So, have you implemented a Bring Your Own Device policy yet? If not (and your employees are using their personal devices for business purposes), your organization may be at risk.
The governor's aide at the heart of the New Jersey bridge debacle used her personal Yahoo! email account to send the infamous emails which led to the closure of three lanes of the George Washington Bridge in September. Those emails were not initially provided in response to an open records request from a New Jersey newspaper. Should they have been disclosed?
Whether you are in the public or private sector, there are lessons to be learned from New Jersey.
Is a personal e-mail account subject to Pennsylvania's Right to Know Law?
Pennsylvania's Right to Know Law was enacted in 2009 to provide citizens with prompt access to the public records of their state and local governments. According to Pennsylvania's Office of Open Records website, personal telephone numbers and email addresses are exempt from disclosure. However, if an employee is using a personal email account to send business emails, the content would likely fit squarely within the definition of Record under the Right to Know Law. Public Employers have an obligation to produce public records within five days, unless the record might fit into one of the enumerated exceptions. A carefully constructed BYOD Policy puts your employees on notice of what is permitted, what is prohibited and what their responsibilities are.
Is a personal email account subject to discovery in litigation?
Employers, both in the public and private sector, have an obligation to preserve all information (paper and electronic) relating to the subject of current or impending litigation for possible production. This requires litigants to suspend routine document destruction/retention policies in order to safeguard the data. Do you have any influence over how your employees treat data on their personal devices? Again, a well-constructed BYOD Policy will clearly set forth the responsibilities that come with the privilege.
Obviously, you cannot circumvent the Right to Know Law or the electronic discovery rules by permitting (or requiring) your employees to use their personal devices, accounts and numbers to conduct business; but how do you limit exposure?
The American Civil Liberties Union ACLU of New Jersey has called for New Jersey's Governor to require employees to use government-issued email accounts to conduct public business and to maintain any emails or texts sent from personal accounts as government records in the event an employee leaves their position.
Once you have decided to permit employees to use their personal devices for business purposes be sure to work with your IT Department to implement a BYOD Policy that puts employees on notice of:
the need to maintain security through passwords and, if necessary, encryption;
the employer's right to access, review and collect data from the device;
the obligation to preserve any data which might be relevant to current or pending litigation;
the employer's right to manage installation of applications/programs;
prohibited uses (harassment, bullying, sexting) and modifications (jailbreaking/rooting);
the consequences for misuse (revocation of privilege, discipline, termination);
the procedures to follow if the device is lost or stolen.
We also recommend that any BYOD policy be tailored to your organization's specific needs and that you obtain a signed acknowledgment of receipt and understanding from each employee who is afforded the privilege of using their personal device for business purposes.