(First in an occasional series about technology and the law.)
For a long time, it seemed that, like death and taxes, BYOD was inescapable. The issue wasn’t that employees wanted to use their personal smartphones on your network; it was that they were going to do so whether you liked it or not.
But there are consequences to the convenience and lack of up-front costs associated with BYOD, due largely to the fact that security gets substantially more complicated – both for private employee data and for sensitive corporate information.
Consequently, companies are getting a lot more cautious about BYOD – one recent study found a spike in businesses imposing outright bans on personal device use, as the risk of data breaches and lawsuits becomes more evident.
Alfred Yen, associate dean of faculty at Boston College Law School, said that the major worry is security.
“Foreign devices could easily be used (wittingly or unwittingly) to bring in viruses or malware that causes a network security breach, allowing company information to be stolen,” he told Network World.
But those security concerns work both ways, Yen added.
“As a BYOD user (and I think most people are in one way or another), I worry about employer intrusion on my machines,” he said. “The employer can monitor what is on my device, potentially compromising my privacy, or maybe ask for access to it in circumstances I'm not comfortable with.”
Clear, digestible policies are a business’ first line of defense against legal trouble stemming from employee-owned devices, the professor argued.
“I can easily imagine lawsuits breaking out if employers don't properly put into place policies about network usage for the workplace, including employee-owned devices,” Yen said. “And of course, if proprietary information is taken or exposed, suits could develop there as well.”
Dalia Topelson Ritvo, assistant director of the cyberlaw clinic at Harvard’s Berkman Center for Internet and Society, concurred, saying that it’s important to make sure both parties in the relationship are on the same page.
“My best advice for a company is to have clear policies regarding when it is appropriate for an employee to use their own devices, and create technological protocols to ensure the company retains control over the information,” she said.
For employees, Topelson Ritvo noted, the key concern is to keep work and personal data as separate as possible.
“I recommend, even if you are planning to use your own device for work, to maintain completely separate email accounts, and to take advantage of any remote, cloud-based access to company systems,” she said.
Using cloud systems obviates the need to download company documents onto a personal device, limiting the degree of access an employer might need for security. That’s important, Topelson Ritvo said, given the difficulties that BYOD poses for compliance with document retention and management laws.
“Once information ends up on devices not controlled by me or my company, it is harder for me to audit and ensure that my employees are following the necessary protocols,” she stated, reiterating that clear security and management policies are key to minimizing these potential headaches.
Broadly speaking, outside of industry-specific regulations like HIPAA for the healthcare sector and various laws governing banks and financial institutions, the U.S. doesn’t have any real nationwide standards for data protection in general, let alone specific regulatory standards for employee-owned devices. Some agencies, including the Federal Trade Commission, tackle privacy issues, but most of the FTC’s recent actions have targeted the consumer sector rather than enterprise mobile device users.
That lack of a unified federal standard means businesses are instead subject to a patchwork of state laws that can vary widely. That can make life difficult for companies that operate in several states, and it requires a detailed look at the specific laws involved. And one has only to examine the fallout from the recent hack of the federal Office of Personnel Management to recognize that the threat to employee privacy is very real.
Fortunately, there are resources out there for concerned businesses – the National Conference of State Legislatures publishes a state-by-state breakdown of data breach notification laws, for example. That could be a good place to start, in terms of examining liability in a worst-case scenario. And, as mentioned above, heavily regulated industries like healthcare, insurance, and finance have far more specific guidelines to follow.
According to Chris Gallagher, national director of e-discovery vendor eQ, the rules governing those specialized industries can sometimes come into play in unexpected areas.
“Companies are at risk of legal action if they act on information obtained through snooping practices, ranging from privacy laws such as the Computer Fraud and Abuse Act and Stored Communications Act to even more esoteric areas,” he told Network World. “For example, if an employee has a diabetes management app, a company’s access to that data can implicate HIPAA, the Genetic Information Nondiscrimination Act (GINA), and many other areas.”
Gallagher also echoed the importance of clear policy-setting in successfully navigating the legal dangers of BYOD.
“Companies should continually remind employees that their data can be seen and reviewed, so that employee consent is real and ongoing,” he stated. “Courts look carefully at whether employees actually know company privacy policies, not just whether companies did the bare minimum to give notice.”