September 29, 2014

Ferry Lopez Addresses the “Kill Switch” Law in the Daily Journal

See the entire article below.

Will California’s “Kill Switch” Law Kill An Employer’s Ability To Protect Sensitive Company Information?

Ferry Eden Lopez

In this digital age, smartphone technology has become essential to, and ubiquitous in, business operations. But the surging popularity of smartphones is blurring the divide between business and personal worlds, which can lead to complicated and costly problems for employers, especially in light of California’s new “kill switch” law.

In an effort to protect consumers and discourage smartphone theft, the state Legislature is requiring every smartphone sold in California, beginning in July 2015, to come equipped with an antitheft measure or “kill switch.” The kill switch enables smartphone users to remotely disable their phones when lost or stolen. Unlike current antitheft security features, such as Find My iPhone and Android Device Manager, the California kill switch must be enabled by default during the initial setup of the device, and must be reversible.

Although smartphones undeniably offer convenience and greater efficiency in the business world, the loss or theft of an employee’s smartphone can raise serious data security and intellectual property issues, and expose the employer to potential liability under state and federal privacy law.

To prevent these security concerns, many employers already have the capability to remotely wipe corporate data from employee electronic devices, such as laptops, tablets and smartphones. Once it is wiped, employers can rest assured that the data is gone for good.

The kill switch law transfers that ability to the employee, and also enables the employee to reverse it. It is not yet certain whether employers will be able to wipe confidential data from an employee’s device after it has been disabled through the kill switch. This change in dynamics can lead to uncertainties and risks in data security unless the employer has access to the kill switch.

But can an employer demand access to an employee’s kill switch? Because this implicates employee privacy concerns, the answer depends on whether the smartphone is company-issued or employee-owned, coupled with the strength of the company’s technology policies.

Company-Issued Smartphones

The state Supreme Court’s opinion in City of Ontario, California v. Quon is instructive on privacy issues arising from an employee’s use of company equipment. Quon was a police officer who used his city-issued pager to send sexually explicit text messages to his wife and mistress. The city’s technology policy stated that it had the “right to monitor and log all network activity including email and Internet use, with or without notice,” and that employees had “no expectations of privacy or confidentiality” in the electronic devices. Because officers were consistently exceeding the monthly text message quota, the police department investigated the number of text messages attributed to personal use, and discovered Quon’s personal messages. Quon sued the city of Ontario, alleging that the city had violated his Fourth Amendment right against unreasonable search and seizure.

The Supreme Court held that Quon’s Fourth Amendment right had not been violated. First, the court found that the city’s technology policy clearly limited the expectation of privacy in city-issued electronic devices. Second, the court found that the city had “a legitimate work-related” reason to review the officers’ messages for personal use.

While Quon is arguably limited to public employees, California courts have applied the same reasoning to private-sector employers conducting searches of employee communications.

In Holmes v. Petrovich Development Company LLC, a state Court of Appeal ruled that an employee’s communications with her attorney from a company computer were not protected by the attorney-client privilege. Petrovich implemented a clear policy prohibiting personal use of company computers, which Holmes signed and acknowledged during her employment. During the course of litigation, Petrovich discovered emails that Holmes sent to her attorney through her company computer, and used them as exhibits at trial. The appellate court found that Holmes’ acknowledgment of Petrovich’s technology policy dispelled any argument that she had an expectation of privacy in her communications through a company-issued computer. Because her emails from the company computer were not private, they were not privileged.

Under Quon and Holmes, so long as employers have well-crafted policies on employer-provided technology, employees have very little (to no) expectation of privacy in their company-issued electronic devices. Thus, an employer should be able to access an employee’s kill switch to protect sensitive data when a company-issued smartphone is lost or stolen.

BYOD

However, as smartphones become more accessible, employers are progressively doing away with company-issued devices, and instead, allowing employees to use their own personal smartphones for work under “Bring Your Own Device,” or BYOD, policies. Although this approach strikes a better balance between employee convenience and employer cost-savings, it limits the employer’s ability to control access to sensitive data when the device is lost or stolen.

Unlike with company-issued smartphones, employees’ expectations of privacy in their personal smartphones are less clear. While employees may have a reasonable expectation of privacy in their own information on their own smartphone, employers still retain ownership of their information. Courts have yet to opine on the proper balance between employee privacy and legitimate business concerns under a BYOD system. Thus, under these circumstances, it is even more important for a company to implement a well-crafted BYOD policy that clearly defines employee privacy expectations and to obtain signed consent for access to the employee’s kill switch. In the event that an employee refuses to comply with these directives, employers should consider requiring the employee to carry a company-issued device.

Key Considerations

Implementing policies that define an employee’s expectation of privacy and control of company information does not in and of itself provide a blanket license for access to an employee’s kill switch. The presence or absence of such policies is just one factor a court will take into account in analyzing whether an employee has a right to privacy. Because employees have very little expectation of privacy in company-issued electronic devices and the need to secure confidential, proprietary data is great, the balance tips in favor of providing employers with access to the kill switch of an employee’s company-issued smartphone. The analysis is thornier when employees utilize their own personal smartphones, and the strength of the employer’s policies becomes more important to the equation.

Ferry Eden Lopez is an associate in Hirschfeld Kraemer LLP’s Santa Monica office. She can be reached at FLopez@hkemploymentlaw.com, or via the firm’s website – https://www.hkemploymentlaw.com

Originally published in the Los Angeles Daily Journal, September 29, 2014. Copyright 2014 Daily Journal Corporation, reprinted with permission.