Organizations may issue smartphones, tablets and other devices to employees for job-related use. While the device is owned by the issuing organization, who “owns” the passcode that the employee uses to access that device? A recent federal case out of Pennsylvania raises an interesting perspective on password protocol.
In Securities Exchange Commission (SEC) vs. Huang, the SEC is pursuing alleged trading violations against former employees of Capital One. In connection with the case, the SEC obtained the employees’ bank-issued smartphones from Capital One. The bank did not have the passcodes because it requests that its employees not keep records of or share their passcodes for security reasons.
The SEC filed a motion to compel the employees to divulge their passcodes. The court denied the motion, finding that the passcodes were “personal in nature” to the employees. The employees were allowed to invoke the Fifth Amendment to avoid producing the passcodes to the SEC.
While this is a quasi-criminal case that may have been decided differently if it were strictly civil, it raises concerns over the control of passcodes, even for company-issued devices. While an organization may have business reasons to not keep track of employee passcodes, this should be balanced against the implications of potentially not gaining access to information stored on the device.