1

Julian Tippets


1

Introduction & Overview of BYOD
Bring your own device (BYOD) is a pervasive reference to IT policy that permits
or encourages employees to use their personal electronic devices for their employers
purposes. In other words, BYOD is an allusion to an employees ability to access
enterprise data or systems via their phones, tablets, laptops, desktops, and other
telecommunications tools (smart-device).
1

A noted market researcher has proclaimed BYOD as, the single most radical shift
in the economics of client computing for business since PCs invaded the workplace.
2

Their research anticipates that approximately four in ten organizations will depend
exclusively on BYOD by 2016 and that 85% of businesses will have BYOD programs in
place by 2020.
3

Businesses have compelling reasons to pursue BYOD programs. Chiefly, where
employees can use their technology of choice to perform a task, theyre able to utilize it
with greater efficiency, thereby increasing overall productivity.
4
Additionally, businesses
are able to curb capital expenditures on devices, software, training, licensing, and
maintenance because theyre effectively outsourcing it to their employees via BYOD

1
"BYOD: Bring your own device." IBM BYOD.
https://www.ibm.com/mobilefirst/us/en/bring-your-own-device/byod.html (accessed
April 1, 2014).
2
"BYOD skyrockets in popularity for 2013 - Here are the stats to prove it - Virtual
Bridges." Virtual Bridges RSS2. http://vbridges.com/2013/12/20/byod-skyrockets-
popularity-2013-stats-prove/ (accessed April 1, 2014).
3
"BYOD/BYOA: A Growing, Applicable Trend." Inc.com.
http://www.inc.com/comcast/byod-byoa-a-growing-applicable-trend.html (accessed
March 29, 2014).
4
City of Ontario, Cal. v. Quon, 560 U.S. 746, 759, 130 S. Ct. 2619, 2629, 177 L. Ed. 2d
216 (2010)

2
Julian Tippets


2
policies or programs.
5

While BYOD may be a fiscally effective business practice, it merits serious reflection
on its sundry legal and privacy implications. Employers and employees alike should be
versed on the potential risks associated with BYOD; such as those animated by the
following hypothetical situation:
Let's say IT conducts a search on a BYOD iPhone or iPad and stumbles upon signs
that an employee has been working on a project that potentially undermines or
competes with the organization.

If the employee was doing this on his own timethat is, not company timecan the
company fire the employee based solely on this potentially ill-gotten evidence? If the
employee is terminated and the company remote wipes his iPad, deleting personal
data, is the company culpable?
6


Debatable questions like those above highlight the preeminent conflict posed by
existing BYOD practices-- the competing interests of an employees privacy versus the
legitimate business endeavors of their employer.
This note suggests that rule makers and employers recognize employees smart-
devices as a logical outgrowth of the home on a more consistent basis. It recommends
select steps that both employers and employees can take to prevent or resolve BYOD
generated conflictsby judicial or policy-based means.

5
Id.
6
Kaneshige, Tom. "BYOD Gets Messy with AT&T Class Action Lawsuit." CIO.
http://www.cio.com/article/731589/BYOD_Gets_Messy_with_AT_T_Class_Action_Law
suit (accessed March 29, 2014).
3
Julian Tippets


3

Privacy in the Workplace
The Fourth Amendment of the U.S. Constitution functions as a foundation for
individuals privacy rights, liberties, and protections. It sets forth:
The right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no Warrants
shall issue, but upon probable cause, supported by Oath or affirmation, and
particularly describing the place to be searched, and the persons or things to be
seized.
7

While this Amendment serves to safeguard individuals from questionable searches
performed by state actors, it also informs common law relevant to this discussion.
Ones Fourth Amendment-derived privacy rights are conditioned upon a
reasonable expectation of privacy test articulated by the U.S. Supreme Court in Katz v.
U.S.
8
Katz established criteria by which a reasonable expectation of privacy could be
deduced. They did so by scrutinizing ones demonstrable, subjective expectation of
privacy and the reasonableness or objectivity of that expectation, according to societal
norms.
Commentators cite two reasons why a plaintiffs expectation of privacy must be
both objectively reasonable and subjectively reasonable. First, a reasonableness standard
is intended to ensure that only matters warranting judicial intervention reach the courts. It
is meant to preclude redress of intrusions so trivial or minor that reasonableness demands

7
USCA CONST Amend. IV-Search and Seizure
8
Katz v. United States, 389 U.S. 347, 362, 88 S. Ct. 507, 517, 19 L. Ed. 2d 576 (1967)

