“BYOD” “SOS”!
HOW EMPLOYERS CAN PROTECT THEMSELVES WHEN WIPING COMPANY DATA FROM A FORMER EMPLOYEE’S CELL PHONE
In the last few years, there has been a significant increase in employer policies allowing their employees to bring their own cell phones (or other devices) to work. Coupled with that, there has been a surge of press on employers’ ability to monitor and remotely wipe their employees’ personal cell phones once the employment relationship ends. As more employees bring their own devices to work, employers have largely unfettered access to any given employee’s photos, files, contacts, etc. According to a July 2013 survey by the data protection firm Acronis, Inc., twenty-one (21) percent of companies perform “remote wipes” when an employee resigns or is terminated. Despite the growing use of cell phone wiping technology, the practice remains in “legal limbo.”
At present, there are no federal or state statutes that specifically govern employee cell phone policies (often referred to as “bring your own device” (“BYOD”) policies). To date, the only reported case specifically regarding employer wiping of an employee’s personal cell phone comes from the United States District Court for the Southern District of Texas. In that case, Saman Rajaee used his personal smartphone(an iPhone 4) to conduct his business in the home construction industry for over twelve years. Rajaee’s iPhone was connected to his employer’s Microsoft Exchange Server, allowing him to remotely access email, contacts, and a work calendar provided by Defendants. In February 2013, Rajaee gave his employer his two-week notice, and the employer immediately terminated him. A few days later, Rajaee’s phone was remotely wiped by the employer’s IT department – deleting both personal data and work-related data.
Rajaee subsequently sued his former employer, under the Electronic Communications Privacy Act (“ECPA”), the Computer Fraud and Abuse Act (“CFAA”), and the Texas Theft Liability Act, alleging that the employer’s actions caused him to lose “more than 600 business contacts collected during the course of his career, family contacts, family photos, . . . business records, irreplaceable business and personal photos and videos, and numerous passwords.” Rajaee’s claims ultimately failed, as the Court found that neither the ECPA nor the CFAA applied to Rajaee’s personal data on his iPhone. While this case is relatively anti-climactic, it nonetheless highlights employer vulnerability to litigation when it remotely wipes an employee’s personal device. Below are some steps that you can take to protect yourself if you choose to implement a cell phone wiping policy.
1. GET IT IN WRITING: In the above case, Rajaee claimed that he had never read or signed a cell phone wiping policy. When it comes to “BYOD” cell phone policies, an employer should inform its employees of the rule(s), and have them sign a copy of the policy. If the employee does not agree to abide by the cell phone wiping policy, they can choose to not have work email, contacts or other information on their personal device.
2. BE SPECIFIC – NO SURPRISES:The cell phone wiping policy should state the following:
By connecting the device to the company network or using it for company business, the user expressly agrees that he or she authorizes, and permits, the company to access the device and securely remove its data at any time the company deems necessary, either during the relationship, or after.
If the employee does not make the device available within a certain reasonable period of time after demand, the company is authorized to remotely wipe the entire device and restore it to its factory settings in order to ensure that its data was securely removed from the device.
3. CONSIDER “STRATEGIC WIPING”: Many companies have begun to employ improved IT systems which surgically remove only employer data from an employee’s cell phone. Although this software is likely more costly, it may prevent employers from the cost of litigation in the long run.
4. ENCOURAGE HEALTHY BACKUP USE: Encourage employees (perhaps in the text of the policy) to back up their personal information (photos, contacts, songs) to their personal computer or to iCloud once a week in case the employer needs to remotely wipe data for security or other reasons.
As this area of the law rapidly evolves, employers must stay ahead of the curve of employee privacy, while maintaining the security of their clients and other employees.
This article is not legal advice but should be considered general guidance in the area of employment law. Jordan Payne is an employment attorney; others at the firm handle business and other matters. You can contact us at 784-3200 (telephone). Skelton Taintor & Abbott is a full service law firm providing legal services to individuals, companies, and municipalities throughout Maine. The firm has been in operation since 1853.