Managing Employees' Use of Personal SmartPhones and Tablets for Work

By Philip L. Gordon

A recent article in the Wall Street Journal aptly identified several challenges that employers face when they allow employees to use their personal smartphones and tablets for work. The article, entitled “So You Want To Use Your iPhone For Work? Uh-Oh. How The Smartest Companies Are Letting Employees Use Their Personal Gadgets To Do Their Jobs,” notes several steps employers are taking to reduce privacy and information security risks. These steps include the following: (a) requiring that employees enable passwords, (b) sending a “kill command” to wipe business information from a lost or stolen device, and (c) walling off sensitive data into an “encrypted container.” While these steps are all useful, they comprise only a partial list of critical issues employers should consider before permitting employees to use a personal device for work.

Below are seven key steps that employers should consider taking before allowing employees to use a personal device for work:

1. Demand the Installation of Adequate Malware Protection: Personal devices may be used for activities — such as peer-to-peer file sharing, viewing pornography, or downloading games — that increase the risk of infection by malicious software. Yet, personal devices typically will not have protections against malicious software that are nearly as effective as those loaded on a company-issued device. As a result, the risk that the corporate network will be infected with malware can increase materially if inadequately protected personal devices are connected to the corporate network. One solution is to require that employees load an approved package of malware protection to any personal device that will be connected to the corporate network.

2. Get Consent Before Sending a Kill Command: The Journal article noted that it is illegal in South Korea and in China to send a kill command to an employee’s personal device. Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without the employee’s prior consent runs the risk of violating the federal Computer Fraud and Abuse Act and state computer trespass laws. These laws generally prohibit unauthorized destruction of information stored on someone else’s computer. To avoid potential criminal and civil liability under these statutes, employers should obtain written consent to send a kill command to any personal device that is reported lost or stolen.

3. Get a Release Before Sending a Kill Command: Kill commands typically will wipe not only sensitive corporate information but also the employee’s personal collection of music, videos, photographs, books, and more. That collection often is backed up. If it is not, however, the employer could be facing a significant bill to replace the employee’s electronic library. To avoid such claims, employers should obtain a release from employees for any damage to personal files deleted by a kill command.

4. Prepare Ahead of Time for a Potential Security Incident: A lost or stolen personal device containing personal information, such as employees’ or customers’ Social Security numbers or credit card numbers, could trigger security breach notification obligations. Sending a kill command will not necessarily permit employers to avoid statutory notification obligations because a sophisticated thief might be able to access personal information on the device before the kill command is activated. Requiring that employees activate encryption on a personal device, when available, should eliminate the need for security breach notification because of the “encryption safe harbor” in all security breach notification laws. If encrypting the employee’s personal device is not feasible, the employer should at least require immediate reporting to its security incident response team of any loss or theft of a personal device used for work. In addition, all employees using a personal device for work should be provided with the contact information needed to immediately notify appropriate personnel of the loss or theft.

5. Get Consent to Access the Personal Device for Legitimate Business Purposes: Employers who permit widespread use of personal devices for work almost inevitably will need to access employees’ personal devices during the course of employment. Access may be necessary for a workplace investigation or to implement a litigation hold. Unlike with company-issued devices, however, the employer has no inherent right to access an employee’s personal device, even for a legitimate business purpose. Employers should notify employees up front that their refusal to comply with a reasonable and legitimate request for access to information stored on a personal device could result in discipline up to and including termination of employment.

6. Amend Your Organization’s Electronic Resources Policy to Address Monitoring of Personal Devices: Corporate electronic resources policies commonly speak only in terms of the corporate computer network and company-issued equipment. As a result, a court likely would find that warnings in an electronic resources policy that employees should have no expectation of privacy have no impact on employees’ privacy expectations with respect to information stored on their personal devices. Yet, when an employee connects a personal device to the corporate network, that device likely will be subject to the same invasive monitoring practices as company-owned devices, exposing the employer to privacy-based claims. To reduce this risk, it is suggested that the corporate electronic resources policy be modified to warn employees that the policy applies with equal force to personal devices that are connected to the corporate network.

7. Think About How Your Organization Will Retrieve Business Information When Employment Ends: Having a cache of confidential business information on a personal device provides one of the easiest vehicles for misappropriating trade secrets. Upon termination of employment, the employee can misappropriate simply by keeping his or her personal device. To reduce this risk, employers should consider incorporating a review of the information stored on an employee’s personal device used for work into the standard exit interview process. For hostile partings, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, those actions could strengthen the hand of a hostile former employee in pending or threatened litigation with the employer.


Enjoining Damaging Web Posts by Former Employees Comes at a Steep Price

Our last blog entry discussed the First Amendment shield that covers current and former employees who use anonymous or pseudonymous Internet postings to trash their employers. Today’s cautionary tale highlights the practical challenges employers face in court even when a current or former employee posts confidential records on the Web in violation of confidentiality agreements and laws.

