By Allen Smith
The conflict between the federal government and Apple over a locked iPhone that belonged to one of the shooters in the San Bernardino, Calif., terrorist attack is reminiscent of a more everyday situation that organizations may face, with employers and employees at loggerheads over encrypted mobile devices. The stakes may not be as high, but employees may adamantly oppose giving their employers access to their electronic devices.
A note first about what’s at stake in the Apple case:
“If Apple were to provide a code crack to give law enforcement access to data that’s supposed to be secure, the public will lose confidence in [the company] and it could be detrimental for Apple, as well as to any company in the wireless or computer industries,” said Gordon Berger, an attorney with FordHarrison in Atlanta. “In addition, releasing code of this sort could lead it to falling into the wrong hands, which could lead to massive data breaches, cyberterrorism and the like.”
The government’s interest in using such code, and possibly the information on the iPhone, to learn more about the terrorist suspects’ plans for the December shooting is apparent.
More generally, here’s how employers can avoid a confrontation with employees over access to company data on an employee’s personal device: prevent the problem before it happens by putting “backdoor” provisions in place, meaning both the employee’s written consent to employer access and an employer-held means of decrypting the data, before allowing employees to access company information on the device.
Employees’ stance on their right to privacy on their own devices can be just as entrenched as an employer’s defense of its right to access company information that may be stored on a personal device. The standoff usually arises when employees are allowed to take advantage of bring-your-own-device (BYOD) policies.
“If employers permit employees to use a personal iPhone or any other personal device with strong encryption for work without planning for future access by the employer to information on the phone, the employer likely will have substantial difficulty getting access to information for investigations, to protect its confidential information and to implement a litigation hold when relations with the employee sour,” said Philip L. Gordon, co-chair of Littler’s Privacy and Background Checks Practice Group in Denver.
“Employers should permit employees to use an encrypted personal device for work only as part of a deliberate BYOD program that permits employers to protect their interests while balancing employees’ privacy interests in their phone,” Gordon said. “In addition, employers should prohibit employees from installing any encryption on any company-owned device unless the employer manages the encryption; otherwise, the employee can effectively turn the company-owned device into a ‘brick.’ ”
As BYOD becomes increasingly prevalent, “neither employers nor law enforcement will be able to get access to corporate data without the employee’s cooperation or a court order,” Gordon predicted.
He said that with BYOD, the employee can simply refuse to provide the device or the password. “Encryption and other security controls will only complicate the issue. However, in that scenario, I believe the employer or law enforcement could get a court order requiring the employee to disclose the password.”
Employers may choose to encrypt their own mobile devices, such as laptops, smartphones and tablets, because encryption is effectively required by a particular regulatory regime, such as the Health Insurance Portability and Accountability Act or Massachusetts’ information security regulations.
“Even when there is no regulatory obligation to encrypt, encryption reduces the risk of a security breach that requires notification because all breach notification laws have a safe harbor for encrypted data,” Gordon explained. “Employers also may encrypt to protect trade secrets.”
Much of the information on a portable device that is owned by the employer usually is accessible on the corporate e-mail or network server or, if employees back up local hard drives, on back-ups, he noted. “Consequently, the encryption often will not pose a barrier to access information.” If the device is owned by the employer, though, and the information can’t easily be accessed elsewhere, the employer can demand the employee’s password to the device, since the employer owns both the device and the information on it. Note that this is different from the situation regarding social media sites, since employers are prohibited in many states from asking for their employees’ passwords to those sites.
“The one situation where an employer might have a problem is where the information is not available anywhere besides the encrypted portable device, and the employee refuses to provide the password,” Gordon said. “If the employer did not set up an alternate decryption key option, i.e., a backdoor, or otherwise manage encryption carefully, then the mobile device would be a ‘brick.’ ”
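The “alternate decryption key option” Gordon describes, and the “employer manages the encryption” condition in his earlier remark, are what security engineers call key escrow: the data is encrypted under a random data-encryption key (DEK), and that DEK is wrapped separately under the employee’s passphrase and under a recovery key the employer holds. Whoever can unwrap any one copy of the DEK can read the data; if no recovery copy was ever created, a refused passphrase really does leave a brick. The following is an added illustration written for this page, not code from the article or from any product it mentions. It uses only the Python standard library: HMAC-SHA256 in counter mode stands in for a real authenticated cipher such as AES-GCM, and the names (ManagedVolume, seal, open_sealed, COMPANY_DATA) and the sample data are all constructed for the example.

```python
"""Toy model of employer-managed encryption with an escrowed recovery key.

Added illustration, not from the SHRM article. Standard library only:
HMAC-SHA256 in counter mode is a stand-in for a real AEAD such as AES-GCM,
and the whole thing models the key-slot idea, not an actual disk encryptor.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of nonce prepended to every sealed blob
TAG_LEN = 32     # HMAC-SHA256 tag appended to every sealed blob


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a keyed PRF used as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting, so a wrong key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def passphrase_kek(passphrase, salt):
    """Derive the employee's key-encrypting key from their passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


class ManagedVolume:
    """Data is encrypted under a random DEK; the DEK is wrapped once per key slot."""

    def __init__(self, passphrase, plaintext, recovery_key=None):
        self.salt = os.urandom(16)
        dek = os.urandom(32)
        self.slots = {"user": seal(passphrase_kek(passphrase, self.salt), dek)}
        if recovery_key is not None:          # the "alternate decryption key option"
            self.slots["recovery"] = seal(recovery_key, dek)
        self.blob = seal(dek, plaintext)
        # The raw DEK is discarded here; only the wrapped copies in the slots survive.

    def read_with_passphrase(self, passphrase):
        dek = open_sealed(passphrase_kek(passphrase, self.salt), self.slots["user"])
        return open_sealed(dek, self.blob)

    def read_with_recovery_key(self, recovery_key):
        if "recovery" not in self.slots:
            raise LookupError("no escrowed recovery key: without the passphrase this volume is a brick")
        dek = open_sealed(recovery_key, self.slots["recovery"])
        return open_sealed(dek, self.blob)


# Constructed sample: company data stored on an employee's encrypted device.
COMPANY_DATA = b"Q3 pricing sheet (constructed sample data)"


def employer_access_with_escrow():
    """Employer-managed encryption: a recovery key was escrowed at provisioning."""
    escrowed = os.urandom(32)                         # held by IT, not the employee
    vol = ManagedVolume("employee-secret", COMPANY_DATA, recovery_key=escrowed)
    # The employee refuses to share the passphrase; IT uses the escrowed key instead.
    return vol.read_with_recovery_key(escrowed)


def employer_access_without_escrow():
    """Employee-installed encryption with no managed key: the employer is locked out."""
    vol = ManagedVolume("employee-secret", COMPANY_DATA)
    try:
        vol.read_with_recovery_key(os.urandom(32))
    except LookupError as err:
        return str(err)
    return "unexpectedly readable"


if __name__ == "__main__":
    print(employer_access_with_escrow())
    print(employer_access_without_escrow())
```

The design point is that escrow has to happen when the volume is created, because that is the only moment the DEK is available in the clear to wrap under a second key; adding a recovery slot later also requires the passphrase. Production equivalents of the recovery slot include BitLocker recovery passwords escrowed to Active Directory or an MDM and FileVault recovery keys escrowed by an MDM, which is what “the employer manages the encryption” means in practice.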
Allen Smith, J.D., is the manager of workplace law content for SHRM. Follow him @SHRMlegaleditor.