
[EDRM Editor’s Note: The opinions and positions are those of Marris Hoffee and Michael Berman.]
As remote and hybrid work models have become the norm, the line between personal and professional digital life has blurred almost beyond recognition. Employees routinely use company-issued laptops and cell phones for personal activities, while employers increasingly rely on those same devices to investigate misconduct, prosecute or defend litigation, and preserve electronically stored information. At the center of this tension lies a deceptively simple question: who controls the employee’s personal data on the employer-owned devices?
The importance of a clear resolution of the question of what may be private on a cell phone is difficult to overstate. For example:
Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely…. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.
Riley v. California, 573 U.S. 373, 396, 134 S. Ct. 2473, 2490 (2014).
In the context of employer-owned devices, courts have frequently answered that question, not by reference to abstract privacy norms, but by examining the employer’s written information governance (“I.G.”) policies. Where employers allow incidental personal use but fail to clearly reserve ownership or inspection rights over personal data, courts are more likely to recognize an employee’s legally protected privacy interest. In effect, employers often create their own practical problems by the way in which their I.G. policies are drafted.
The recent decision in Yu Yu Lim v. Expel, Inc., 2025 WL 3458981 (S.D. Cal. 2025), illustrates the growing judicial willingness to protect employee privacy by holding employers to their express policies. This case reflects a broader doctrinal trend: company policy has become the primary determinant of employee privacy rights on work-issued devices.
Modern Framework:
Courts often analyze employee privacy claims in workplace devices under a three-part test:
- Is there a legally protected privacy interest?
- Is there an objectively reasonable expectation of privacy?
- Is there a serious intrusion into that privacy where less intrusive means are available?
This issue arises most often in discovery disputes. The “reasonable expectation” prong, in particular, has evolved into a heavily policy-driven inquiry.
Historically, courts presumed little privacy in employer-owned property. That presumption has been softened as work devices have become multifunctional and inseparable from personal life. In response, courts often look for clear, advance notice, expressly written, to determine whether employees knowingly surrendered privacy rights.
In short, an employer’s silence protects privacy rights; clear policies can undermine privacy claims.
Case Study: Yu Yu Lim v. Expel, Inc.
In Lim, the court was confronted with what is now a common scenario: an employer-provided device, used for mixed personal and work purposes, that was later preserved and partially inspected by the employer-owner to defend litigation initiated by the former employee.
Ms. Lim worked at Expel as a Senior Governance, Risk, Compliance, and Privacy Analyst for approximately eighteen months. During her employment, she accessed her personal Gmail account on a company-issued laptop. Unbeknownst to Ms. Lim, over 15 years of her personal emails, including sensitive and privileged communications, medical and financial records, and home security images depicting minors, were stored on the laptop’s hard drive. Ms. Lim incorrectly believed her personal email account was password-protected and segregated from Expel’s systems.
Upon termination in 2023, Expel immediately revoked her access to the laptop and represented that the device would be wiped and re-issued in accordance with company policy. Ms. Lim requested an opportunity to retrieve her personal files, which Expel denied, citing its standard procedures for device reset and reissuance.
Contrary to those representations, however, Expel did not reset or reissue the laptop. Instead, anticipating litigation and potential retaliation claims, Expel retained the device, thereby preserving Ms. Lim’s personal data without her knowledge.
Ms. Lim subsequently brought claims for race discrimination, retaliation, and wrongful termination. After the parties exchanged extensive discovery materials, Expel, without prior notice, sent the laptop to a forensic consultant, Control Risk, in March 2025. The forensic consultant located cached Gmail data and conducted a limited review (dates, times, senders, and recipients), and the information was then transmitted to Expel’s counsel and produced in discovery.
Ms. Lim moved for a protective order to prohibit further review of her personal data. Expel argued that she waived any privacy rights by storing personal information on the company device, and that it was entitled to review the emails in full to search for relevant evidence.
