It is increasingly common for employees to use their personal laptops, smartphones, USB drives, and other technology devices for both personal and work purposes. In a recent survey, 95% of workers responded they have used technology they purchased themselves for work. While many companies have policies that allow them to monitor employee use of company-owned devices, they do not always address the situation where employees use their own devices. A recent case decided by the Georgia Court of Appeals shows the importance of having a broad policy that allows your company to monitor technology devices regardless of who owns them.
In Sitton v. Print Direction, Inc., the plaintiff worked for a printing company, but his wife also owned a printing business. On the side, the plaintiff brokered printing jobs and sent them to his wife’s company instead of his employer. The plaintiff did not use his company-issued laptop, but instead brought his personal laptop to work, connected it to the company’s network, and used it to conduct business for his wife’s company. Once the company “caught wind” that the plaintiff was competing, his supervisor entered the plaintiff’s office when he wasn’t there and saw that the screen on his computer showed a non-work related email account, with messages concerning the brokering of print jobs to his wife’s company. The supervisor printed the email messages and later used them as a basis for the plaintiff’s termination.
The plaintiff sued, claiming, among other things, invasion of privacy and violation of the Georgia Computer Systems Protection Act. After losing at trial, the plaintiff appealed his case to the Georgia Court of Appeals, arguing that the company did not have authority to access the emails on his personal computer. The Court of Appeals disagreed with the plaintiff, holding the company had the authority to access the emails because its computer usage policy was not limited to company-owned equipment. Instead, the policy stated that employees should not regard “electronic mail left on or transmitted over these systems” as “private or confidential,” and provided the company with a right to access any computers that transmitted data through its systems. The court also held that the supervisor’s activity was “reasonable in light of the situation” because: (1) the company had reason to believe the plaintiff was competing; (2) the company’s interests were at stake; and (3) the supervisor acted as part of an ongoing investigation about the plaintiff’s conduct.
This case should prompt employers to review their current technology policies. Existing policies are often inadequate because the authorization to monitor activity or inspect devices is limited to equipment owned by the company. To address the growing consumerization of IT, workplace policies should grant broad authority to access employee-owned devices that are used for work, as well as an employee’s activity on the device, including an employee’s web-based personal e-mail or social network account. The policy should state that the employee is being given access to the company’s network using his personal device on the express condition that he agrees the company has authority to monitor the device and his activity. As always, the best evidence of the employee’s consent is a signed acknowledgement of or consent to the policy that is kept in the employee’s personnel file.