BYOD Policies and Criminal Investigations: What Happens to Company Information and Employees When Law Enforcement Seeks Access to Personal Devices (Part II)
We're taking it back a few decades to the 1980s to kick off the second in this series of posts. (In the interest of full disclosure, only one of us (guess who) was around during the 80s, and he was many moons away from practicing law.) Computers were around but weren't ubiquitous in offices until late in the decade. Chances are, if a federal agent popped into a company's office in 1988 with a warrant to search its files, she'd be tasked with collecting and combing through hundreds of thousands of pages of documents, both typed and handwritten, shoved into boxes and desks and filing cabinets. Imagine, then, that the agent enters the office of a corporate bigwig and finds a locked safe. Once the safe is opened, she finds two folders inside: one marked "Work" and one marked "Personal." Assuming that the search warrant is appropriately circumscribed to only company information and is supported by probable cause, the agents likely have the authority to search the "Work" folder but not necessarily the "Personal" one.
The twist, though, is that before our agent can even get to the folders, she has to open the safe—and that's not an easy thing to do. Can the government require the company to open the safe so the agent can search the folder containing work papers? Even if opening the safe would implicate the employee who opens it in a crime? After the Supreme Court's decision in Braswell v. United States, 487 U.S. 99 (1988), the answer is yes—sort of. Braswell tells us that corporations have no Fifth Amendment privilege against self-incrimination, and the corporation can be required to designate a custodian to produce those records on the corporation's behalf.
Fast forward to today, where 80s music—thankfully—is still alive and well. Like our 1980s example, if a company finds itself ensnared in an investigation, federal agents may well show up one day with a warrant to search for company files in an employee's smartphone. And just like they could with the company safe, if those devices are password protected, you can imagine that, invoking Braswell, the government could seek to compel the company's custodian to unlock the phone so the agents can do the searching, without running afoul of the Fifth Amendment.
But what if the only person who can unlock the device is the employee himself? For many employees who use their personal cell phones for work under a BYOD policy, that may very well be the case. Does the employee have a Fifth Amendment right to refuse to unlock the device, even in response to a subpoena for the corporation's records? It turns out that the answer isn't all that clear, and may depend on which state or jurisdiction you're in. Although corporate employees have no Fifth Amendment right to refuse to produce corporate records in their possession, they can invoke their Fifth Amendment right to testify against themselves. If the act of providing a personal passcode to unlock his phone is testimonial in nature, then the employee may well be able to assert his Fifth Amendment right to refuse. See, e.g., SEC v. Huang, No. 15-269, 205 WL5611644 (E.D. Pa. Sept. 23, 2015) (holding that because personal passcodes to a smartphone were not corporate records and were testimonial in nature, the SEC could not compel disclosure of those passwords). But if unlocking his phone is not testimonial in nature, then the employee could be compelled to enter his password. As we discussed in our previous blog post in this series, the courts are currently divided about whether individuals have a Fifth Amendment right to refuse to unlock their phones at the government's behest. If the Indiana Supreme Court's view prevails, the Fifth Amendment can prevent the government from compelling the employee to unlock his smartphone—but if the Massachusetts Supreme Court's view prevails, it does not.
An employee's decision to "take Five" in these circumstances can have significant ramifications for his employer. Among other things, good faith cooperation with a government investigation often goes a long way in mitigating a corporation's liability for any potential wrongdoing. By refusing to unlock his phone, an employee can undercut the company's effort to cooperate. And in some circumstances, it can lead to an adverse inference of wrongdoing against the corporation in civil proceedings. See, e.g., Libutti v. United States, 107 F.3d 110 (2d Cir. 1997). For these reasons, employers may decide to implement workplace policies requiring employees to cooperate with corporate investigations by unlocking their cellphones when asked, at the risk of putting employees in a tough situation: cooperate and possibly incriminate yourself, or invoke your Fifth Amendment rights and possibly lose your job. If an employer chooses to go this route, it should keep in mind that it may have statutory obligations (under the California Consumer Privacy Act, for example, see 11 CCR § 999.305(f)) to notify employees that the company may disclose their personal information to law enforcement—i.e., by compelling employees to unlock their phones when asked. This could soften the blow of the employer's policy, but it might not assuage an employee's fear of having to choose between his job and his Fifth Amendment rights.
In addition to its implications for corporate investigations, employers may have another reason to care about the split between the courts regarding compelled decryption. In jurisdictions where law enforcement officers currently can compel individuals to unlock their mobile devices, employers might be wondering whether and how any confidential business information present on the device might be protected from disclosure during an investigation into the employee's individual wrongdoing. As anyone with a smartphone (i.e., almost everyone) is well aware, separating personal from work files on the device is often not as easy as labeling folders in a safe "Work" and "Personal." Downloaded files are commingled into a single "downloads" folder, personal and work calls all appear in the same log, and your email is likely a single application on your phone containing both your personal and work mailboxes.
This is where the Fourth Amendment and company policies come in. Like the Fifth Amendment considerations underlying compelled decryption, Fourth Amendment law is rapidly developing as to what folders, applications, and files government agents can search on electronic devices under any given search warrant. In our next blog post, we'll talk about these developments and provide our thoughts on what policies employers might put into place to protect their confidential business data while we await clear guidance from the courts on whether law enforcement officers can compel individuals to unlock their smartphones, and about which files, folders, and applications they can search once they gain access to a device.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.