What Happens When You Use A Company Device for Personal Email?

Email Access from a Device

Earlier this year, I wrote about emails sent and received from an employee’s work email account while using an employee’s personal device. A personal device is one purchased by an employee without employer reimbursement – a practice also known as the Bring Your Own Device (BYOD) to work phenomenon. One of the biggest concerns when this happens is that, as part of any legal investigation concerning an employer, a device (whether smartphone or tablet) can be confiscated. Since business-related documents may be stored on a person’s phone, that phone lives in a constant state of “may be seized” limbo – until the documents are removed from the device. In addition, the device can be subject to a remote data wipe, which may transform a device into an empty shell.

With new iPhones and the once-dominant Blackberry in the news, let’s take a look at the other side of this situation. Let’s take ourselves out of the employer’s side of the equation and put on an employee’s hat. The reason is important: if you, as an employer, want productive and long-term employees, you need to provide them with the tools to do their jobs, and in today’s workplace, that corresponds to some form of mobile technology.

What happens if you, as an employee, have personal email stored on a business-owned device (more often than not a Blackberry, but it could be an iPhone, Samsung, etc.) and the device is taken from you when you leave the company or are terminated? You may not have time to remove personal data that you stored on the device: saved emails, contact addresses and phone numbers, saved texts, etc. There may be personal emails that you had never intended for anyone to see – let alone an employee from the IT Department or a member of the senior management team.

On June 5, 2013, the United States District Court for the Northern District of Ohio denied an employer’s motion to dismiss and held that the Stored Communications Act (“SCA”) applies when an employer reads a former employee’s personal emails on a company-issued mobile device that was returned when the employment relationship terminated. In addition, the employee’s negligent failure to delete her personal email account from a company-issued mobile device did not constitute CONSENT to the employer to read her emails. (1)

In this case, Verizon told the plaintiff when she was issued the company-issued mobile device that she could use it for personal email. When the plaintiff returned the mobile device at the end of the employment relationship, she stated that she had attempted to delete (and believed she had deleted) her personal Gmail account from the device. Almost two years later, the plaintiff filed suit against Verizon and her former manager and alleged that the manager accessed approximately 50,000 emails in the plaintiff’s personal email account during the 18 months after she returned the device.

For some unknown reason, this manager believed he had a right to continue to access and continue to read the former employee’s personal email AFTER she left the company and AFTER she returned the device. Granted, this is an extreme case and may never happen to your company, but why take the chance?

You, as an employee, may encounter a situation where your phone is seized during an investigation. At this point, your email messages are open to scrutiny. Suddenly, your personal life becomes part of a legal investigation over which you have no control. Lawyers for your company will read your emails, and lawyers for the opposing side will read your emails.

The solution is simple but inconvenient – everyone needs two phones. Employees should buy their own phones for personal use. And if a company wants you to send emails, make phone calls, participate in document sharing, etc., then the company needs to provide a device so that employees can do their jobs more productively.

This solution may seem redundant and expensive, but it enables the formation of a clear wall separating personal data from corporate data and removes a very attractive attack vector (in other words, how a virus enters your network). And in an era when it seems as if a new data breach is revealed almost daily, the time has come to make it a little harder for the bad guys and level the playing field. It’s a win-win for both employers and employees.

___________

Sources for This Post:

(1) Hunton & Williams Privacy and Information Security Law Blog:

http://www.huntonprivacyblog.com/2013/07/articles/stored-communications-act-can-apply-to-reading-personal-emails-on-a-former-employees-company-issued-device/

Image Credit: nokhoog_buchachon via FreeDigitalPhotos.net.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.