BYOD Policy: Employee Right to Social Media Privacy Is Paramount

If your company lets employees bring their own devices for work purposes, you’d better have a formal BYOD policy—one that understands employee privacy rights and employer access rights.

Such policies are often crafted by legal experts for good reason. Violations of certain rights can land companies in hot water. Management consulting firm Janco Associates has created a 14-page BYOD policy template covering everything from help and support to disaster recovery to access control.

In the privacy section, Janco outlines legal issues.

Janco cites one of the cornerstone legal considerations called the Stored Communications Act, or SCA. It deals with the disclosure of stored wire and electronic communication and transaction records retained by third-party Internet service providers, or ISPs.

Essentially, SCA prohibits ISPs from divulging a customer’s content. Companies attempting to access electronic communications stored at an ISP without authorization can be fined or imprisoned. The employee can also seek a civil remedy.

There is a legal precedent favoring employee rights: Pietrylo v. Hillstone Restaurant Group in 2009, whereby a couple of employees created a MySpace page to complain to registered members about the company. Managers allegedly pressured one member, another employee, to give up her log-in ID and password to access the MySpace page.

The two employees that created the MySpace page were outed and fired, yet the court upheld the jury’s verdict that Hillstone was liable for violations of the SCA.

One can only imagine similar scenarios playing out on a BYOD smartphone or tablet. These devices access an employee’s Facebook page and other password-protected social networks and personal data residing on servers. With the rise of BYOD, technology and legal experts are now predicting employee lawsuits concerning privacy violations, unpaid overtime and other issues.

Story: BYOD Lawsuits Loom as Work Gets Personal

The message is, do not try to gain unauthorized access to an employee’s private social networks, says Janco. You shouldn’t even ask an employee to provide log-ins and passwords to a private site, because you may have to show that you didn’t coerce or threaten the employee to comply.

“The Stored Communications Act is outdated as its authors never contemplated the prevalence of social media and BYOD (Bring Your Own Device) computing environment,” Janco writes in its policy template.

“Companies don’t have to stop monitoring because of the Stored Communications Act; they just have to be smart about it. If you ask the owner or administrator for access to a private site and they say no, walk away. Recognize the limitations imposed by employment and privacy laws on your ability to monitor employee sites.”

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at tkaneshige@cio.com