Saman Rajaee was a salesman for Design Tech Homes. He used his personal iPhone to connect to his employer’s Microsoft Exchange Server, which allowed him to access his work-related email, contacts and calendar from his phone. Design Tech did not have a BYOD policy. When Rajaee’s employment terminated, Design Tech remotely wiped his phone, which deleted all of his data, including personal emails, texts, photos, personal contacts, etc.
Rajaee sued under the federal Stored Communications (SCA) and Computer Fraud and Abuse Acts (CFAA) as well as raising various state law claims. Design Tech moved for summary judgment on the federal claims. On the SCA claim, the court held, based on Fifth Circuit precedent, that information an individual stores to his hard drive or cell phone is not in electronic storage within the meaning of the statute.
Design Tech was successful on the CFAA claim as well, but was forced to take a much riskier path than would have been necessary had it simply implemented a BYOD policy. Generally speaking, the CFAA prohibits accessing a protected computer without authority or in excess of authority, but requires a showing that the computer owner sustained at least $5,000 in losses specifically because of either the cost of investigating and responding to an offense or the costs incurred because of a “service interruption.” In Rajaee, the court held that the value of the data wiped from Rajaee’s phone was not the type of loss or cost contemplated as being recoverable under the CFAA. In addition, the court held that the deletion of Rajaee’s data did not constitute a “service interruption.” As a result, his claim under the CFAA failed.
This case underscores how important it is for employers who use a BYOD environment to put a BYOD policy in place. If Design Tech had such a policy, it could have – and indeed, should have – told its employees, including Rajaee, that upon separation of employment (or, for instance, if the device is lost or stolen), any device used to access the employer’s network would be wiped. This would enable the employees to preserve any important personal data on their devices. In addition, using containerization software would permit the employer to segregate business data from personal data on the phone, which also would permit the employer to wipe only the business data upon separation from employment.