Thursday, September 01, 2011

Trigger Happy Employers Using “Remote Kill” to Erase Employee Devices Violate Federal Law.

A trigger happy employer pulling the “remote kill” trigger without first notifying the employee of the intended kill can cause the employee to lose precious and emotionally sensitive personal data, such as pictures, voice mail, contacts of friends and family, music, financial data and even numerous stored links and passwords. 

Smartphones, iPads and other Tablets are so popular with employees that employers are feeling the need to combine the employees’ use of the devices with access to work data and programs.  On the surface, this symbiosis is a “win-win.”  The employee doesn’t carry multiple devices and the employer doesn’t front the cost of a new laptop or cellular phone.  In this manner, iPhones and iPads have been pushing into the territory traditionally held by company laptops and Blackberries. 

The problem with this arrangement is corporate security.  The employee is co-mingling his personal and business data, especially in email accounts and texts.  What if the employee is terminated or quits [or the phone is lost or stolen] and the employer is concerned about confidential or proprietary data now being resident on that employee’s smartphone?  The solution for the employer increasingly is the “remote kill.”  The employer sends a wireless command that erases everything on the smartphone—personal and business.  Background Information:  Wall Street Journal.

Employers are violating the law.  Unless the employer has authorization and consent to do a “remote kill,” entering an employee’s private and personal device to obtain or delete data is a violation of the federal “Computer Fraud and Abuse Act.”  Significant civil and criminal penalties apply.  Frankly, many companies do not have an explicit “remote kill” policy, and have taken no precautions to notify employees of the conditions they attach to use of a personal device to retrieve and store company information. 

Employees can of course use common sense and routinely back up their personal data in anticipation of a “remote kill” or lost phone.  The employee may even appreciate the ability of an employer to do a “remote kill” when his personal mobile device or tablet is lost.  Yet, without being warned, employees often are lax or indifferent to the need to do backups. 

Clearly there is a “disconnect” among the I.T. department, the H.R. department, and the employee.   I.T. thinks only “kill,” H.R. isn’t thinking at all, and the employee likewise fails to see the consequences to his personal data if he is laid off or fired.  The solution is a plan, with full disclosure and documents evidencing disclosure and consent. 

Good Technology Inc. produces software that allows company data to be “walled off” in secure “containers” within an employee’s device so that the “remote kill” erases only the company data within the container.  An elegant, and I submit, a necessary solution.  Completing erasing of private personal information with the pull of a remote trigger, in my opinion, is the kind of outrageous conduct that justifies a suit for “Intentional Infliction of Emotional Distress” because it encompasses, potentially, the commission of a federal crime (“Computer Fraud and Abuse Act.”).  Punitive damages are likely if there is evidence of a high level management’s conscious disregard of employee rights.  The technology and the dangers are well known. 

Here is a fact:  large companies who should know better are daily using standard operating procedure to “remotely kill” employees’ privately owned mobile devices without their informed consent or authorization.  These companies should be held accountable, and a public message delivered that this kind of hubris will not be tolerated by society.  If this crime has occurred in your work life, please contact me or other attorney to discuss legal remedies.  

No comments: