Courts applying the federal Electronic Communications Privacy Act have routinely held that an employee who uses a company-owned device has no reasonable expectation of privacy on it. A company-owned device is the property of the employer, as is the information stored on it, and employers are free to monitor those devices once consent is given. California recently updated its Consumer Privacy Act to better protect consumers, and the update excludes employees from the definition of "consumer." The law states that the title does not apply to a natural person's personal information collected and used by the business solely within the context of the natural person's role or former role as a job applicant, an employee of, or a contractor of that business.
The advantage of mobile devices is the convenience of real-time access to your records and information, allowing your employees to be competitive and stay on top of your business needs. It is beneficial for an employee to remain in contact with coworkers and customers, and mobility allows for faster communication, such as drafting an email during the train or bus ride home. Mobile devices offer ever greater file storage capacity and make sharing those files easy. Mobile apps can be used to schedule, design and collaborate, and can be tailored to your business specifics. A mobile workstation reduces the cost of providing dedicated office space for employees.
The disadvantages are that devices are portable, and valuable records and information can be lost when a device is damaged or lost. Devices can be stolen, allowing unauthorized access to sensitive data if they have not been properly secured with passcodes, biometric authentication, and encryption. Mobile devices can be compromised through phishing scams, social engineering, malicious apps downloaded from untrusted sources, or unsecured Wi-Fi. Information accessible on a device could include: passwords, credit card numbers and banking information, text messages, phone calls, recently visited sites, GPS location, contacts, recent files and deleted files. Information cached on a mobile device may still be discoverable even after the original copy has been deleted under the company's retention schedule.
Many states have laws with specific requirements for the use of devices. South Carolina Code § 38-99-20 requires insurance companies to implement security measures that protect by encryption nonpublic information transmitted over external networks and stored on laptop computers, portable computing or storage devices or media; regularly test to detect attempted attacks; include audit trails to detect and respond to cybersecurity events; and protect against destruction, loss, or damage of nonpublic information due to environmental hazards.
Warren Bean, Sr. Sales Engineer for Zasio, recommends a few security measures to encourage compliance for company-owned mobile devices:
- Use randomly-generated passwords so that you can’t fall victim to social engineering tricks (such as getting your pet’s name or favorite color from your social media account);
- Don’t use the same password on multiple apps or sites;
- Never click on links or attachments from unknown sources;
- Don’t leave your mobile device unattended;
- Keep up to date on operating system updates and browser patches (the bad guys scour the internet looking for unpatched systems);
- Use the strongest authentication methods available for your device, such as fingerprints and facial recognition, two-factor authentication, and automatic lock-outs for too many failed login attempts;
- If you frequently utilize public Wi-Fi networks, consider investing in a VPN service that routes your data through an encrypted private network, especially when traveling in foreign countries;
- Company-owned devices should also be centrally managed via mobile device management software that allows for remote updating and wiping of devices.
Ultimately, employers need a clear policy for company-owned devices regarding consent, record retention and how they will monitor, access, view and preserve employee texts, emails and other mobile device information. Employers need to verify the legitimacy of the applications, understand where any data is being stored, how it’s being transmitted, and whether privacy agreements exist between the organization and the data processor. If you have any questions on your company’s policies or how company-owned devices should be accounted for in your records management strategy, contact Zasio.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Heather Houle, CRA
Senior Research Analyst / Certified Paralegal