Lawsuit Raises Questions About Company Access to Data on Employee Devices

A former managing director of Brevet Capital Management, Paul Iacovacci, filed a lawsuit this month alleging that the company violated the Computer Fraud and Abuse Act, the Federal Wiretap Act, the Stored Communications Act, and New York State common laws of conversion and trespass to chattels by accessing data stored on his personal hard drives attached to a computer purchased by Brevet.

The suit alleges that on October 14, 2016—the same night Paul Iacovacci filed a wrongful termination lawsuit—Brevet accessed Mr. Iacovacci’s personal data via remote access software, “LogMeIn.” Brevet allegedly retrieved data related to Mr. Iacovacci’s personal emails, as well as data stored on personal hard drives. Mr. Iacovacci further alleges that Brevet guessed his password—a combination of his children’s names and birthdays—and used this information to hack into his personal hard drives nearly two dozen times in 2016.

Brevet has acknowledged that it accessed Mr. Iacovacci’s computer. However, Brevet contends that accessing Mr. Iacovacci’s computer was legal because, among other things, it suspected Mr. Iacovacci of stealing company trade secrets, it paid for the computer, and its employee handbook reserves the company’s right to read, access, or monitor all electronic data stored on processed on a company computer. Brevet further contends that no hacking occurred because Mr. Iacovacci had previously supplied his “LogMeIn” password to the company for IT support and therefore authorized company access to his device. The case is currently pending in the Southern District of New York.

TIP: A company needs to be mindful of nuanced privacy, employment, and hacking laws, as well as the scope of the company’s policies, before initiating a review of employee devices or data without employee consent.