IT consumerization and personal devices brought into work create some tricky legal issues companies must take into account when they develop a BYOD policy.
There are still a lot of questions that need to be answered — so far, courts and laws have yet to address how employees working with their own devices affects areas such as personal privacy and the company’s liability during a data breach.
Despite the confusion, there is one tool companies can use to prevent the new legal issues created by IT consumerization: a strong BYOD policy that regulates what both the employee and the company can do with a personal device used for work. Employees should sign off on the policy before their device is approved.
These are some of the biggest legal issues to consider when coming up with a BYOD policy and strategy:
1. Data breaches
Businesses are in charge of a lot of data, including sensitive personal information about employees, customers and other people. If that information is lost or stolen and then used to commit identity theft or do other damage, the company could be held liable. Unfortunately, holding that data on personal mobile devices can make it easier to fall into the wrong hands.
Organizations can protect themselves by taking reasonable security measures, such as requiring devices used for work to encrypt data, allow remote wipe, and be password-protected. A BYOD policy featuring those rules will help protect information and allow the company to defend itself against negligence claims if a breach does occur.
2. Employee privacy
As the lines between what’s personal and what’s company property become blurred, BYOD and IT consumerization can also open companies to accusations of violating employees’ privacy. Some key questions still surround BYOD and privacy — for example, is the company allowed to access personal emails and text messages on a personal smartphone used for work? What about web browsing history, installed software and other content?
The organization should try to minimize its access to non-work-related information, but that won’t always be possible. For example, if the phone is used to send both work-related and personal messages, there may not be a way to divide the two during an investigation. Companies should consider what types of monitoring and investigation they may need to perform on employees’ personal devices, and the BYOD policy should warn employees about what might be done.
3. Device control
In addition to questions about what content on a personal device a company can access, there are also legal questions regarding what companies can do to an employee’s personal equipment. When a company-owned smartphone is lost or stolen, it’s simple for IT to remotely wipe the device. But is the company allowed to erase a device owned and paid for by someone else?
Yes, say legal experts, companies can require personal devices to be wiped, locked or otherwise affected as part of a response to a security incident. Again, the key is spelling that out clearly in a BYOD policy and getting employees to sign off on it.
If a company is sued, e-discovery rules require organizations to save all relevant electronic information in case it needs to be turned in as evidence. That’s hard enough when the company only needs to focus on servers, PCs and other equipment it owns — but it could get even more complicated when data is also scattered about on employees’ personal smartphones and tablets.
That’s why businesses should keep track of which employees have devices that carry which data, and have a BYOD policy allowing them to collect those devices when necessary.
5. Exiting employees
Companies often require employees to sign confidentiality agreements to keep them from taking trade secrets, lists of sales leads and other proprietary data to other employers. That can get a lot trickier when people store proprietary information on their own personal smartphones or tablets. Companies may have policies prohibiting that data from being moved to a personal gadget — however, many platforms store local copies of email, so that data may still find its way to a device.
Therefore, the BYOD policy should require applicable employees to let IT inspect their device when they leave the company to ensure that all of that information has been deleted.
6. Damage to devices
In addition to having a device wiped or locked because of a security incident, employees take on other risks when they begin using a personal smartphone or tablet for work. That can include everything from a business-related application causing software problems, to a device being damaged during work-related travel.
Employees likely understand that the more they use a device, the greater the risk of damage, but it may help to spell out in the BYOD policy that the company isn’t responsible for any damage, data corruption, software issue or other problem associated with the work-related use of a personal device.
7. Illegal employee activity
During the course of an investigation or monitoring because of a work-related issue, IT departments may come across personal content. And that content could be evidence of an employee’s illegal activity — for example, child pornography, in an extreme case.
In those instances, a company could potentially be held liabile for witnessing an employees’ legal activity and failing to do anything about it. Therefore, in addition to the BYOD policy for employees, IT staff should be trained to report what they notice on personal devices, as they would with employee activity on company-owned machines.