Three Privacy Myths in the Workplace

As a privacy attorney and General Counsel of security companies, I have had the privilege of listening to the humorous ways in which colleagues convince themselves they have more privacy in the workplace than they actually do.

I’m not saying I’m impervious to myths. I believed poinsettia leaves were poisonous to pets, that if you shave your head your hair will grow back thicker (thought about it but didn’t try), and reading in dim light hurts your eyesight. You and I now know better about these and after reading this article, you will see through the following three privacy myths in the workplace.

#1 As long as I use Gmail or the like at work, my company can’t read my personal email

I love this one. You are likely to be accessing Gmail on your company-issued laptop or smartphone over the company-supplied Internet. The thinking goes that the data is stored in the cloud and not on company servers, so everything is cool. You’re reaching out to your private data outside of the company, so the company has nothing to say about it.

Let’s look at your typical company information security policy that the company had you sign when you came on board. It says you have no expectation of privacy and all communication systems including all computer hardware, software, voice mail, the network, all stored data and all real-time data are the property of the company. Your typical policy will also say that you don’t have a privacy right in the contents of your computer system, including without limitation messages sent, received or stored on the e-mail or voice mail systems or in their use of the Internet.

This is pretty broad stuff—and the courts are buying it. That Gmail message you sent had to get out of the company through company machines if you’re on the company network. If you used a company laptop or smartphone, you’re tagged a second time for using company hardware and software.

You only have an expectation of privacy for communications at work when you are in compliance with company policies and not in breach of any other company obligation. That means communicating 1) on a device you own, 2) over a personal network, 3) in compliance with policies and obligations.

So, 1) use a laptop or smartphone that you own rather than one supplied by the company. 2) Buy your own air card for that laptop or only use a smartphone data plan that you and not the company have paid for. 3) Don’t send any company-owned or confidential information and don’t engage in any conflict of interest, or restricted or competitive activities in violation of your employment agreement.

#2 When leaving your job, you should erase your hard drive before returning your company laptop

This one pains me because people really believe it with a righteous indignation that crumbles when presented with the facts and a civil complaint for breach of contract. The company owns what you do at work on work-related subjects. It owns all those emails you sent to do your work as well as all those spreadsheets and PowerPoint presentations. This is the stuff they pay you for. It comes from your employment agreement, which says that all work you do is a “work for hire” that you assign to the company.

When you leave, someone is going to have to pick up where you left off. Erasing your hard drive makes that much harder. It’s like building someone a house and burning it down after they pay you, just without the arson charge.

I’ve had three former employees do this to companies where I worked. Two of them got sued. Companies suspect the worst when someone turns in a wiped hard drive. As it turns out, the courts do as well. So if you go work for a competitor, or simply portray even the appearance of impropriety, the employment attorney chasing you to your new gig will be limited only by her imagination as she describes all the lurid and treacherous content contained on that laptop before you gave the disk a triple swipe.

What you should do instead is turn your computer in unharmed with all content intact. “What about my pictures and personal email?” you ask.  I ask back, what’s it doing on there? We live in the land of the cloud and cheap USB hard drives. Use them and keep your work computer pristine. If someone came in and lifted your company laptop off your desk at any moment, you should be ready to bid it farewell without fear of losing personal data.

#3 It’s OK to keep a copy of my files when I leave my job

I bet you’re starting to see a pattern. Folks feel they have a privacy right in their company info. We’ve already gone over the reasons the company owns the information you created on the job. But when it comes to returning company property, whether it is a laptop, access card or data, we look at your employment agreement, separation agreement or company policies. One of the three is sure to have something that says that if you leave the company for any reason, you will deliver to the company all files, letters, notes, memoranda, reports, records, data, sketches, drawings, notebooks, layouts, charts, quotations and proposals, specification sheets, program listings, blueprints, models and prototypes, as well as written, photographic or other tangible material containing confidential information and will not take or keep any of the foregoing, or any copies.

I had a new VP of sales come up to me beaming as he showed me the two-inch-thick customer list he brought over from his previous employer. I thumbed through it and dumped it in the locked shredder box next to me. When his howls subsided, I explained he’d violated his employer’s rights, and nearly infected his new company with information it could have been sued for using. Folks that walk out with company information are putting themselves, as well as their new employers, at risk.

A myth is a story with or without a determinable basis of fact or a natural explanation.  I hope these three privacy workplace myths are now put in their place, and that you don’t freak out if you see the cat eating your poinsettia.

Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed to membership on President Clinton’s Export Council Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.