- Privacy Risk Report - https://privacyriskreport.com -

Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?

Technology in the workplace has developed to a point where we now have our personal data and our employer’s data commingled on the same devices.  We may now see employees using work phones to store personal numbers and family pictures while they store work information on our equipment at home.  This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, are the best way to avoid conflicts when an employee departs.

One case in particular demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment.  On April 12, 2017, the California Court of Appeals in Mendez v. Piper, (unpublished) 2017 WL 1350770, Monterey County Super. Ct. No. M113943 (2017), found an employer failed to prove that an employee violated California law when the employee copied his own personal data from a hard drive owned by the employer after the employee quit his job. This case was originally filed by the employee, John Mendez (“Mendez”) when his former employer, Piper Environmental Group (“PEG”) and Mendez’s former wife, Jane Piper (“Piper”) (also the CEO of Piper), told Mendez’s prospective employers that he was barred from divulging trade secrets and could not take employment without violating his marital settlement agreement with Piper.

Mendez sought a judicial declaration and an injunction against PEG while PEG filed a cross-complaint based on allegations that Mendez breached a fiduciary duty and that he violated a confidentiality agreement with PEG. Both the trial court and appellate court dedicated a substantial portion of its analysis to the question of whether Mendez’s alleged copying, using and altering of confidential information stored on PEG computer equipment violated the Uniform Trade Secrets Act, Penal Code section 502. [1]

Section 502 provides in relevant part:

CHAPTER 5. Larceny [484 – 502.9]

( Chapter 5 enacted 1872. )

(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

Mendez testified that during his employment he would have been considered PEG’s “computer system administrator.” PEG allowed employees, including Mendez, to store personal and business data on PEG’s computer system. As part of his duties, Mendez testified that he set up an external drive at his residence and backed up PEG data to a company laptop which he brought home and copied the data to the external drive at his residence. Mendez further testified that his backups included all files, including Mendez’s personal and business data.

At some point, PEG hired a chief financial officer and it quickly became clear that Mendez’s service was no longer needed at PEG. The chief financial officer testified at trial that he believed it was his responsibility to find out as much as possible about PEG’s computer system in order to prepare for Mendez’s departure from PEG. After applying “pressure” on Mendez, Mendez ultimately quit his position at PEG.

While at a hearing concerning Mendez’s unemployment benefits, PEG’s attorney asked Mendez to return the laptop that Mendez used in the backup process. Shortly after his discussion, Mendez purchased a new computer and transferred the files from the laptop to his new computer. Mendez “wiped” his personal information from the hard drive of the laptop and left only the operating system because he originally planned on donating the laptop. However, after PEG was able to prove that it paid for the laptop, Mendez returned the laptop to PEG after it Mendez had removed his information.

The trial court found that PEG failed to carry its burden to prove Mendez had violated section 502 by accessing, copying, using or altering PEG’s data without permission. The California Court of Appeals affirmed the trial court’s findings on the following basis:

o   PEG failed to show Mendez copied data belonging to PEG

The trial court found PEG failed to meet its burden when it provided no evidence that Mendez knowingly copied files belonging to PEG. Rather, Mendez testified that the only data he copied was data he owned. Further, the court rejected testimony proffered by PEG’s forensic computer expert to the extent this expert was “an expert in identifying which files were present on a computer and when files had been accessed, copied, or deleted, but he was not an expert on which files contained PEG’s data.” The Court of Appeals found evidence to support the trial court’s finding that “Mendez accessed the hard drive in order to retrieve his personal information (which was properly on the computer).”

o   PEG failed to show Mendez acted without permission in retrieving his data.

The court also rejected PEG’s assertion that Mendez needed its permission to retrieve personal data of the laptop after his employment was terminated. In support of its findings, the court held that “[f]or the purposes of storing documents and photos, a computer is akin to a filing cabinet or desk.” In support of its decision, the court further noted:

We believe that when an employer expressly or implicitly authorizes an employee to personalize his or her workspace with personal property, the employee has implicit authority to remove such personal property upon separation from employment (within any parameters reasonably needed to protect coworkers and the employer’s property). The employer does not acquire ownership of the employee’s personal property by some kind of adverse possession. We see no reason why the same principle should not apply to an employee’s personal information when it is stored on a work computer system. As the trial court implicitly concluded, Mendez had permission to retrieve his personal data from the external drive. In any event, it was PEG’s burden to prove Mendez acted without permission, not his burden to prove he had permission.

Based on this reasoning, the Court of Appeals affirmed the trial court’s decision that PEG failed to meet its burden of proof and that the data stored by the employee belonged to the employee.

This is not the first time we have seen disputes arise over data when an employee is terminated. For example, we have seen disputes involving account passwords [2]where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer.  These situations are avoidable if employees and employers take the time before the stress of employee’s departure to determine how personal and business data and equipment should be treated.  Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. Even though the Mendez court found a computer is similar to a filing cabinet or a desk, the proper use of an employer’s computer should receive more discussion than the use of a filing cabinet.

The Illinois Personal Information Protection Act requires “Data Collectors” to take “reasonable measures” to protect data.  Contact Todd M. Rowe [3] at Tressler LLP to discuss how employee meetings can be used to further ensure you are protecting data.