4
Julian Tippets


4
they be tolerated in civilized society.
9
Secondly, a reasonableness standard draws on
societal norms and conventions from which legal duties fairly can be articulated by the
courts.
10

The Katz test has percolated into common law as lower courts have balanced
individuals privacy expectations in cases concerning non-state actors.
11
This balancing
test is especially crucial in matters concerning workplace surveillance.
Employer surveillance of employees has become relatively commonplace as
monitoring technology has become more accessible. As of 2007, the AMA 2007
Electronic Monitoring & Surveillance Survey found that, 66% of employers monitor
their employees' Internet connections, 65% of companies use software to block
connections to inappropriate Web sites, 43% of companies monitor e-mail, 45% monitor
time spent on the telephone and numbers called, 16% record phone conversations, and
almost half (48%) of the companies surveyed use video monitoring to counter theft,
violence, and sabotage.
1213
Employers may take measures to see what is on the screen
or stored in the employees' computer terminals and hard disks.
14


9
42 Causes of Action 2d 255 (Originally published in 2009) citing: Minden v. Salvation
Army, 2008 WL 276514 (D. Or. 2008) (applying Oregon law)
10
Id. (citing: White v. White, 344 N.J. Super. 211, 781 A.2d 85 (Ch. Div. 2001))
11
Thygeson v. U.S. Bancorp, No. CV-03-467-ST, 2004 WL 2066746 (D. Or. Sept. 15,
2004); McLaren v. Microsoft Corp., No. 05-97-00824-CV, 1999 WL 339015 (Tex. App.
May 28, 1999); K-Mart Corp. Store No. 7411 v. Trotti, 677 S.W.2d 632 (Tex. App.
1984).
12
42 Causes of Action 2d 255 (Originally published in 2009);
13
American Management Association. "2007 Electronic Monitoring & Surveillance
Survey." AMA Press Room. http://press.amanet.org/press-releases/177/2007-electronic-
monitoring-surveillance-survey/ (accessed April 4, 2014).
14
Privacy Rights Clearinghouse. "Fact Sheet 7: Workplace Privacy and Employee
Monitoring." Workplace Privacy and Employee Monitoring.
https://www.privacyrights.org/workplace-privacy-and-employee-monitoring (accessed
April 3, 2014).
5
Julian Tippets


5
Some employees may be subject to keystroke monitoring. Such systems tells the
manager how many keystrokes per hour each employee is performing. It also may inform
employees if they are above or below the standard number of keystrokes expected.
15

Where employment disputes over surveillance arise in the private sector,
complainants utilize common law privacy tort claims to seek redress in instances where
they perceive their privacy to have been compromised. Common law rights to privacy fall
within four categories: 1) intrusion upon seclusion; 2) public disclosure of embarrassing
private facts; 3) publicity which places a person in a false light in public view; 4)
commercial appropriation of a persons name or likeness.
One particularly relevant claim that plaintiffs utilize in legal disputes over
workplace monitoring or surveillance is intrusion upon seclusion. As elaborated by the
Restatement (Second) of Torts, One who intentionally intrudes, physically or otherwise,
upon the solitude or seclusion of another or his private affairs or concerns, is subject to
liability to the other for invasion of his privacy, if the intrusion would be highly offensive
to a reasonable person.
16
In simple, the elements necessary to prove invasion of privacy
via intrusion upon seclusion are: 1) an intentional intrusion; 2) upon the seclusion,
solitude or private affairs of another; 3) which would be highly offensive to a reasonable
person.
The plaintiffs burden of proof is considerable, especially since courts have
frequently found that employees have no reasonable expectation of privacy in their

15
Id.
16
Restatement (Second) of Torts 652B (1977)

6
Julian Tippets


6
workplace computers when the employer notifies them of such.
17
Plaintiffs need to show,
intrusion into spheres from which an ordinary man in a plaintiff's position could
reasonably expect that the particular defendant should be excluded.
18
There is not a
requirement that the information gained from the intrusion be publicized, because the
crux of the claim is the intrusion into the private domain of another.
19
The key to
prevailing in an action for invasion of privacy is establishing that the matter intruded
upon by the plaintiff's employer was one hidden from public view and with regard to
which the employer had no business interest in uncovering.
20

When courts consider claims stemming from the workplace, they have generally
found for the plaintiffs only if the challenged intrusions involved information or activities
of a highly intimate nature.
21
However, where the intrusions have merely involved
unwanted access to data or activities related to the workplace, claims of intrusion have
failed.
BYOD is complex precisely because it blurs the line between public and private
domains, and poses overarching questions about societys expectation of privacy in
matters concerning personally owned smart-devices.

