Mark Eting is one of Duncey’s Caps’ top outside sales agents. Because the company is based in Texas, while Mark lives in Cleveland and sells for the company in the Northeast, Mark purchased a personal computer and a laptop to use for work purposes, but was not reimbursed by the company. He did, however, provide the computer to Duncey’s IT department to install the company’s sales tracking program. Unbeknownst to Mark, the IT department also installed software that allowed the company to determine when Mark accessed the sales tracking program and what information he accessed. Duncey’s employee handbook – which Mark acknowledged – stated the company could monitor his use and access of company data on personal devices. For the laptop, Mark purchased software called “LogMeIn,” which allowed him to remotely access the home personal computer while he was on the road. Thus, Mark could use his laptop while traveling, access the home computer, and enter the sales data. At a team sales retreat, Mark casually mentioned to his boss, Tom Prior, how he logged his sales data on the road by using LogMeIn.
When Mark quit, Duncey’s IT department investigated his use of the sales program and found he had been logged in more than usual. Suspicious of this activity, Tom went into LogMeIn and successfully guessed Mark’s username and password. While perusing Mark’s personal computer, Tom found Mark had set up a Google Mail account and was emailing Duncey’s customer information to one of its competitors. Duncey’s filed suit against Mark for various claims. When Mark read the lawsuit’s allegations, he realized the only way Duncey’s could have learned that information was by accessing his personal computer or laptop. Mark fired off a counterclaim for computer hacking. Does Mark’s claim stand a chance?
Cybersecurity Risks with BYOD Policies
Companies are increasingly allowing employees to bring their own devices to work – typically in the form of smartphones that allow the employee to access work emails. But in some instances, especially with small companies or those that allow their employees to work remotely, employees also use their personal laptops or computers for work purposes.
While the ability to bring your own device provides employees with more flexibility – and also makes them more productive – there are several risks. There are potential cybersecurity threats to the company’s data when the employee’s home network or Wi-Fi lacks sufficient security, or when the employee’s device is lost or stolen. Companies also risk that unscrupulous employees who are fired, or who suddenly resign, will attempt unauthorized access to the company’s proprietary information.
BYOD Policies Typically Give Employers Unfettered Access
Most company BYOD policies give employers the right to monitor what information an employee is accessing on their personal devices. This may even include an employee’s use of personal email accounts on devices that are also being used for work purposes. But some employers are going further. A new lawsuit between an investment firm and one of its former managers is testing the limits to which employers can legally “hack” an employee’s device that is used for work purposes. Although the company provided the employee with the computer to use at home for work purposes, the employee was also using it for personal reasons. When the employee left over compensation issues, the company guessed his LogMeIn account password and accessed his personal email account, as well as information he had stored on personal hard drives. The employee sued for violations of federal anti-hacking laws. In response to the lawsuit, the company claimed that its employee handbook authorized the company to access and monitor all electronic documents stored or processed on its computers, including those “which don’t directly relate to [the company’s] business.”
Tilting the Scales in Your Favor
While BYOD policies typically provide companies with very broad rights, it’s hard to imagine that the investment firm’s BYOD policy would allow the company to “hack” into the employee’s computer remotely by guessing his password. The better course of action would have been for the investment firm to demand the employee return the computer immediately. If he failed to do so, there likely would have been good grounds for a temporary restraining order and temporary injunction.