BYOD Policies and Criminal Investigations: What Happens to Company Information and Employees When Law Enforcement Seeks Access to Personal Devices (Part I)

Many companies (including Arnold & Porter) stopped issuing Blackberry phones to their employees a few years back, and instead adopted a Bring-Your-Own-Device (BYOD) policy, which lets employees use their personal cell phones for work. One of us (guess who) really loved the old Blackberry (and grumbled loudly when the change was announced), but now grudgingly has to admit that a BYOD policy does make life easier in many ways. But a BYOD policy also makes it possible—in fact, it's almost certain for many of us—that at any given time an employee will be carrying on her smartphone confidential, proprietary, or sensitive company or client information along with all of the personal, intimate details of her life. This mixing of personal and business stuff on the same phone probably doesn't matter most of the time. But it can raise some fairly tricky issues for both the company and our employee if she one day finds herself the focus of a criminal investigation, and law enforcement decides it wants to search her phone.

In this series of three posts, we'll explore some of those issues: What happens when law enforcement wants to compel an employee to unlock her personal device? And how could that impact the employer? In our next two posts, we'll dive into the second issue, focusing on how an employer may be impacted when law enforcement wants to search an employee's phone. But for now, we'll set the stage with the threshold issue of whether, and under what circumstances, the government can get a court order that compels someone to enter her password so law enforcement agents can search her phone.

Suppose, for example, that one of your company's employees gets accused of stalking a former spouse. A good detective probably would love to take a look at the suspect's cell phone to see the text messages sent or a list of phone calls made to the alleged victim. Our diligent detective of course can go to court and get a warrant to search the phone. But even with a warrant, he still needs to open the phone, and to do that he'll need the password. So here's the question: Can the detective also get a court to order the suspect to enter the password, or is she allowed to simply refuse to open the phone, resting on the Fifth Amendment privilege not to incriminate oneself?

It turns out that courts are divided about whether the Fifth Amendment prohibits the government from compelling individuals to enter passwords to their phone in these circumstances. For example, in a recent case that reached the Indiana Supreme Court, law enforcement officers sought to compel the defendant to enter the password to her cell phone in connection with a stalking investigation. The court rejected that attempt, holding that compelled decryption can violate the Fifth Amendment. But a recent Massachusetts Supreme Court case went the other way. The court rested its holding on the "foregone conclusion" exception to the privilege against self-incrimination. Essentially, this exception says that, when the government doesn't need your testimony because it's a "foregone conclusion," it can compel it without violating your Fifth Amendment rights.

In Massachusetts's view, the only "testimony" implied when entering your password is that you know the password, and that testimony is a foregone conclusion because the government already knows that you know your own password. Thus, the court reasoned, the Fifth Amendment's privilege against self-incrimination doesn't apply. The Indiana Supreme Court, on the other hand, viewed the act of unlocking a phone as implying more than just that the defendant knew the password, but also that she knew and controlled the contents of the phone. Accordingly, the government needs to know more (at least in Indiana) than just that a defendant knows her own password in order to compel her to unlock the device.

As a quick aside: Even if Massachusetts's foregone conclusion approach ends up prevailing, it still remains to be seen whether the government can introduce at trial the fact that the defendant herself unlocked the device for investigators. As one commentator has noted, courts have not resolved whether the defendant's act of opening the phone (the "act of production") is admissible at trial after the government compels that act by relying on the foregone conclusion doctrine. But there's good reason to think that courts ultimately will settle on excluding the "act" evidence from trial. Using the foregone conclusion exception to access a device during an investigation depends on the government showing, through evidence, that it already knows the testimony it seeks to compel—that the individual knows the password. It just wouldn't be cricket in our view if the government on the one hand is able to compel someone to enter a password because it was able to convince a judge that it's a foregone conclusion that she knew the password, and then was also able to use that implied testimony—the "act of production"—as evidence against her. At least one lower court has agreed. See United States v. Spencer, No. 17-cr-00259-CRB-1, 2018 WL 1964588, at *3 (N.D. Cal. Apr. 26, 2018) ("Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so.")

These are fun legal puzzles, of course, but the evolving law in this area also is important for an employer to know, particularly if the company has a BYOD policy. Go back to our stalking example, where an individual employee is under investigation—but her employer isn't. If law enforcement compels the employee to unlock her personal device to read the text messages or get a list of the phone calls she made to her former spouse, her employer's data might also be exposed.

We'll tackle some of the impacts compelled decryption can have on employers in our next two posts. We'll first explain how the current split over compelled decryption may come into play during an investigation into a corporation, and then we'll turn to how employers might protect their sensitive, confidential, or proprietary business information when an employee comes under investigation for a crime she may have committed while off the clock. Stay tuned!

© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.