BYOD Policies and Criminal Investigations: What Happens to Company Information and Employees When Law Enforcement Seeks Access to Personal Devices (Part III)
In our first two posts in this series (you can find them here and here), we explored whether the government can compel someone to unlock his cell phone with a warrant or a subpoena. For today's final post, we're assuming the government manages to get our guy (let's call him Bob—why not?) to do something you might not even do for your best friend—hand over your unlocked phone—in order to explore what happens next. Will the agents have free reign to explore all of the junk you keep on your phone? And if Bob carries work data on his personal device because his employer has a Bring-Your-Own-Device (BYOD) policy, will the company's information be exposed? To answer these questions, we need to shift focus from the Fifth Amendment, which we talked about in our first two posts, to the Fourth Amendment.
The Fourth Amendment protects against unreasonable searches and seizures by generally requiring that law enforcement obtain a warrant to search a person, or her "house, paper or effects." A person's "effects" might include various "containers"—a box inside someone's home, a purse in the passenger seat of her car, or a cigarette case in her pocket (do people still carry those?)—and the Fourth Amendment generally requires the government to get a warrant to search them. There are some exceptions to the warrant requirement, however, including the plain view doctrine. Under that doctrine, law enforcement can seize evidence in "plain view" without a warrant, as long as the agents see the evidence from a "lawful vantage point" and the incriminating nature of the evidence is "immediately apparent" to them. Coolidge v. New Hampshire, 403 U.S. 443, 465 (1971).
These legal concepts may sound a bit loosey-goosey, but in fact are not too tough to apply in most typical cases. For example, if, in the course of investigating a possible Ponzi schemer, federal agents get a warrant to search a guy's house, those agents might see on the living room coffee table a white powdery substance in a clear bag helpfully labeled "MY DRUGZ." The plain view doctrine likely would let the agents seize that evidence: they are lawfully in the house, and the incriminating nature of the bag is immediately apparent and in plain view. But plain view doctrine gets a little trickier when the thing being searched is a cell phone or other electronic device. The Supreme Court acknowledged in Riley v. California, 573 U.S. 373, 386 (2014), that smartphones are so different from other effects people routinely carry around that courts cannot reflexively "extend" traditional warrant exceptions to them. A cell phone search can expose every aspect of a person's life, and if Bob works for a company that employs a BYOD policy, a search of his phone can also expose sensitive, confidential, or proprietary business information. Indeed, as anyone with a smartphone is well aware, separating personal from work files on the device is actually pretty tricky: Downloaded files are commingled into a single "downloads" folder, personal and work calls all appear in the same log, and your email is likely a single application on your phone containing both your personal and work mailboxes.
Mixing it up a bit, let's say our federal agents are now investigating Bob for allegedly stalking his former spouse, and they want to search his cell phone. Like most of us, Bob uses his personal cell phone for work purposes, too, because his employer has a BYOD policy. Once the agents successfully compel Bob to unlock his phone, what can they search? Keeping with the theme of this series, it turns out that the answer isn't all that clear. Most of the caselaw in this area deals with searches of computers, not smartphones, and predates the Supreme Court's decision in Riley. The Fifth and Seventh Circuits held that if the agents have the authority to search a computer, they have authority to search everything on that computer, because the computer constitutes a single "container." Under this theory, once the agents gain access to Bob's cell phone, they can search anything on that cell phone, including his work files. On the other hand, the Sixth and Tenth Circuits held that each folder on a computer is an individual container. Under this theory, even after the agents lawfully gain access to Bob's cell phone, they still need to have the authority to search each of the individual folders on the phone. This is where the plain view doctrine comes into play. If there's a file or folder that seems to fall outside the scope of the agents' search warrant, and if the "incriminating nature" of that file or folder is not "immediately apparent," the agents cannot search it, even if they lawfully accessed the cell phone in the first place.
Thus, under the current legal regime, there is some risk that if an employer utilizes a BYOD policy, company data will be exposed if an employee comes under investigation for her conduct off the clock. Until we get clear guidance on whether law enforcement officers can compel individuals to unlock their smartphones—and about which files, folders, and applications they can search once they gain access to the device—there are a few steps that employers can consider to help minimize the risk that company data is exposed during a criminal investigation into one of their employees.
BYOD policies are convenient for employees and low cost for employers, but companies may want to weigh those benefits against the costs the company may face if its data is accessed during a criminal investigation into an employee's alleged wrongdoing. It may be that those costs are too high; if they are, companies can provide work devices to those employees who have access to the most sensitive business information, and instruct those employees that those devices are to be used for business purposes only. (Many companies already take such an approach when employees travel to certain countries.) If a company decides to stick with a BYOD policy, it can consider bolstering that policy with additional guidance for employees. For example, the policy might state that employees should not download any work document to their personal device, or take care to move that download into a folder marked "Work" as soon as its downloaded. Or the policy might provide that certain types of company business should never be conducted or company information accessed on personal devices. Companies also could require employees to disclose when they are arrested or when their phones are searched, to the extent that law enforcement permits such a disclosure.
As this three-part series has shown, compelled decryption of smart phones during criminal investigations poses unique practical and legal questions, and individuals, companies, law enforcement, and the courts are still grappling with them. While both companies and employees may like the convenience that comes with using a single device for both work and pleasure, the best practice to secure company information may be to keep your employees' personal and work lives separate.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.