Problem solve Get help with specific problems with your technologies, process and projects.

How enterprises can avoid violating the Stored Communications Act

The Stored Communications Act can come back to bite companies that fail to wipe personal data from corporate devices. Expert Mike Chapple discusses.

I saw that there was a recent case in Ohio, Lazette v. Kulmatycki, where a company was found in violation of the Stored Communications Act, or SCA, because it didn't adequately tell employees how it monitors communications on BYOD devices. What sort of BYOD monitoring details should we include (or not include) in our policy?

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The case is quite interesting for IT administrators because it actually does not involve a BYOD device. Rather, it covers personal use of a company-owned device.

In this case, Sandi Lazette sued her previous employer, Verizon Wireless, after discovering that her former supervisor used the cached credentials on her company-owned BlackBerry to access her Gmail account after the end of her employment with the firm. Lazette believed that she had removed her personal email account from the device before turning it in, but she had not actually done so. She alleged that her supervisor used the device to access her account over the next 18 months, reading her email and sharing it with others.

In June, the court overruled a motion by Verizon to dismiss the case outright, clearing the way for it to proceed to trial. This does not yet mean that Verizon has been found guilty of violating the Stored Communications Act, but it certainly does serve as a warning to IT administrators in firms that allow the personal use of mobile devices.

It is clear that, any legal claims notwithstanding, having knowledge of someone's username and password does not provide the right to use that information to access an account. Firms worried about the potential for similar litigation by their employees should consider adopting a standard process used to clear account information from mobile devices before reassigning them to other employees. The most straightforward way to achieve this would be to systematically wipe all of devices' contents before transferring their ownership.

This was last published in September 2013

Dig Deeper on Information security laws, investigations and ethics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.