Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees:
- Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices, and therefore there is an increased risk of company data being leaked or otherwise compromised.
- Discovery: When employees communicate on their personal devices, using non-company apps, their communications are not being captured by the company’s servers. So, when the company is conducting an internal investigation, or responding to a document request in a litigation or regulatory investigation, the documents on employees’ personal apps are not identified through the normal document search process.
- Monitoring: To the extent that the company monitors business communications for compliance, regulatory or cybersecurity purposes, communications on personal apps are not being monitored.
That being said, because of client demands, technological limitations, mixed personal and business communications, and general convenience, employee use of personal apps for business communications is not uncommon. In order to reduce the risks associated with such communications, companies should consider adopting policies that achieve three goals: (1) discouraging employees from using personal apps for substantive business communications, (2) requiring employees who have made business communications on personal apps to transfer them to company-approved apps, and (3) under certain circumstances, allowing the company to access the personal apps in order to search for company communications. This last goal can be particularly complicated. If the company has reason to believe that important communications exist on personal apps on an employee’s personal phone, the company may ask the employee for the communications or access to the phone. But what if the employee refuses? Employees often have a reasonable expectation of privacy over their personal devices, even if they use them partly for work.
In City of Ontario, Cal. v. Quon, 130 S. Ct. 2619 (2010), the Supreme Court decided that the search of a city employee’s text messages on city-provided pagers was reasonable. But the Court cautioned against using that case to “establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices,” and further noted more generally that because of the rapidly evolving nature of communications technology and societal norms, “it is uncertain how workplace norms, and the law’s treatment of them, will evolve.” Id. at 2623.
The issue is even more complicated if the government is requesting the information from the company, and the company is then making the request to the employee. In that situation, the employee may also have Fourth Amendment rights against unreasonable search and Fifth Amendment rights against self-incrimination.
Having a clear policy that addresses these issues can provide companies with a strong basis for making requests of employees for information, and for disciplining employees who refuse to cooperate. Such a policy may include one or more of the following elements:
- Restrict Business Records to Company-Approved Apps: Business Records (which would exclude merely administrative or non-substantive communications) should only be created on company-approved apps that ensure they are captured by the company’s computer systems (and should not be created on personal apps like WhatsApp and iMessage).
- Employees Must Safeguard Business Records on Personal Apps: If a Business Record is created on a personal app, the employee should (1) take reasonable steps to secure the Business Record, (2) ensure that it is saved to a company-approved app as soon as possible, and (3) in consultation with the legal department, if appropriate, delete it from the personal app.
- Consent to Reasonable Search: If an employee creates Business Records on personal apps, the employee consents to allowing the company to conduct a reasonable search for those Business Records on devices controlled by the employee.
A request to search an employee’s phone for company-related communications is a complicated issue that implicates a variety of legal, HR, business and reputational considerations. Having a clear policy in place can help companies and their employees better understand expectations and avoid conflict.