becomes subject to discovery requests by a third party in a lawsuit or if they bring their own lawsuit for discrimination or retaliation, they are outraged to learn that when they signed on to the company's BYOD policy, they gave up other protected rights. Whether these policies or waivers are even legally valid in the context of BYOD remains to be seen, as there is no clear legal precedent.
In addition, most employees have no idea how remote wipes or ActiveSync-managed devices work. They often don't know about special software their employer may use that can track them in real time (deliberately or accidentally), whether they are on vacation, at a basketball game, in a hotel or on a remote work assignment. If the employee's personal device is lost or stolen, the employer may use the device's GPS in an attempt to locate it. This strategy remains in the gray area between legal monitoring of an employee's whereabouts in an earnest attempt to recover what may be confidential information on one hand, and illegal tracking that may be an invasion of privacy on the other.
Although BYOD policies were established to save companies money while accommodating employees' preferences for certain devices and their need for mobility, these initiatives are further eroding any healthy division between work and private life. Actual working time is increasing for many workers, yet less of that time is spent in the workplace, and it is increasingly difficult for employees to draw the line between work and non-work time.
Equally disturbing to employers is the fact that their data is being stored, viewed and transmitted on devices they do not own or control, posing risks to their trade secrets and opening them up to potential litigation from employees over personal disclosures, security breaches and property destruction. In addition, wage and hour claims can and will be raised regarding the definition of when an employee is performing work.
Another problem is that families, not just employees, have access to and use these devices. Devices go with them to the beach, into bedrooms and to hospitals. While companies can attempt to reduce some of these risks through the use of Mobile Device Management (MDM) software, by enhancing their technology policies or by instituting employee waivers, none of these fixes will provide an equal playing field for the parties or a consistent set of rules for maneuvering in this dual-use world. Without a broad and meaningful federal policy, this situation will worsen as the technology gets smarter.
Limited Protection of Data
Driven by the pervasive issues with consumer protection of personal data and the proliferation of the Internet and online shopping, Congress and state legislatures have passed some meaningful laws that obligate businesses to provide security and notifications when personal data has been compromised. However, these laws give limited redress to employees whose data has been deleted, transferred or worse, disseminated to third parties without their permission or knowledge. Below is a summary of some of the current legislation and cases.
A partial remedy for both employer and employee was offered by Congress when it passed the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., and two of its components, the Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq., and the Wiretap Act, 18 U.S.C. §§ 2511 et seq. The SCA prohibits individuals from accessing, without authorization, stored electronic communications, and the Wiretap Act prohibits individuals from accessing, without authorization, electronic information while it is in transit.
Most recently, the U.S. District Court for the Northern District of Ohio confirmed in Lazette v. Kulmatycki, No. 12 Civ. 2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013), that employers who intentionally access employees' personal email on a dual use device will be liable under the SCA and may also be liable under state privacy laws. In Lazette, a former employee was permitted to use her device for personal email, which she believed she had deleted prior to returning the device to the company. After her employment ended she alleged that her supervisor subsequently accessed 48,000 email messages over months and shared some of her personal information with third parties. While the plaintiff also claimed a violation of the Wiretap Act in this case, the court did not agree that the employer's behavior constituted an "interception" of transmitted electronic communications, such as when employers monitor employees' telephone calls without notice or use spyware on their employees' computers.
In an earlier New York decision, Pure Power Boot Camp v. Warrior Fitness Boot Camp, 759 F.Supp.2d 417 (S.D.N.Y. 2010), the court confirmed that employers who intentionally access employees' personal email accounts without permission will be liable under the SCA even if the employer's technology policy clearly gives the company blanket authorization to do so. In Pure Power Boot Camp, following an employee's separation from employment, the employer accessed the employee's personal online Hotmail account and other personal email accounts by using the username and password saved on the employer's computer.