laptop (Photo: Shutterstock.com)

With almost everyone working from home during the novel coronavirus pandemic, it has expedited an already growing personal privacy versus business need-to-know issue—just how much can your company use its devices such as a second laptop used almost exclusively at home or the office-purchased cellphone to retrieve employee personal data?

Among the big issues that in-house counsel must monitor include:

Where does an employee's claim to privacy begin and a company's claim to "control" over its devices end?

How does E&O—the errors and omissions professional liability issues that protect companies and their professionals from negligent work—factor into a radically different workplace where work gets entangled with the personal?

Is existing law adequate? Or does it need to be overhauled at the federal and state levels? And will California's tough and controversial new privacy law end up setting national standards on privacy and technology?

These are thorny issues. Organizations and their general counsels need to stay on top of them, embracing policies that protect themselves, their subsidiaries and supply chains, and their employees. GCs also need to recognize that their companies' interests are not necessarily their employees' interests—and that the dynamic could get increasingly strained.

Jules Polonetsky, the CEO of the Future of Privacy Forum, argues that, "People have always communicated in the workplace; now email and computers have made it possible for employers to track those conversations."

"Employers should understand that their right to exert control over their devices needs to be balanced with an individual's right to privacy," Polonetsky says. "When employees use company-owned devices at home, it's reasonable for employers to take certain precautions when those devices hold sensitive information, such as patient records, financial records, or other types of sensitive data."

Company Risks

But what equates to "certain precautions"? Many legal analysts believe that when a company allows its devices to leave the office, it takes on the following risks:

Employees' wi-fi, which enables them to access unsecured networks, triggering security breaches.

If an employee resigns, the company may lose access to that device for some length of time—or forever.

The device could be stolen or lost.

Now that work and personal information are mixed onto single devices, new dangers have emerged.

At many businesses these days, work extends into the evening or weekend hours. Companies can't be expected to "turn off" normal monitoring and privacy protocol just because the employee is using the device out of the office and beyond work hours. Many devices are equipped with a GPS tracking software, which effectively gives the employer a method of tracking its employee, especially if the device is tied to a cell phone. Since the company owns the device, it has the right—up to a point—to do what it wishes. Too often these days, that point is being violated.

Observes Brian Kropp, a group vice president with business consultancy Gartner, "This is the modern workplace now. If you work at a medium- to large-sized company, the odds are the different behaviors you engage in will be tracked by your employer, generated and collected by somebody in the organization."

Some 80% of businesses will be monitoring employees, deploying all manner of tools and data sources, which is more than double the trend that existed in 2015, Kropp estimates.

If you're using a company-issued device and in doing so access the firm's network, "they can get access" to your data, Kropp says.

Global Legal Play

It's not just the U.S. that is fixated on these issues.

A Canadian Supreme Court decision constituted a crucial pronouncement on privacy by holding that an employee had a reasonable expectation of privacy, even on a work-issued laptop.

A precedent delivered by the European Court of Human Rights is also creating a stir. In the case of Bărbulescu v Romania, the employee (Bărbulescu) found himself fired and told that he had breached the company's strict prohibition of email use for personal reasons. The court eventually ruled that his private life had been violated, which could also find its way into U.S. courts.

Current litigation in New York State also portends a significant precedent. In an ongoing lawsuit, Paul Iacovacci v. Brevet Capital Management LLC, Iacovacci accuses the investment firm of accessing his home computer to read his personal emails and stealing data stored on personal hard drives, including sensitive religious information, alleging that the activity violates federal anti-hacking laws. (In full disclosure, my firm has a relationship with a law firm for a litigation funder in this matter.)

Voice-enabled assistant devices are also attracting concern. A study released in early 2020 documents how often smart devices record audio clips without the speaker's permission. Even more sophisticated smart speakers can "accidentally" record audio nearly 20 times per day.

Here's another quandary. If an employee takes a device home, is that now tantamount to a tacit agreement to allow that device to capture personal recordings?

What about the technology that's embedded in employer-owned cars? Laws that prevent the use of mobile tracking devices to monitor the whereabouts of individuals apparently do not apply to GPS in employer-owned vehicles.

Lewis Maltby, the president of the National Workrights Institute, describes the situation as being "very vague," essentially dependent on "whatever shocks the judge."

Companies looking to avoid invasion-of-privacy claims should limit the information they gather to the bare minimum needed for "legitimate business reasons." They should also disable tracking capabilities whenever they're not essential.

Nearly two-thirds of states (plus the District of Columbia) have some kind of law on the books that prevent companies from dismissing employees for off-duty conduct. Since companies increasingly find themselves crosswise with these state statutes, a good rule is: "Don't collect what you can't protect."

Anthem paid $115 million in fines for 2014 and 2015 violations in neglecting to safeguard proprietary employee data.

In 2018, Cox Communications in San Diego was sued over the manner in which it dumped hazardous materials. The suit maintained that the company disposed of customer records without shredding or erasing sensitive information.

Given this track record, a good corollary rule for companies is: "Don't collect what you can't dispose of."

Businesses may get in trouble for deceptively collecting personal data—especially when it becomes increasingly confusing and "deception" becomes increasingly vague. Remember: both could "shock" the judge.

Priorities for Moving Forward

Here's a quick primer for companies and their general counsels.

First, designate someone in the GC's office to become its work/home devices expert and keep everyone apprised of the latest developments. Second, establish a company task force with representatives from the GC's office, IT, and Human Resources, and task it with developing internal policies designed to protect the company's interests while recognizing employee rights, too.

Summarize those policies in a simple guidelines statement, handed out to every employee. And make your company's procedures the focal point of give-and-take seminars jointly run by IT and HR.

Employer vs. employee privacy and technology legal issues are convoluted and getting more convoluted by the day. Stay on top of them.

Letter to the Editor: Read more for a response concerning Paul Iacovacci case.

Richard Levick, Esq., @richardlevick, is Chairman and CEO of LEVICK. He is a frequent television, radio, online, and print commentator.