BYOD Disputes
BYOD disputes often arise from instances where an employer searches an

17
U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000)
18
Dietemann v. Time, Inc., 449 F.2d 245, 249 (9th Cir. 1971)
19
14C Mass. Prac., Summary Of Basic Law 17.31 (4th ed.)
20
42 Causes of Action 2d 255 (Originally published in 2009)
21
Med. Lab. Mgmt. Consultants v. Am. Broad. Companies, Inc., 30 F. Supp. 2d 1182,
1188 (D. Ariz. 1998) aff'd, 306 F.3d 806 (9th Cir. 2002)

7
Julian Tippets


7
employees personal device. Employers justifications for conducting these types of
searches vary. Generally, employers have a duty to protect the workplace and associative
systems that their business relies upon. Some searches are conducted to address
workplace harassment or other personnel matters. Employer searches of personal devices
may serve as means to those ends. However, BYOD policies articulated by an employer
and consented to by an employee determine the scope and permissibility of a search.
Organizations can effectively reduce their employees expectation of privacy
through several methods. For instance, employers need only notify their employees thru
memos or posted signage that they are being monitored to effectuate a reduction in their
privacy expectations. Employers also rely upon employment contracts or agreements to
spell out reduced privacy expectations. That being said, the level of detail and
specificity of such notices must increase when the intrusiveness of the surveillance
program increases.
22

Sitton v. Print Direction, Inc.
The Court of Appeals of Georgia gave considerable deference to an employers
BYOD policy in Sitton v. Print Direction, Inc. (PDI). In Sitton, PDI provided Sitton
with a laptop computer for use in connection with his work for PDI. However, Sitton
chose to use his own computer, which he brought to his office at PDI, connected to PDI's
system network, and used for PDI work.
23
When Sittons supervisor caught wind that
Sitton was competing with PDI, he entered Sitton's office, moved the computer's mouse,

22
Lothar Determann & Robert Sprague, Intrusive Monitoring: Employee Privacy
Expectations Are Reasonable in Europe, Destroyed in the United States, 26 Berkeley
Tech. L.J. 979, 992 (2011)
23
Sitton v. Print Direction, Inc., 312 Ga. App. 365, 367, 718 S.E.2d 532, 535 (2011)

8
Julian Tippets


8
clicked on the e-mail listing which appeared on the screen, and printed certain e-mails
from Sitton
24
Sittons employment was terminated as a consequence of PDIs search
and subsequent findings.
The Court commented explicitly on the legal efficacy of PDIs BYOD policy,
stating that, PDI's computer usage policy was not limited to PDI-owned equipment.
The policy adverted to the necessity for the company to be able to respond to proper
requests resulting from legal proceedings that call for electronically-stored evidence and
provided that for this reason, its employees should not regard electronic mail left on or
transmitted over these systems as private or confidential.
25

In summary, the Court conceded to the appropriateness of PDIs search, despite
the fact that Sitton owned the laptop that they searched. Strengthening PDIs case was the
fact that they searched the laptop within the workplace and for work-related purposes.
This case displays the liberties an employer can take in conducting searches of personal
devices and highlights privacy expectations in the workplace.

Stengart v. Loving Care Agency
While not a BYOD case per se, Stengart v. Loving Care Agency, Inc., is notable
because it contrasts Sitton in that the Court limited the scope of an employers search
despite the strength of their BYOD policy.
In Stengart, Marina Stengart used her company-issued laptop to correspond with
her attorney. She used her personal, password-protected e-mail account while
corresponding. A company manual governed the laptop's use. The manual permitted

24
Id.
25
Id. at 365
9
Julian Tippets


9
personal use of e-mail, to be kept to a minimum, but warned that computer resources
were the property of the Company and that e-mails were not confidential and could
be read during routine checks.
26
In preparation for litigation, Loving Care Agency, Inc.
(Loving Care) hired a forensic expert to recover files from her laptop, including her
personal e-mails. The expert was able to unearth and view her e-mails.
When Stengarts attorney learned that opposing counsel had access to his
conversations with Marina, he argued to the trial court that their correspondence was
subject to attorney-client privilege. The lower court ruled that Stengart waived this
privilege when she used employer-issued equipment to communicate with counsel. New
Jerseys Supreme Court ultimately denied the companys application to allow disclosure
of these emails. They cited National Economic Research Associates v. Evans, reasoning
that:
Based on the warnings furnished in the Manual, Evans [(the employee)]
could not reasonably expect to communicate in confidence with his private
attorney if Evans e-mailed his attorney using his NERA [ (company) ] e-mail
address through the NERA Intranet, because the Manual plainly warned Evans
that e-mails on the network could be read by NERA network administrators. The
Manual, however, did not expressly declare that it would monitor the content of
Internet communications.... Most importantly, the Manual did not expressly
declare, or even implicitly suggest, that NERA would monitor the content of
e-mail communications made from an employee's personal e-mail account via
the Internet whenever those communications were viewed on a NERA-issued

