Information security has become an increasingly important concern for modern businesses. As businesses move their information storage to the “cloud,” rather than keeping it in computers on site, the need for appropriate security controls becomes more pronounced. Companies (and their IT vendors) often devote substantial resources to ensuring that their employee work product and competitively sensitive information remains private. But that is no small task: It can be very difficult to control the spread of electronically stored information, which may be transmitted around the world a dozen times before the security team has finished their morning coffee.
Such concerns are only heightened upon the departure of employees who have had legitimate access to confidential information. A few years ago, a company might have felt that its data was secure if it simply escorted departing employees out of the building and took their company laptops and keycards. But the modern workplace is more complex: Employees work from a variety of locations on company data stored remotely using a wide range of access systems. It is now common for employers to devote significant resources to searching through an employee’s electronic communications, including work emails, texts, and access logs to ensure no company confidential information has been removed or improperly accessed prior to the employee’s departure.
Perhaps the most complex issues arise when employees work from home. Increasingly, employees are able to access company systems from home—using home computers or work-issued laptops—and thereby access their work files. In such instances, employers face yet a further challenge: how do they ensure the employee does not have any competitively sensitive information on their personal devices? While some companies will seek authorization to search an employee’s personal devices as part of a separation agreement, many take the view that company-supplied hardware belongs to the company and can be reviewed without authorization. In a recent case, one financial services company allegedly took that approach a step too far by placing software on a computer it had supplied for an employee’s home and using it to access and inspect his personal files, without his permission, upon his departure from the company.
Unlawful access to electronically stored information can give rise to both state and federal claims for “hacking,” and the employee in this case asserted those claims in both state and federal court. The initiation of separate proceedings in state and federal court can raise concerns about duplicated efforts and the potential for inconsistent results. The doctrine of abstention provides federal courts a framework for exercising their discretion to abstain from adjudicating a matter, leaving it instead to the state court. However, in this case, the U.S. District Court for the Southern District of New York declined to do so. Its opinion in Iacovacci v. Brevet Holdings, 2019 WL 2085989 (S.D.N.Y. May 13, 2019), explains the bounds of that doctrine in this area, where the protections of state and federal law overlap.
This article first appeared in the New York Law Journal on May 20, 2019. Jack Millson, an associate at
the firm, assisted with the preparation of this article.