October 11, 2018

The dangers of keeping personal information on work computers

Posted in Cybersecurity, Employment Law by Gene Killian

Who’s getting tired of reading about (and dealing with) cyber issues? (Me! Me! Me!)

But they aren't going away any time soon (or ever).  A new lawsuit (filed last week as I write this) is pretty interesting, because it highlights a common and prominent problem:  The intermingling of personal and business data on a work computer.  Just how much can an employer “snoop” into an employee’s private data without getting into trouble, even if the company employment manual warns that there’s no expectation of privacy in company computers?

Facts: Paul Iacovacci was a Managing Director at Brevet Capital Management LLC, a small investment management and financial services firm. He worked for Brevet for about 10 years. Brevet bought him a Dell laptop, which he used to telecommute from his home in Connecticut.  Iacovacci used the laptop not only for business, but also as a family computer.   He installed LogMeIn software, which allowed him to remotely access the computer while away from home, and he attached two hard drives to the computer, which contained personal information, like his kids’ homework, his tax information, medical information…and, apparently, communications with his attorneys regarding a dispute with Brevet.

Things began to go sideways in January 2016, when Iacovacci told the company that he intended to retire because of health issues.  After months of negotiations about an appropriate severance package, Brevet fired Iacovacci.  This being America, Iacovacci immediately filed suit for wrongful termination in state court in New York, claiming he was owed tens of millions of dollars in compensation.  (That case is still pending.)  Brevet, meanwhile, claimed that Iacovacci had stolen proprietary information from the company.

Recently, Iacovacci upped the ante by filing another suit, this one in federal court, alleging that Brevet had violated the Computer Fraud and Abuse Act, the Federal Wiretap Act, the Stored Communications Act, and state law by accessing data stored on his personal hard drives, which were attached to the Brevet-supplied laptop.  Specifically, Iacovacci says that on the day he filed his wrongful termination suit (October 14, 2016), Brevet used LogMeIn to break into the laptop and get access to personal e-mails, as well as to data on his personal hard drives.  Iacovacci says that Brevet guessed his password—a combination of his children’s names and birthdays (always a mistake, folks, but better than using “password,” I guess)—and tapped into his personal hard drives nearly two dozen times in 2016.  Iacovacci contends that Brevet illegally accessed his Yahoo e-mail account, including attorney-client privileged information relating to the state court suit. Finally, Iacovacci says that the company installed software on his computer (FileZilla) that allowed large amounts of information to be transferred.

For its part, Brevet says (essentially), “Damn right we broke into the computer. We suspected he was setting up a competing business and stealing our trade secrets.  Not only that, we bought the computer, so it belonged to us, and we didn’t ‘guess’ his LogMeIn password.  He gave our IT department the password  so they could do maintenance. And our employment handbook warns everyone who works here that we can monitor everything on a company computer, even your private stuff.”  Brevet also says that Iacovacci filed the federal case as a ruse to avoid complying with an order in the state court case to turn over the computer for examination.

This (expensive) little spat raises almost too many legal issues to count.  But here are a few things to consider:

First, the extent to which employers can access personal information on employees’ work computers is still a gray and developing area. Employers typically aren’t allowed to hack into an employee’s personal email account on a work device, for example; but there are ways for employers to see that data without engaging in hacking.  Employees often don’t realize the extent of the digital trail that’s left behind on work computers when they read their personal emails at work, and management generally can legally access data like personal text messages if employees plug their personal phones into work computers and back them up through a program like iTunes. If you use your personal Gmail account on a work computer, for example,  there’s likely going to be personal information that management can easily see.  So, employees should probably keep in mind the “New York Times rule.”  If you wouldn’t be comfortable with a piece of personal information appearing on the front page of the New York Times…you should probably keep it off your work computer.  (The problem is of course compounded by “bring your own device” policies.) 

Second, in New Jersey anyway, the Supreme Court has specifically held that employers cannot access communications between an employee and the employee’s attorney, made using a private e-mail account through a work computer.  But the Court also warned:   “Our conclusion that [the employee] had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy.”

Lastly, I will engage in some unfair Monday-morning quarterbacking. I wasn’t there, so I didn’t see the problems between Iacovacci and Brevet develop, but I’ve seen many arguments between companies and departed employees happen over the past 30 years of law practice. Battle lines get drawn, egos get involved, people don’t talk to one another, and each side in a “conversation” thinks that the other side is engaging in nefarious conduct and trying to screw them.

I wonder how many problems like this could be avoided through effective leadership and effective communication. When people trust each other in an organization, and problems arise, they sit down, get their egos out of the situation, and try to be accommodating to each other. The alternative – expensive, time-consuming, and frustrating litigation – is almost never a good option.