Bank Julius Baer & Co., a Cayman Islands subsidiary of a Swiss bank, fired a disgruntled vice president. On her way out, she took confidential documents that she believed showed that her former employer had engaged in unlawful conduct. The next day, she posted those documents on a public website devoted to leaking confidential documents.

Instead of pursuing the disgruntled vice president, the Bank filed a lawsuit seeking to enjoin the leaking website, Wikileaks.org, and its domain name registrar, Dynadot. The Wikileaks website enables users to anonymously publish submissions, including alleged confidential corporate and government documents. The site aims to be an “untraceable version of Wikipedia for untraceable mass document leaking and analysis.” The site runs on modified MediaWiki software, similar to the software that runs Wikipedia.

Dynadot, a small company not interested in a protracted legal battle, stipulated to a permanent injunction that required it to shut down the website instead of fighting the Bank. Judge Jeffrey White of the federal district court in San Francisco signed the stipulated permanent injunction. The Bank dismissed its lawsuit against Dynadot with prejudice, and Dynadot shut down the website. The Bank appeared to have silenced its disgruntled vice president quickly, quietly and at minimal cost.

But the next day, Wikileaks was up and running through multiple mirror sites. A mirror site uses a similar domain name that is registered through a different domain name registrar. Wikileaks, for example, also used the domain name Wikileaks.cx through a domain registrar in Christmas Island. Wikileaks posted the Bank’s confidential documents on these mirror sites.

Within the week, the New York Times, while neglecting to mention the agreement between the Bank and Dynadot, reported that Judge White’s approval of the stipulated permanent injunction “present[ed] a major test of First Amendment rights.” Also failing to mention the agreement between the parties, blogs buzzed about apparent constitutional violations. 

Not long after publication of the Times article, heavy hitters such as the ACLU, the Project on Government Oversight, and the Electronic Frontier Foundation came out with statements against the Bank. In response to their court papers, Judge White set aside the agreement the Bank had negotiated with Dynadot, dissolved the permanent injunction, denied the Bank’s request for a restraining order, noted that the injunction might involve impermissible prior restraints, pondered whether an injunction would serve any purpose, and questioned whether the Court had subject matter jurisdiction to hear the dispute. In the meantime, the Wikileaks site, complete with the Bank’s stolen documents, is still up and running. On March 5, 2008, the Bank voluntarily dismissed its lawsuit, apparently concluding that litigation was no longer worth the cost.

Employers should view the Bank’s experience as a cautionary tale. What started as a quick agreement and apparent resolution ended up, quite literally, on the front page of the New York Times. The case also shows how quickly journalists will publicize a story that can be portrayed as “an attack on the First Amendment.” Sometimes filing suit is not the best way for an employer to protect its interests.

Is Confidential Business Information Safe At 30,000 Feet?

It will soon be easier to conduct business on airline flights, and a lot riskier from a privacy perspective. The New York Times ran a story the other day – “Some Airlines to Offer In-Flight Internet Service” – describing JetBlue’s plans to begin offering free in-flight e-mail and instant messaging service. Several other airlines also have announced plans to offer Internet service on their planes. While the convenience may be welcome news to busy executives who criss-cross the country on non-stop business trips, employers should be concerned about the security of private workplace communications and confidential business information in the cramped confines of an airline cabin.

Consider the number and proximity of work-related travelers, especially in business class. Now imagine linking the traveler’s laptop or BlackBerry to seat-back entertainment systems (Virgin America has plans to implement a system that allows passengers to send messages during a flight). And now envision your company’s strategic business plan, or non-public profit figures, on display like an in-flight movie. Add to this the passenger’s obliviousness to his surroundings and the scrutiny of other bored and seemingly harmless passengers. Without determined efforts, inadvertent in-flight disclosure of confidential business information could become as commonplace as data breaches caused by stolen laptops.

Internet and e-mail communications are not the only high-altitude privacy hazards. A colleague of mine recalls sitting on the tarmac during a flight delay and listening as a nearby passenger discussed very sensitive business information over a cell phone. Although the passenger did not identify his high-profile company by name, the content of the call made the identity easy to guess. This passenger might as well have been broadcasting his company’s non-public business tactics over the airplane’s intercom. At the end of the flight, my colleague turned to the blabbermouth and said, “If I were your boss, I’d fire you, and if I were a shareholder in your company, I’d sell your stock.”

Before business executives start using on-board Internet access to conduct business, employers should examine the risks that this latest wave of technological conveniences creates. Bear in mind that the risks will include not just the possible inadvertent disclosure of confidential business information but also, for example, the possible continued storage of that information on the airline’s e-mail servers and the possible increased risk of interception during transmission. Once the service and the attendant risks are better understood, employers can modify existing electronic resources policies, or prepare new policies, to address this most recent risk to privacy in the wired business world.