- A South Carolina company may have violated the Stored Communications Act (SCA) when it accessed a former worker’s private email account after inadvertently discovering the messages following her termination, the 4th U.S. Circuit Court of Appeals held Feb. 9 (Carson v. EmergencyMD LLC, No. 22-1139 (4th Cir. Feb. 9, 2023)).
- With the company’s approval, the worker used her personal Gmail account for her job, according to court documents. After she was terminated, she joined an alleged competitor, and the company and her new employer filed claims against each other in state court for unfair competition and misappropriation of trade secrets, court documents said. During the litigation, the company discovered, reviewed and allegedly printed out emails from the worker’s Gmail account, which had been left open on the web browser of a company computer. The emails discussed joining the new employer and bringing company employees and information with her. The company published the emails in state court, and the worker sued it for violating the SCA.
- A federal district court granted summary judgment to the company, but the 4th Circuit reversed and sent the case back for trial. The SCA prohibits intentional and unauthorized access of stored electronic communications, the appeals panel explained. Here, there was no evidence the company’s initial discovery of the emails was intentional, but its subsequent conduct raised jury questions over whether it intentionally accessed the emails without the worker’s authorization, the panel held. The SCA doesn’t define “authorization,” but “the term is commonly understood to involve knowing, intentional action,” the Fourth Circuit said.
The events of this case took place before COVID-19, but the lesson is timely: In this new normal of remote/hybrid work, employers need to be careful about employees using their personal messaging accounts for job-related business.
“The best way to protect your trade secrets is not to have company data on personal phones,” Darcey Groden, a Fisher Phillips attorney and member of the firm’s Data Security and Workplace Privacy Group, told HR Dive. Instead, employers should issue work phones and computers, Groden said.
If employers don’t want to spring for a company-paid device for the entire workforce, there are things they can do to mitigate the risk of disclosure, she explained. For example, for personal computers, employers should consider virtual private networks (VPNs) that workers log into, rather than having company information saved to the computer, Groden said. For personal phones, employers should use mobile management systems that allow employers to remotely wipe phones.
“In no case should employees be permitted to save work documents or information to their personal devices, and they should not use personal email,” Groden emphasized. Companies should include these rules in a “Bring Your Own Device” policy or other workplace policies, she noted.
The BYOD policy should clarify that company content on personal devices still belongs to the company, require employees to use reasonable security measures on their devices, and address privacy expectations on devices where work contents can be mingled with personal contents, Groden explained. Also, employees should be required to sign the policy before using their own device for company work.
Besides a BYOD policy, companies should also have computer-use policies for company-owned devices and networks, Groden recommended. These policies should make clear that employers don’t have a right to, or expectation of, privacy in communications on data on company-owned networks and equipment.
Relevant here, even if emails on a personal account are discovered inadvertently, businesses should be wary about going through them, Groden said. “If you realize you are logged into a personal account, reign in the urge to snoop, close it out, and seek legal advice to determine whether you have the right to review any information or not,” she added.
If a company suspects someone is stealing information, it should conduct a forensic investigation legally, “which may only be feasible if you require documents to be saved on your servers or employees need to use company-issued devices,” Groden explained. Forensic investigators can see where documents have been saved on computers and whether the documents have been transferred to other devices, she pointed out. By requiring work to be done on employer-owned computers, an organization retains the ability to audit where its information is being disseminated, Groden said.
There are steps employers can take to enforce their BYOD and computer-use policies, protect their trade secrets and set themselves up for success if they need to litigate, Groden added. For example, employers should make clear to employees what is considered confidential or trade secret information. Employers can also have nondisclosure agreements spelling out the trade secrets and non-use requirements. If permitted in their jurisdiction, employers can use a noncompetition agreement. But both types of agreements should be vetted by counsel to ensure they can be enforced as written, Groden cautioned.
Also, to make sure they are well-positioned in a trade secrets case, employers need to demonstrate they have made efforts to keep the trade secret a secret, Groden explained. “And that brings us back full circle: Company-issued devices are the gold standard, although understandably, not always practical. But even if employees use personal devices, you can take advantage of VPNs and mobile management systems to protect your trade secrets,” she said.