Bring your own device, or BYOD, is becoming a standard operating method, but with it comes a potential world of trouble, as I wrote about here. Many companies are still going the route of providing devices to employees who need them. But just because you own the device doesn’t mean you have carte blanche in how you deal with the device and the employee.
Earlier this year an Ohio court ruled on a case that is not yet finished in the court system, but the initial ruling lays the ground rules for employer actions. The case involved an employee who sued her former boss and employer. She had resigned and returned the company-owned BlackBerry, thinking she had erased any connection to her email account. As an employee she was allowed to access her personal Gmail account on the company device. Unfortunately, she had not successfully erased the connection to her Gmail. When her boss discovered that fact, he proceeded to read 48,000 emails over the next 18 months. As you can imagine, when she discovered this she was rather upset and sued for invasion of privacy, violation of the Stored Communications Act and also wiretapping.
The major result was that the supervisor was found to be guilty. But what he was guilty of was not what you might think at first blush. He was not guilty of invasion of privacy, because the court did not rule on that subject. He was not guilty of wiretapping; the court said this did not apply in this case. He was guilty of violating the Stored Communications Act. But that decision was partitioned into two sections. He was not guilty of reading emails she had already read. He was guilty of reading emails that she had not yet read. These qualified as “stored.”
The HR lesson
The problem here is that the employee’s equipment was neither properly accounted for nor properly handled. To me, that phone should have been accounted for and “cleansed” long before 18 months had gone by. The supervisor should not have been allowed to leave that company property unaccounted for.
The lesson provided by the court was that just because you own the device does not necessarily mean that you own what is on that device. That lesson is going to be stated even more strongly if the device is the employee’s device. You need to have a clear policy on how all devices are to be handled and accounted for, and on who owns what information on that device.
If you would like to read more, I refer you to these two articles:
Personal Email Privacy in a BYOD Environment – A View from the Bench written by Joshua B. Konvisser
Liability Lessons From Lazette Case For Employers With BYOD Policies written by Sharon Klein and Jeffrey Vagle