26
Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 318, 990 A.2d 650, 661 (2010)
10
Julian Tippets


10
computer. Nor did NERA warn its employees that the content of such Internet e-
mail communications is stored on the hard disk of a NERA-issued computer and
therefore capable of being read by NERA.
27
[emphasis added]

The Court ultimately found that Stengarts expectation of privacy in e-mails with
her attorney was reasonable. However, the court did not address whether the employee
would have had a reasonable expectation of privacy with respect to personal email
communications with a non-lawyer.
28
This exception made by the court naturally begs
questions about what other forms of digital information are entitled to equivalent
expectations of privacy.

Your Smart Device: a Secluded Place?
In applying intrusion upon seclusion claims in instances where the home or
another personal sphere is involved, the plaintiff's expectation of privacy has, in
most instances, been deemed to be objectively reasonable.
29
I would argue that
employee-owned smart-devices fall squarely within a personal sphere category, akin to
the home.

27
Id. at 300. (citing Nat'l Econ. Research Associates, Inc. v. Evans, CIV.A. 04-2618-
BLS2, 2006 WL 2440008 (Mass. Super. Aug. 3, 2006))
28
Privacy Rights Clearinghouse. "Fact Sheet 7: Workplace Privacy and Employee
Monitoring." Workplace Privacy and Employee Monitoring.
https://www.privacyrights.org/workplace-privacy-and-employee-monitoring (accessed
April 3, 2014).
29
Med. Lab. Mgmt. Consultants v. Am. Broad. Companies, Inc., 30 F. Supp. 2d 1182,
1188 (D. Ariz. 1998) aff'd, 306 F.3d 806 (9th Cir. 2002) (citing Dietemann v. Time, Inc.,
449 F.2d 245, 249 (9th Cir.1971))
11
Julian Tippets


11
Is it attenuated to regard smart-devices as a quasi-extension of ones homethe
legal holy grail of secluded places? Perhaps it is; but consider for a moment, Margaret
Radins perspective on privacy as it relates to the home:
There is more to the rationale based on sanctity of the home; it contains a strand
of property for personhood. It is not just that liberty needs some sanctuary and the
home is a logical one to choose because of social consensus. There is also the
feeling that it would be an insult for the state to invade one's home because it is
the scene of one's history and future, one's life and growth. In other words, one
embodies or constitutes oneself there. The home is affirmatively part of oneself--
property for personhood--and not just the agreed-on locale for protection from
outside interference.
30

In behaving as a journal, filing cabinet, photo album, and personal planner, among other
things, it is not preposterous to entertain the notion that a smart-device functions
somewhat similarly to a home, as a de facto, scene of ones history and future, ones life
and growth. In a lighthearted sense, smart-devices are mobile homes.
In extrapolating upon personal spheres within the law, the U.S. Supreme Court
designated items traditionally found in the home, such as photographs, letters and diaries
as being highly personal.
31
Does a smart-device not often contain highly personal
items? Indeed, they contain private conversations between family members and spouses,
sensitive banking or medical information, a lifetime of journal entries, and intimate

30
Margaret Jane Radin, Property and Personhood, 34 Stan. L. Rev. 957, 992 (1982)
31
Doe ex rel Doe v. Little Rock Sch. Dist., 380 F.3d 349, 353 (8th Cir. 2004) (citing New
Jersey v. T.L.O., 469 U.S. 325, 339 (1985)).
12
Julian Tippets


12
pictures of cherished momentssuch as ones child happily playing in the bathtub.
Clearly, these are personal spheres.
32

The property right to exclude complements the above discussion of personal
privacy and emphasizes the larger role of secluded space(s) within society. Despite
discussing governmental intrusions, Justice Brandeis dissent in Olmstead v. U.S. spoke
profoundly to the American value placed on ones ability to be left alone when he said:
The makers of our Constitution undertook to secure conditions
favorable to the pursuit of happiness. They sought to protect Americans in
their beliefs, their thoughts, their emotions and their sensations. They conferred,
as against the government, the right to be let alonethe most comprehensive of
rights and the right most valued by civilized man.
33


