What Hillary Clinton's Use of Bring Your Own Device at Department of State Means for Protecting Your Trade Secrets
March 27, 2015
With all the to-do about former Secretary of State Hillary Rodham Clinton's work-related use of her personal email account and server, little has been said about what such use means for private employers. Politics aside, the controversy underscores a challenge that employers face when they allow employees to use personal devices for work purposes because they must allow those employees access to the employer's systems and internal information. Therein lies the challenge.
Prudent employers develop a written Bring Your Own Device (BYOD) policy that lays out the permissible and impermissible uses of devices such as laptops and mobile phones. A comprehensive BYOD policy can set a reasonable expectation of privacy limitations while protecting against potential liabilities and losses that can come from allowing greater access to an employer's internal systems and information.
The Clinton story highlights one thorny area especially worthy of the attention of private employers: BYOD policies and practices must anticipate the risks that use of certain personal devices may pose to the employer's trade secrets.
The mutual benefits of BYOD policies are becoming well known. They spare employees from having to juggle multiple devices, allow them to use a device of their choosing, and sometimes reimburse certain costs associated with a personal device. Employers may enjoy an increase in employee responsiveness with a decrease in spending on technology.
But those benefits come with a different kind of cost: reduced protection of employer information. A prudent employer must consider how any current or contemplated BYOD policy affects its ability to protect trade secrets and other proprietary information.
The Uniform Trade Secrets Act (UTSA), which 40 states and the District of Columbia have enacted in one form or another, generally defines a trade secret as:
- information (such as a formula, pattern, compilation, program, device, method, technique, or process);
- that derives independent economic value from not being generally known to or readily ascertainable through appropriate means by other persons; and
- is the subject of reasonable efforts to maintain its secrecy.
Is "information" that is available to employees through a BYOD policy "not…readily ascertainable"? Is such information "the subject of reasonable efforts to maintain its secrecy"?
Protecting trade secrets and proprietary information accessed by employees on company (i.e. not personal) equipment is hard enough. In addition to normal IT protections integrated into its devices, employers derive some protection by requiring employees to sign non-disclosure agreements. As a practical matter, employers with BYOD policies cede some degree of control over the devices storing company data. Employee personal devices are more likely to be lost, stolen, hacked, or otherwise compromised. When this happens, trade secrets are more likely to be misappropriated.
Intentional employee misconduct further complicates an employer's difficulty in securing trade secrets and other proprietary information under a BYOD policy. Such employees may be tempted to store sensitive company information because the employee has less fear of routine monitoring by the company. Such an employee who fears s/he is about to be caught can more easily destroy or scrub a personal device than a piece of company equipment.
Employers who adopt BYOD policies must draft them knowing they will have to answer the following question in litigation: Does this policy reflect "reasonable efforts" to maintain the secrecy of the trade secrets and proprietary information that employees are accessing on their personal devices? What constitutes "reasonable efforts" likely will vary by company, industry, work setting, and the nature of the information sought to be protected. Appropriate protections might include prohibiting apps on a smartphone that might jeopardize the security of data on the phone; limiting the information an employee can access on a personal device; allowing the company to remotely wipe the device upon termination of employment or other situation of concern; and electronically monitoring the personal devices.
The difficulty of protecting electronically stored trade secrets did not begin with BYOD, and it is not eliminated by forbidding the use of personal devices. Whether BYOD makes sense for your organization is a case-by-case determination. If it does make sense, there is no one-size-fits-all BYOD policy. In the end, with or without BYOD, employers must remain aware of the challenges of protecting trade secrets and proprietary information – politics aside.