Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Banking newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (August 31, 2020, 12:44 PM EDT) --
 |
| Daniel Garrie |
 |
| Yoav Griver |
As just one example, consider the federal Electronic Communications Privacy Act, or ECPA, which permits employers to (1) monitor employees' oral and electronic communications to the extent that they relate to a legitimate business purpose; (2) monitor any communications for which the employee has provided consent; and (3) access emails that are stored by the employer.[1]
All of these exceptions decrease an individual's privacy rights and reasonable expectation of privacy in work-related matters. However, is "exceptions" the correct word? Exceptions to what? Does this reference a specific privacy law or privacy rights in general?
Indeed, businesses operating in the financial services industry, such as investment advisers and broker-dealers, have affirmative legal obligations to monitor, and even report, employee activities. These obligations arise from the fiduciary nature of such businesses and related regulatory expectations.
The U.S. Securities and Exchange Commission, for example, expects registered investment advisers to monitor their employees compliance with stated compliance and ethics policies as part of their enforcement of same, and may be liable if they do not.[2] Therefore, persons, especially control persons, working for stewards of outside capital and/or fiduciaries should be particularly aware of their employer's regulatory obligation to vigorously monitor employee activity.
During times when businesses are operating normally, monitoring and tracking employee activity is fairly straightforward because employees are, for the most part, in a tightly controlled technological environment — i.e., working within the offices, on firm computers, phones and devices, with both the front-end and back-end data communication lines and servers owned and controlled by the employer.
In such an environment, employees properly would expect that both work applications, such as corporate email, and nonwork applications that are in-office would be subject to monitoring. Employees downloading movies and playing solitaire in the office, routinely accessing personal emails from their office computer, or engaging in insider trading, should not be surprised by a visit from compliance.
In the midst of a global pandemic like COVID-19, however, most companies are faced with a large portion, if not all, of their workforce working remotely. Remote working creates new obstacles for companies as they attempt to remain compliant with legal obligations.
This is especially true for investment firms when primary risk takers, such as traders and portfolio managers, are not in the offices, as the nature of their roles necessitates a higher level of oversight. These primary risk takers, by definition, may require a greater degree of latitude in the systems and processes they have access to than, for example, a back-office employee. However, this additional latitude demands increasingly proportional oversight capabilities.
In the 2019 case of Iacovacci v. Brevet Holdings LLC,[3] for example, Brevet, an investment management and advisory services firm, was sued by a former employee for unlawful access to the employee's firm-owned computer and hard drives. Though this incident took place well before the onset of COVID-19, it sets forth the type of challenges that many employers may be faced with during this pandemic.
First, the computer in question had been purchased by Brevet, for the employee. Second, as Brevet intended, the employee used that computer to remotely conduct Brevet-related work. Third, while the hard drives in question were purchased separately by the employee, they were connected to, and contained files that were backed up from, the Brevet-owned computer.
These are all situations employers currently face and can expect to increase. As a remote workforce becomes more common, employers can expect their employees to increasingly use their company-provided devices for personal matters. What's more, these employees may feel their employer is wrongly prying into their personal lives when that employer seeks to monitor all of the data — business and personal — on or connected to company devices.
In the Brevet case, a judge in the U.S. District Court for the Southern District of New York ruled that the employee's allegations can move forward, giving the employee an opportunity to prove those allegations. Without a doubt, this is an alarming decision.
Given that company oversight, monitoring and reporting obligations advanced by the various regulatory bodies do not change based on where, or through which, device employees are completing their work, this decision creates additional challenges for employers who are trying to remain compliant with their legal obligations.
An employer should be entitled to track all activity on the computer used for work matters to ensure that the device is not compromised and that the user is not performing any actions that would be deemed illegal or inappropriate or expose the company to liability — e.g., engaging in insider trading or fraud, harassing another employee, or accessing illegal websites.
Irrespective of the location of the company device at issue, an employee's expectation of privacy when using such a device for work should be minimal, especially when working in an industry as highly regulated as the financial services industry.
