Surprising legal facts about BYOD - seizures, searches, and more
If your company is involved in litigation, then your personal smartphone used for work-even merely for receiving corporate email-can be seized and searched for evidence during the discovery phase, according to an NBC News report. This is just one of many unforeseen consequences of "Bring Your Own Device," or BYOD, a technology trend sweeping corporate America today.
Even worse, most companies have the right to search your BYOD smartphone anyway. That's because you likely signed your privacy rights away in a multipage user policy chock full of legalese. Did you read the fine print? Probably not.
"I can't tell you the number of times we get an issue where a company needs to reach in and wipe a device or look at a device, and the employee is shocked to learn that this is permitted under the company policies," says Matt Karlyn, partner in the technology transactions practice group at Boston law firm Cooley LLP.
Karlyn believes BYOD boils down to a well-drafted and comprehensive policy that spells out the rights for both companies and employees. Such a policy covers a company's right to monitor, access, review and disclose company or other data on a mobile device, and the employee's expectations of privacy with respect to that device.
CIO.com sat down with Karlyn to discuss the keys to a good BYOD policy-- one that can provide companies and employees with some measure of security as BYOD barrels ahead.
Can a personal smartphone be seized and searched if a company is involved in litigation?
Personal devices may be subject to search and review in the event of litigation that involves an employer or other similar legitimate reason, which can include any business information on the phone. It's just like any other evidence or document or computer that could be confiscated and looked at for evidence. That's litigation procedure.
Yet I can even tell by your question that most people find this surprising. Where's the policy that makes it clear that the company has these rights with respect to these devices?
Today's mobile device management software allows for searching and wiping only business data. Could a search include personal data, too?
I was reading recently about a company that put into practice where they would only access business content on a personal device that's used for business purposes. They defined business content as email and business-related documents. They specifically excluded photographs, the assumption being that photographs would be only personal in nature.
They came to find out that there were a lot of photographs of white boards. People had taken pictures of white boards that contained all kinds of business information. It dawned on the [company] in the article that you can't make assumptions about what's business and what's personal.
It's fascinating, because people are using all of these components on smart devices for both business and personal purposes, such as photography and who knows what else. Suddenly, you can't wipe only the obvious business-related things like email.
The lines have become more blurred, as these devices become more sophisticated. This has given rise to the need for companies that implement BYOD programs to have a lot of flexibility, in order to ensure that they can access information that belongs to the company.
Do BYOD policies give companies this flexibility?
From a corporate perspective, if you're going to implement a BYOD program, it's simply imperative that you have a well-drafted and precise policy to govern both the company's rights and employee's rights. The message to employees is, read every policy carefully and make sure you understand it.
Before BYOD, you were issued a bunch of devices owned by the business. The company would have an IT policy that says you have no expectation of privacy with respect to these devices. Not only are you not supposed to use them for personal use, it's prohibited. You can suffer consequences, including termination. I used to do IT polices where even the phone wasn't for personal use.
Fast forward several years, and we're flipping the whole thing on its head. Now you can go buy your own device and use it for whatever you want-it's your family iPad-and for work. Companies are getting themselves into a little bit of hot water when putting these programs in place.
It becomes a challenge in cases such as litigation or when a device is lost or stolen and needs to be wiped. If a policy doesn't spell out the process and procedures when these events happen, and we know they're going to happen frequently, then it's a huge disservice both to the company and employee.
People complain that BYOD policies heavily favor the company and give employee rights short shrift. What do you think?
This week, a National Transportation Safety Board judge dismissed a $10,000 fine that the U.S. Federal Aviation Administration had lodged against a photographer who had used a drone to take aerial photos for the University of Virginia. The judge found that the FAA hadn't actually issued any enforceable rules regarding the use of commercial drones.
If you've got a Windows XP machine -- either at home or in the office -- consider yourself lucky. In the past, you'd upgrade to a more recent Windows operating system without a thought. Today, you have many options.
It's designed for the 3.5 billion people who have feature phones today. It solves technical problems Google is not interested in and is a better fit for the pre-paid phones popular in developing countries. The only trick is getting developers on board.
The cloud has overcome a lot of its technical challenges, especially when it comes to security. But the biggest problems in cloud computing now are cultural.