First, the court found that Ms. Lim had a legally protected privacy interest based on Expel’s written policies, which expressly permitted incidental personal use of company devices:
“Company property refers to anything owned by Expel: physical, electronic, intellectual, or otherwise. Employees may use Company property only for business purposes. You may use Company property for incidental personal reasons only if this use doesn’t: interfere with others’ ability to work, place undue burden on Expel, or violate confidentiality… [A]t all times, equipment assigned to you remains the property of Expel, and is subject to reassignment or use by Expel without your prior notice or approval. This includes without limitation computer equipment and data stored thereon, voicemail records, and employee files.”
The court emphasized that the policy allowed personal use, but did not delineate any limitations or the extent to which personal data could be monitored, accessed, or maintained.
The court also noted a “Proprietary Information and Inventions Agreement,” signed by Ms. Lim, which stated that all company-issued devices are “subject to inspection by Company personnel at any time with or without notice.” However, because this provision did not specifically address personal data, the court construed it as applying only to company information, not personal data.
Based on these ambiguities in Expel’s information governance policies, the court held that Ms. Lim had an objectively reasonable expectation of privacy in cached personal email data stored on the employer’s laptop.
Finally, the court determined that Expel’s requested review would constitute a serious intrusion. The court relied heavily on Expel’s failure to follow its own destruction policies, the breadth of personal material at issue, and the availability of less-intrusive means of discovery given the volume of discovery already exchanged.
Although Ms. Lim’s conduct informed the court’s analysis, the outcome turned almost entirely on the terms of Expel’s policies. In other words, the employer drafted language that created the employee’s legally protected privacy expectation and prevented intrusive discovery.
Compare: When Policy Eliminates Privacy
In Scott v. Beth Israel Med. Ctr., Inc., 2007 NY Slip Op 27429, 17 Misc. 3d 934, 847 N.Y.S.2d 436 (Sup. Ct.), the hospital’s policy explicitly prohibited personal use of company devices and expressly authorized monitoring by the employer and its agents.
The Scott court found that these provisions “clearly precluded” any objectively reasonable expectation of privacy and denied the employee’s request for a protective order. Together, Lim and Scott demonstrate a critical point for both employers and litigators: the outcome is written before litigation begins; it is written when the policy is drafted.
Drafting Policies that Withstand Litigation
Allowing incidental personal use of company devices is practical and common; total prohibition is unrealistic in a world of remote work, mobile apps, and blended professional and personal lives.
A more effective device-use policy should explicitly address (and perhaps limit the types of) personal data, reserve the right to inspect and monitor, define the scope and notice requirements (if any) of any inspection, and avoid internal contradictions or vague terms.
For example, a more defensible provision might state:
“Employees may use Company-issued devices for incidental personal uses, which do not include sending, receiving, or storing any confidential, personal business, medical, or legal communications or information storage (collectively referred to as “Incidental Personal Data”). Employees have no privacy rights to any Incidental Personal Data stored on Company-issued or Company-owned devices and this Information Governance Policy creates none. The Company and its agents may inspect, monitor, collect, review, and preserve any and all Incidental Personal Data on Company-issued or Company-owned devices at any time, and without prior or subsequent notice to any Employee, and if litigation related to Company information stored on that device becomes reasonably anticipated, the Company may have a legal duty to preserve, collect, and review such Incidental Personal Data. By use of the Company-issued or owned device, each employee irrevocably consents to the Company’s rights to do so. Consent continues after any termination of employment.”
While this exemplar language is only one example, similar language could reduce ambiguity and align employee expectations with employer practices, needs, rights, and duties.
There is a converse issue that should also be addressed by information governance policies. What happens when an employee uses a “BYOD” or “bring your own device” to perform employer’s work or to store employer’s ESI? Does the employer have possession, custody or control of employer ESI on a BYOD device? For related discussion, see Bad Things Can Happen When Company Officers Use Their Private Email Accounts for Work.
Assisted by GAI and LLM Technologies per EDRM GAI and LLM Policy.

