The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.

The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.

Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed of help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense.) But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.

Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.

If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.

Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.

Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.

Proof of actual damages is not necessary to recover the minimum $1,000 in statutory damages under the Stored Communications Act

Shefts v. Petrakis, 2013 WL 1087695 (C.D. Ill. Mar. 14, 2013)

A person who brings a successful Stored Communications Act (SCA) claim can recover at least $1,000 without having to prove actual damages.  In Shefts v. Petrakis, the plaintiff (Shefts) sued his former employer for violating the SCA by illegally accessing his various messaging accounts, including a Yahoo! email account.  (See my post on an earlier decision in this case regarding after-the-fact authorization of access to emails.)  Shefts did not seek actual damages, but instead, statutory damages under the SCA.  The SCA states that “[t]he court may assess as damages . . . the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.”  18 U.S.C. § 2707(c).  The defendants argued that Shefts could not recover statutory damages without proving actual damages.  Shefts countered that he may recover statutory damages as an alternative to actual damages.

The trial court agreed with Shefts.  Finding no Supreme Court precedent on point, the court looked at the plain language of the damages statute, legislative history, and other district court decisions.  The court found that the plain language of the statute entitled a successful plaintiff to obtain minimum recovery of $1,000 in statutory damages.  The legislative history also evidenced the intent of Congress to allow recovery of at least $1,000.  Also persuasive to the court were other district court decisions finding that the SCA does not require actual damages as a condition to recovery.  The court’s ruling meant that, assuming Shefts could establish liability under the SCA, his failure to seek actual damages would not preclude him from recovering statutory damages.