Indeed, where such employees are working remotely, increased scrutiny and monitoring should be expected to protect against hackers and noncompliant employees — as supported by a recent SEC guidance note.[4] The fact that some storage devices, like the hard drives in Brevet, are purchased by the employee has to be weighed against the obligations of the employer to monitor both company-owned devices and any storage devices connected to them.
This is spelled out specifically in the SEC Office of Compliance Inspections and Examinations' 2020 Cybersecurity and Resiliency Observations.[5] Given the popularity of USB storage drive scams and cybersecurity incursions, this monitoring responsibility seems both necessary and reasonable.
So, what best practices should companies adopt as they attempt to safely navigate between the Scylla of regulators and the Charybdis of irate (and potentially litigious) employees? The answer is transparency and repetition.
Let's consider mobile phones. Many companies offer employees the option to bring their own device rather than accepting a company-provided phone, meaning that mobile phones provide a prime example of mixed-use — work and personal — devices.
Employers should be notifying their employees that choosing to bring their own device brings that device fully within the company's scope for oversight, and that the company can and will regularly access the device and monitor all the emails, texts, photos and applications on it — irrespective of whether the employee considers something work or personal — to ensure compliance with company policies and regulatory requirements.
This notice should be in writing and signed or acknowledged by each employee using their own device, and the notice should comport with a written and readily accessible company policy. The notice must then be periodically reinforced so the various stakeholders continue to understand the scope of the company's oversight extends to personal devices.
Computers and external hard drives are no different from standard personal devices in this sense, and the company should ensure that the prophylactic measures, already used for personal devices is extended to all devices. The company needs to ensure the overall security of the work environment, and, to do so, it must monitor the activity on all work-related devices, and perhaps even consider implementing additional security measures as necessary.
In the end, the reality of the matter is that the company must cogently explain, early and often, that it has a legal obligation to ensure that employee actions are compliant with the laws and regulations put forth for the business, and doing this requires intrusive monitoring of all devices employees choose to use when working remotely.
Accordingly, employees should be warned against using personal devices, or face the reality that those personal devices will undergo comprehensive monitoring by their employer.
While it is certainly not ideal, a company's obligation to protect its information and ensure a safe working environment likely requires it to access and monitor all company-owned devices, devices such as external hard drives so long as they are attached to the company's computer, and personal devices that become mixed-use devices as a consequence of working remotely.
Ultimately then, the best practice for employees is to keep work and personal devices and communications entirely separate even in COVID-19 times.
Daniel Garrie is the founder of Law & Forensics LLC.
Yoav Griver is a partner at Zeichner Ellman & Krause LLP and general counsel at Law & Forensics.
The authors would like to thank Shradhha Patel, a summer associate with Law and Forensics and a student at Rutgers Law School, for her contributions to this article.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] See "Managing Workplace Monitoring and Surveillance" SHRM.org, https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/workplaceprivacy.aspx (last accessed 8/23/2020); see also, Smith, Kevin J., and Rachel J. Tischler. "Electronic Monitoring in the Workplace." Employment Relations Today 42.1 (2015): 73-79.
[2] "Investment Adviser Use of Social Media," National Examination Risk Alert by the Office of Compliance Inspections and Examinations of the SEC, Volume II, Issue 1, January 4, 2012, and is available online at https://www.sec.gov/about/offices/ocie/riskalert-socialmedia.pdf (last accessed, 8/23/2020); see also, 17 CFR § 275.204A-1, "Investment adviser codes of ethics", and is available online at https://www.law.cornell.edu/cfr/text/17/275.204A-1.
[3] See generally, IACOVACCI v. BREVET HOLDINGS, LLC
, No. 18cv8048 (S.D.N.Y. July 9, 2019).[4] See generally, Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers is available at : https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.
[5] The OCIE Report, released January 27, 2020, is available online at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
For a reprint of this article, please contact reprints@law360.com.