Updating Expectations to Privacy in BYOD Cases
Objective and subjective expectations of privacy and related social norms change
with time. Society stands at a crossroads in informing where expectations to privacy fall
in the context of employer searches of employees smart-devices. On one hand,
lawmakers and fact finders could regard smart-devices as semi-public in nature, with
minimal privacy expectations. Conversely, smart-devices could be granted personal
sphere-esque privacy expectations. Unfortunately, the U.S. Supreme Court has taken,

32
The volume of personal items contained on smart-devices is also worth mentioning. A
smart-phone has the capacity to aggregate and harbor a lifetimes worth of information.
33
Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572, 72 L.Ed. 944 (1928)
13
Julian Tippets


13
great effort to avoid setting precedent relating to the reasonability of searches, indicating
that technological changes and social norms are evolving too rapidly to keep pace.
34

If courts more readily acknowledge a heightened expectation to privacy relative to
personally owned smart-devices, and view them as existing within highly personal
spheres as postulated above, the question of whether such a device is secluded (as applied
to intrusion upon seclusion claims) would be virtually settled. It follows that an
intentional intrusion into that secluded, virtual space would likely be offensive to the
reasonable person.
As a matter of public policy, this heightened expectation to privacy would further
deter employers from searching employee-owned devices beyond the scope of their
BYOD policies. The threat of an employee prevailing on this hypothetically expanded
intrusion upon seclusion claim might encourage employers to more clearly articulate their
BYOD policies and create innovative ways to avoid mingling employees private and
professional lives.
To be clear, I am not advocating a prohibition on employers BYOD-related
searches. I am placing emphasis on the apparent need to clarify legal boundaries in the
digital frontier being developed by multi-functional smart-devices.

Shielding Liability

34
Demeglio, Monica. "Moritz College of Law | All Rise - Our Alumni Magazine | Courts
redefining expectation of privacy in workplace." Moritz College of Law | All Rise - Our
Alumni Magazine | Courts redefining expectation of privacy in workplace.
http://moritzlaw.osu.edu/news/allrise/2013/02/courts-redefining-expectation-of-privacy-
in-workplace/ (accessed April 2, 2014).
14
Julian Tippets


14
Employers can shield themselves from intrusion upon seclusion claims and other
privacy intrusion pitfalls. As illustrated by Sitton, courts grant great deference to
employers BYOD policies when evaluating the reasonableness of privacy expectations
at issue. Articulating detailed and understandable BYOD policy is the first of many
mitigating steps and arguably the most important. One legal commentator suggests that:
employees must be made aware of all passive or background security
measures in effect on their devices. If your client is going to track user activity on
its employees devices, they must be told exactly what is being tracked and how
that information is being used and stored by your client. If the client is tracking
the location of the device via MDM software or other means, the BYOD policy
must also describe how location data is used and who has access to it and why.
The best and most transparent way to increase monitoring of activity on privately-
owned devices is to provide notice and ask for permission.
35


Obtaining an employees consent to have their device monitored is equally as
vital as articulating policy. Where employees provide consent to employer generated
BYOD policies, they may waive certain expectations to privacy or surrender them
entirely. Subsequently, when a court balances the reasonableness of a privacy
expectation, theyll rely upon employees forfeiture of privacy expectations via consent
or contract.

35
Pavn, Pedro . "Risky Business: Bring-Your-Own-Device and Your Company."
Risky Business: "Bring-Your-Own-Device" and Your Company.
http://www.americanbar.org/publications/blt/2013/09/01_pavon.html (accessed April 2,
2014).

15
Julian Tippets


15
Conclusion
The coming decades workplaces will be furnished by employee owned and
managed smart-devices. By allowing employees to utilize their personally owned e-tools,
employers benefit immensely. In so doing, they also expose themselves to risks that
necessitate intrusive workplace surveillance.
Employees traditionally experience a reduced expectation to privacy in the
workplace by waiving their privacy rights or protections. However, where employees
offer their personal smart-devices for use in a work setting, the boundaries between
private and professional spheres find themselves in conflict with each other. This conflict
arises because smart-devices often contain highly intimate content that may be subject to
personal sphere level privacy accommodations. If societal expectations to privacy are
elevated in this manner, employee tort claims of seclusion upon intrusion may become
increasingly viable.
Employers should articulate their BYOD policies to such an extent that
employees clearly understand how their smart-devices fit into a reasonable expectation to
privacy framework. However, employers should also maintain and enforce BYOD
policies that safeguard all personal, private, or otherwise intimate content of ones smart-
device.