Increased use of technology in the workplace has generated reasonable concerns over the privacy rights of employees, on both company-issued and personally provided electronic devices. Employers, on the other hand, have been wary of overstepping their investigatory bounds in searching employee data while also trying to maintain a firm technological device policy to prevent security breaches and inappropriate conduct. New England Patriots quarterback Tom Brady recently learned, in the wake of the famed “Deflategate” controversy, that one should examine organizational policy regarding privacy and electronic devices before disposing of a device in question.
The National Football League has not been without controversy in recent months. Between many arrests involving drug and partner abuse and the approaching storm of concussion-based accusations from players, there are many business lessons to be learned from these events. The public and other stakeholders are placing a higher emphasis on accountability and transparency, neither of which has been within the NFL’s recent game plan. But the NFL has acknowledged its shortcomings in handling delicate situations, beginning with the “missing” cell phone of star quarterback and NFL golden child, Tom Brady.
Shortly after meeting with NFL investigators, who were examining the circumstances behind a reported 11 out of 12 footballs being deflated below game-ready regulations during the 2015 AFC Championship game, Tom Brady’s cell phone mysteriously disappeared. According to the NFL’s decision to suspend the New England Patriots’ quarterback, Brady knew that investigators were looking to access messages sent and received on the phone before and after the infamous 45-7 rout of the Indianapolis Colts. The phone’s apparently purposeful disposal hurt Brady’s credibility and was a key factor in NFL Commissioner Roger Goodell’s decision to suspend the ten-time Pro Bowler. Brady claims that he was simply getting a new phone and asked his assistant to get rid of the old one, just four months after he began to use it.
Here, we can see several HR lessons to be learned from these events. In today’s increasingly connected and sometimes unsecured world, can a company obtain access to data or a device itself from an employee who uses their personal device for work?
Company Device Management
Who wants to carry around two phones? Whether it’s texting, mobile banking or posting on Facebook, it’s easier (and usually cheaper) to utilize a company-provided phone as a personal one. However, employees give up data control and, depending on company policy, a lot of privacy. A smart employer policy gives notice to employees that company devices will be monitored and that employees should not have a reasonable expectation of privacy.
Many employees do not closely examine company policy regarding cell phone usage, but employers often stipulate that the device can be wiped clean, often remotely. This is typically done if a phone is reported lost or stolen or the employee has been terminated.
In addition to wiping data, an employer also has the right to examine online searches, enable a site blocker, read company emails and examine all internet activity that’s done on the company’s network as long as it’s spelled out in company policy. The most advanced form of device monitoring is a keystroke logging program. Often expensive and typically unnecessary, this allows a company to see precisely what is typed on a device, even recording usernames and passwords to sensitive personal information. While this remains a grey area legally, if an employee signs a company IT policy allowing any of the above types of digital searches to take place, the company has a right to collect and examine that data.
The New Trend: BYOD
The most effective way for an employer to craft an IT policy is to adopt a “bring your own device” system. The company should at least reserve the right to access an electronic device that an employee uses for work, even if personally owned by the employee. A tradeoff should also be created: if an employee is allowed to connect to the company-provided network, the employee should not have an expectation of privacy in the data stored on the devices or accessed via the company’s network.
How can a company prevent a Tom-Brady-esque scenario where the employee deletes data or destroys the device in question? One option, when you know a lawsuit or investigation is upcoming, is to issue a litigation hold that tells an employee not to destroy a device or delete data from it, or face organizational and legal repercussions. The key is to specify the data (read: file type) required to complete the investigation and to ensure that routine data purging or equipment exchanges do not take place, like Tom Brady throwing out his old phone for a conveniently purchased new one.
Device users retain and delete files depending on the type of data. Unless expressly backed up, photos and videos remain on the phone unless deleted by the user. Cell phone carriers keep sent text messages until they are delivered to the recipient, which is often only within seconds of pressing “send.” E-mails remain on devices for a longer period of time, especially if they’re based in a Web account like Google, Yahoo, or via the company’s servers.
The Bottom Line
The key to employee data collection is quick decision making and understanding what type of data is necessary for success in litigation and in concluding investigations. As with Tom Brady, an employee’s response to being asked to turn over data or a device can be as important as the data itself.