By Lauren E. Douglas
The year 2021 marks the forty-eighth anniversary of the mobile phone[1] and the eighty-third anniversary of the programmable computer.[2] It is no secret that mobile devices are significantly more powerful than their inventors could have ever predicted.[3] What started as clunky, cumbersome machinery has transformed into the backbone of society as we know it.[4]
Many aspects of corporate success are rooted in the evolution of the mobile device.[5] To aid in their success, the majority of employers now permit the cross-use of electronic devices for personal and professional purposes—a movement known as “Bring Your Own Device” and lovingly referred to as “BYOD” for short.[6] More specifically, the BYOD phenomenon is a practice whereby employees[7] use their own electronic devices[8] to do their jobs on the employers’ platforms.[9] The BYOD practice is loved by employees and employers alike[10] and drives corporate activity in ways nearly unimaginable even ten years ago.[11] In fact, in 2018, the BYOD market was predicted to reach nearly $367 billion by 2022.[12] In the wake of the COVID-19 pandemic, the true number is likely even higher.[13] Pandemic or no pandemic, it is clear that the BYOD era is here to stay.[14]
Despite the rising popularity of the BYOD workstyle, very few businesses actually enforce formal BYOD policies and instead simply allow employees to access corporate data on their own devices free of internal regulation.[15] A study conducted in 2016 revealed that, even though roughly 70 percent of employees conduct work-related activities on their personal devices, only 39 percent of companies have a formal BYOD policy in place.[16] This is dangerous; if companies do not regulate their BYOD practices, they risk breaches of sensitive corporate data and violations of federal privacy laws.[17]
The Tension Between Privacy Interests and Data Protection
Perhaps the most problematic issue that comes with implementing a BYOD policy is determining to what extent an employer can legally monitor and access its employee’s personal devices.[18] The American Bar Association describes balancing the employers’ interests in data security with the employees’ rights of privacy as “the single greatest challenge” to a successful BYOD program.[19] With that said, it must be recognized that employees enjoy a heightened right to privacy regarding information stored on their own personal devices as compared to employer-provided devices.[20] Such protection may be found in both statutory and common law.
Specifically, the Computer Fraud and Abuse Act of 1986 (“CFAA”)[21] imposes criminal and civil penalties on individuals and companies that “intentionally access a computer without authorization or exceeds authorized access” to obtain “information from any protected computer.”[22] The CFAA began as a means to protect government computers from hackers, but today the law reaches every computer connected to the internet.[23] Of course, in 2021, computers are not the only devices used to conduct work. Luckily, federal case law establishes that, in addition to desktop and laptop computers, the CFAA protects devices such as cell phones,[24] tablet devices, and even videogame systems.[25] To supplement the CFAA, employees might also claim a violation of the Electronic Communications Privacy Act (“ECPA”), a subsection of the Stored Communications Act (“SCA”) that protects the privacy of electronic communications in electronic storage.[26]
So far, courts addressing the new BYOD privacy dichotomy seem reluctant to construe statutory protection broadly in favor of plaintiff-employees who had their personal devices wiped clean of all information. For instance, in Rajaee v. Design Tech Homes, Ltd.,[27] a company remotely deleted all of an employee’s work and personal files from his mobile device after he resigned.[28] The device was connected to the employer’s data server, allowing for remote access to email and calendar platforms.[29] The employee sued for damages under the ECPA and the CFAA, but the court rejected both claims, reasoning that the personal data lost was not “electronic storage” as defined under the ECPA and was not a qualified “loss” under the CFAA.[30] Such stringent readings of these statutes makes asserting a viable claim for lost personal data caused by the employer a very difficult feat for employees.[31]
Because technology moves light-years faster than the development of law,[32] the CFAA and ECPA are two of the closest statutes to the BYOD issue; there is currently no federal or state legislation directly addressing BYOD policies.[33] Similarly, the relevant case law is negligible.[34] It is thus vital for employers to create and implement comprehensive, transparent, and officially documented BYOD programs. Thorough BYOD policies are important because, with the lack of statutory law on point, courts in many cases will look directly to the provisions in the BYOD policy to “determine the bounds of permissible employer conduct.”[35]
