Not many years ago there were basic expectations of personal privacy in the United States. Of course we had the 4th Amendment to the Constitution since 1787, which prohibits unreasonable search and seizure by the government relating to suspected criminal activities. And in 1965 the Supreme Court ruled that the Constitution implied a basic right to privacy from governmental intrusion in Griswold v. Conn., 381 U.S. 479. However, these protections applied only to governmental intrusion, and did not address the issue of privacy protections from corporations, individuals or other entities, with several categories of exceptions, notably health and financial records (e.g. HIPAA, Gramm Leach Bliley legislation).
Before the invention of the internet and mobile devices, there was a general sense that your personal information (e.g. papers and photographs), communications and daily activities (especially in the privacy of your own home) were generally immune from third- party intrusion, save for the small likelihood of civil litigation discovery. Neither the government (without a warrant) nor parties to litigation could simply invade your home or office and view your files and personal data.
Then we began to create information in electronic formats, such as word documents, and a bit later, email. This data was stored either on computer hard drives or in the case of email, at third party storage facilities. Personal and employment related electronic data were generally separate; created on different devices, and maintained in different storage locations.
So, what has caused the separation of personal and company information to erode over the past decade? In a nutshell, the rapid evolution of mobile devices and all of the accompanying technology has changed the manner in which data is both created and stored. Today, information – often both personal and work related – can reside on a single device (either employer provided or employee owned) that is in effect a repository of enormous amounts of information about the user and others.
In this new environment attorneys face significant new challenges when utilizing mobile devices for creating, storing and transferring confidential client information. How should they counsel their corporate clients regarding policies and procedures governing the use of mobile devices that may contain vast amounts of both company and personal information?
The ABA Model Rules of Professional Conduct (Model Rule 1.1) require attorneys to maintain the requisite skill and knowledge to competently represent a client, which includes the benefits and risks associated with relevant technology. The requisite level of knowledge should extend to protecting the confidentiality of client information (Model Rule 1.6); counseling clients on Mobile Device policies; and the myriad issues relating to the identification, preservation, search and production of information during the discovery process.
The protection of the confidentiality of client information is of paramount importance. Attorneys must be proactive in establishing physical and administrative controls to prevent the inadvertent unauthorized access or loss of this data. A key first step is to make certain that client data is physically segregated and access restricted, with strong administrative controls implemented within the firm. These controls should include policies, procedures, training and ongoing monitoring. Technical measures such as firewalls, virus protection, encryption and incident response protocols for mobile devices also need to be addressed.
Attorneys also must be capable of properly advising their clients on issues of data privacy and security as it relates to corporations and employees. With the proliferation of mobile devices (both employer supplied and BYOD) in recent years, the overlapping of personal and work related data has the potential to intrude on the individual’s privacy while also potentially causing security issues for the employer.
While in general under state law employers have a right to monitor employee email, it is advisable for the employer to have a corporate policy in place to give clear notice to the employee that information created or disseminated on devices utilized in the work environment do not enjoy an expectation of privacy. While a few court decisions have upheld the right of privacy in specific situations (e.g. email to individual’s attorney on personal matter), the basic premise of minimal privacy rights in this context have been upheld. Nonetheless, the employer should also receive employee consent regarding mobile device tracking, incident protocol (i.e. remote wiping, geo-location), and actions to be taken upon termination of employment.
The employee’s expectations of privacy must be established by the employer in a clear, concise policy. The policy should denote permitted uses of both employer provided devices and employee owned (BYOD). The policy should describe employee training, usage, and tracking procedures. It should also clearly state protocols that will be implemented if there is a risk of data breach, such as a lost or hacked device. In the event of anticipated litigation in which a preservation order must be followed, it should inform the employee of the procedures that will be utilized to preserve the data. Employee consent to the policy should be in writing, and should waive any action against the employer for loss of personal data in the event that the device needs to have the data wiped. Finally, procedures and control of the data upon employee termination should be acknowledged in the policy.
These policies and procedures should be regularly evaluated and updated, as new technologies and monitoring software are continuously enhanced.
The growing inclusion of mobile device data in the litigation discovery process is an additional source of potentially relevant information that must be addressed by lawyers.
Pursuant to FRCP 34 (a) 1, items under “possession, custody or control” of the responding party (e.g. corporation) are discoverable. See: E.E.O.C. v. Original Honeybaked Ham Co. of Georgia, Inc., 2012 WL 5430974 (D. Colo. Nov. 7, 2012), where the court allowed discovery of class members’ social media, text messages and email.
Recent cases addressing the issue of preservation of potentially responsive data on mobile devices have levied sanctions on attorneys who failed to identify and preserve client data (see: Small v. University Med. Ctr. 2014 U.S. Dist. LEXIS 114406 (D. Nev. Aug. 18, 2014; In Re Pradaxa (Dabigatran Etexilate) Products Liability Lit., 2013 BL 347278 (S.D. Ill. Dec. 9, 2013).
Clearly, we are in the midst of a vast expansion of the potential sources of data subject to the discovery process, with new methods of data creation seemingly materializing by the week.
The proliferation of the use of mobile devices in the workplace has radically altered the boundaries between personal and company information. Both employer and employee need to be aware of how this dynamic could affect the relationship in unintended ways. This is a rapidly evolving intersection of the law, technology and human interpersonal interactions. They are all moving at different speeds, and are constantly being realigned.
Sensitivity to these issues would be a wise decision.