Private employees generally retain privacy interests in common law so long as their expectations are “reasonable.”[36] When considering whether an employee has a reasonable expectation of privacy in electronic communications, courts tend to balance the following factors: (1) account ownership;[37] (2) device ownership;[38] (3) the security level of the communication;[39] and (4) published employer policies and whether they were routinely enforced.[40] No one factor is dispositive and different courts may weigh factors differently.[41] Because two of the four factors essentially look for whether a BYOD program exists, employers can cover a significant number of bases simply by drafting a formal policy.[42]
Best Practices for Employers
Despite the lack of concrete legal guidelines surrounding the BYOD phenomenon, an employer can mitigate the majority of its concerns by implementing a formal BYOD policy. An effective policy should “emphasize security and contain clear instructions” regarding acceptable and unacceptable activities on personally owned devices that have access to corporate information systems.[43] Additionally, an employer’s BYOD policy should make clear that “any and all company information and emails” on all personal devices remain “the sole property” of the company, and that the employer “in its sole discretion” may access and delete any company data that “may be in jeopardy.”[44] No threat is too small when it comes to business use of personal devices, and providing express notice to employees is the very best way to mitigate legal liability surrounding BYOD policies.[45]
In addition to implementing a comprehensive, written BYOD policy, many companies—especially those that handle sensitive information—are utilizing Mobile Device Management (“MDM”) service providers to help mitigate the technical risks associated with allowing employees to access company data on their own devices.[46] In essence, MDM broadens the scope of BYOD protection and is “designed to fill security gaps” in employee use of personal devices.[47] MDM allows employers to exercise control over the device, monitor applications, and remotely wipe the device if it is lost or stolen—clearly a worthwhile addition to any BYOD policy.[48]
The Bottom Line
An astonishing number of employees and employers engage in the BYOD workstyle. While BYOD practices often increase employee satisfaction and performance, and decrease employer costs, they come with inherent risks that cannot be ignored, such as data breaches and violations of federal privacy law. Employers can mitigate many of these risks by implementing a strong written BYOD policy that clearly delineates the employers’ rights of access to each device. Now more than ever, actively and uniformly enforcing a BYOD policy is the best mechanism to alleviate legal risks while the law plays catch-up with the modern technological workplace.
[1] Charlee Dyroff, Here’s How Much Cellphones Have Actually Changed Over the Years, Insider (July 25, 2018, 12:42 PM), https://www.insider.com/the-history-of-the-cellphone-2018-7#the-first-phone-weighed-over-two-pounds-1.
[2] When Was the First Computer Invented?, Computer Hope (June 30, 2020), https://www.computerhope.com/issues/ch000984.htm.
[3] See Dyroff, supra note 1 (“Over the past half-century, the cell phone has . . . evolved to connect us in ways that [its inventors] perhaps never imagined.”). In fact, it is estimated that “the number of mobile-connected devices now exceeds the number of people on Earth.” Danielle Richter, “Bring Your Own Device” Programs: Employer Control Over Employee Devices in the Mobile E-Discovery Age, 82 Tenn. L. Rev. 443, 458 (2015) (quoting Stephen Wu, A Legal Guide to Enterprise Mobile Device Management: Managing Bring Your Own Device (BYOD) and Employer-Issued Device Programs 1 (2013)).
[4] See Lindsey Blair, Note, Contextualizing Bring Your Own Device Policies, 44 J. Corp. L. 151, 152 (2018) (describing the impact of mobile devices on the corporate environment).
[5] See Richter, supra note 3, at 443.
[6] See Blair, supra note 4, at 152 (“BYOD policies rapidly expanded during the 2010s in [information-technology] communities and have [since] become increasingly common in other professional fields.”).
[7] For purposes of this post, the terms “employer” and “employers” refer only to private employers. Similarly, the terms “employee” and “employees” refer only to employees of private employers.
[8] Although the term “BYOD” may refer to personal use by employees of employer-owned devices, BYOD is more often understood as employee use of a personally owned device to conduct work activities. With BYOD, the Genie Is Out of the Bottle, So Deal with It, 23 No. 1 N.C. Emp. L. Letter 5 (M. Lee Smith ed., 2013). The latter is the only form of BYOD that is discussed in this post.
[9] Id. Such platforms include company email, calendar, and data servers. Id.
[10] Employees favor BYOD policies because they provide the “freedom to ‘work and collaborate the way they prefer’” on devices familiar to them; employers favor BYOD policies because they cut costs and allow for a “‘more mobile, productive, [accessible], and satisfied’ workforce.” Melinda L. McLellan et al., Wherever You Go, There You Are (With Your Mobile Device): Privacy Risks and Legal Complexities Associated with International “Bring Your Own Device” Programs, 21 Rich. J. L. & Tech., no. 3, 2014, at 1, 1.
[11] Id.
[12] Anna Johansson, Growth of BYOD Proves It’s No Longer an Optional Strategy, BetaNews, https://betanews.com/2017/05/12/growth-of-byod-proves-its-no-longer-an-optional-strategy/ (last visited Mar. 11, 2021).
[13] See Alice Selvan, Adopting a BYOD Policy Amid the COVID-19 Era, ManageEngine (Dec. 3, 2020), https://blogs.manageengine.com/desktop-mobile/mobile-device-manager-plus/2020/12/03/adopting-a-byod-policy-amid-the-covid-19-era.html (describing how COVID-19 forced companies previously against the BYOD concept to accept it, as a substantial amount of remote work would not even be possible without it).
[14] See Richter, supra note 3, at 459 (“The growth of technology [in the] workplace is unavoidable and imminent.”).
[15] Id. at 445.
[16] Q4 2016: BYOD Trends & Practices, Trustlook Insights, https://newblogtrustlook.files.wordpress.com/2016/10/trustlook_insights_q4_2016_byod.pdf (last visited Mar. 11, 2021).
[17] Id. Such risks arise in large part because employers lose control when employees use their own devices and networks to store and transmit company data. Bring Your Own Device (BYOD) . . . At Your Own Risk, Priv. Rts. Clearinghouse, https://privacyrights.org/consumer-guides/bring-your-own-device-byod-your-own-risk (Oct. 1, 2014).
[18] Fredric D. Bellamy & Arturo Gonzalez, Crafting Bring Your Own Device (“BYOD”) Policies to Protect Your Company Data and Ensure Compliance With the Law, Nat’l L. Rev. (Oct. 11, 2018), https://www.natlawreview.com/article/crafting-bring-your-own-device-byod-policies-to-protect-your-company-data-and-ensure.
[19] Pedro Pavón, Risky Business: “Bring-Your-Own-Device” and Your Company, Am. Bar Ass’n (Sept. 30, 2013), https://www.americanbar.org/groups/business_law/publications/blt/2013/09/01_pavon/.
[20] Bellamy & Gonzalez, supra note 18. In contrast, employers retain significantly greater control and access to company-owned devices that are merely provided to employees. Richter, supra note 3, at 458. However, the scope of employee rights surrounding employer-provided devices is outside the purview of this post and will not be discussed further.
[21] 18 U.S.C. § 1030.
[22] Id. § 1030(a)(2)(C).
[23] Brenda R. Sharton et al., Key Issues in Computer Fraud and Abuse Act (CFAA) Civil Litigation, Thomson Reuters Prac. L. 1 (2018), https://www.goodwinlaw.com/-/media/files/publications/10_01-aa-key-issues-in-computer-fraud-and-abuse.pdf.
[24] See United States v. Nosal, 844 F.3d 1024, 1050–51 n. 2 (9th Cir. 2016) (recognizing protection of cell phones under the CFAA); see also United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (same).
[25] See United States v. Nosal, 676 F.3d 854, 861 (9th Cir. 2012).
[26] 18 U.S.C. §§ 2510–2523.
[27] No. H-13-2517, 2014 WL 5878477 (S.D. Tex. Nov. 11, 2014).
[28] Id. at *1.
[29] Id.
[30] Id. at *2 (citing Garcia v. City of Laredo, Tex., 702 F.3d 788, 791 (5th Cir. 2012)).
[31] CFAA claims are only cognizable if the plaintiff can show that the unauthorized access to his or her computer resulted in a loss of at least $5,000 in a one-year period. See 18 U.S.C. § 1030(c)(4)(A). This is often a high hurdle for plaintiff-employees to meet. See, e.g., Rajaee, 2014 WL 5878477, at *3–4 (determining that plaintiff’s loss of personal photos, cell phone contacts, text messages, notes, and emails did not satisfy the CFAA’s “loss” requirement).
[32] See Richter, supra note 3, at 458 (“It is a common principle that ‘law follows technology.’”) (quoting Fabio E. Marino & Teri H.P. Nguyen, Perils of the “Bring Your Own Device” Workplace, Nat’l L. J. (Nov. 18, 2013, 12:00 AM), https://www.law.com/nationallawjournal/almID/1202627830912/Perils+of+the+Bring+Your+Own+Device-+Workplace%3Fmcode=0&curindex=0&curpage=1/).
[33] See McLellan et al., supra note 10, at 6.
[34] See Mendez v. Piper, No. H041122, 2017 WL 1350770, at *14 (Cal. Ct. App. Apr. 12, 2017) (recognizing that the law surrounding an employee’s “rights of ownership and privacy in personal information” stored on a personal device is actively evolving).
[35] Bellamy & Gonzalez, supra note 18.
[36] Blair, supra note 4, at 162–63. Private employees do not enjoy the right to privacy under the Fourth Amendment; this is reserved for public employees. Id.
[37] See, e.g., Mintz v. Mark Bartelstein & Assocs., Inc., 906 F. Supp. 2d 1017, 1033 (C.D. Cal. 2012) (concluding that the plaintiff had an expectation of privacy in his personal email account despite the fact that he used the account for work-related matters).
[38] See, e.g., Sitton v. Print Direction, Inc., 718 S.E.2d 532, 537 (Ga. Ct. App. 2011) (deciding that the use of an employee’s laptop to review that employee’s emails did not invade the employee’s privacy).
[39] See, e.g., Mintz, 906 F. Supp. 2d at 1033 (explaining the appropriateness of the plaintiff’s use of a password on his email account).
[40] See, e.g., In re Asia Global Crossing, Ltd., 322 B.R. 247 (Bankr. S.D.N.Y. 2005) (applying this four-prong test to determine whether employee privacy was breached).
[41] Blair, supra note 4, at 162–63.
[42] Id.
[43] Pavón, supra note 19.
[44] See H.J. Heinz Co. v. Starr Surplus Lines Ins. Co., No. 2:15-CV-00631-AJS, 2015 WL 12791338, at *4 (W.D. Pa. July 28, 2015) (describing a similar BYOD policy that gave Heinz Co. custody and control of any company data present on employees’ personal mobile devices), report and recommendation adopted, No. 2:15-CV-00631-AJS, 2015 WL 12792025 (W.D. Pa. July 31, 2015).
[45] See, e.g., Muick v. Glenayre Elec., 280 F.3d 741, 743 (7th Cir. 2002) (no reasonable expectation of privacy in workplace computer files where employer had announced that he could inspect the computer); Thygeson v. U.S. Bancorp, No. CV-03-467-ST, 2004 WL 2066746, at *20 (D. Or. Sept. 15, 2004) (no reasonable expectation of privacy in computer files and email where employee handbook explicitly warned of employer’s right to monitor files and email).
[46] Pavón, supra note 19.
[47] What Is the Difference Between BYOD and MDM?, Centre Technologies (Mar. 17, 2015), https://blog.centretechnologies.com/what-is-the-difference-between-byod-and-mdm.
[48] Priv. Rts. Clearinghouse, supra note 17.
Post Image by Ryan Adams on Flickr.