CIO - Let's say you need to pull some corporate data off an employee's personal iPad. Under the newly and hastily crafted bring-your-own-device policy, or BYOD, the employee is required to hand over the iPad to the IT computer forensics team.
The team finds child pornography on the iPad in areas unrelated to the job.
Did the team have permission to conduct e-discovery on personal data? Is the team obligated to call law enforcement? Would the finding be admissible in court? Were the employee's privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios?
Welcome to the foggy world of BYOD, where the blending of personal and work lives on a single device opens up a host of problems. CIOs often fret about security and management, but BYOD can land a company in murky legal water, too.
"It's a slippery slope," says Ben Tomhave, principal consultant at tech consultancy LockPath. While he isn't a lawyer, Tomhave is co-vice chairman and incoming co-chairman of the American Bar Association's SciTech Information Security Committee and regularly blogs about risk management issues.
If CIOs think they can get off this slippery slope by blocking BYOD at the front door, think again.
Juniper Networks just released results of a survey of more than 4,000 mobile-device users and IT professionals. This IT-gets-burned stat stood out: Many employees circumvent their employers' official mobile-device policies, with 41 percent of all respondents who use their personal devices for work doing so without permission from the company, the report states.
"The IT departments that I talk to on a regular basis don't think [the risk] is that high," says Dan Hoffman, chief mobile security evangelist at Juniper Networks. "They think they have a lot more control and insight than they really do."
Rogue BYOD behavior puts a company at even further legal risk because there aren't any formal policies to fall back on when things go south, which will happen.
Child porn on an iPad is an extreme case (at least, let's hope it is), but a more likely scenario is that IT conducts a search on a BYOD iPad and stumbles upon signs that an employee has been working on a project that potentially undermines or competes with the organization.
If the employee was doing this on his own time (that is, not company time), can the company fire the employee based solely on this potentially ill-gotten evidence?
Here's a follow-on scenario adding even more intrigue: Let's say the employee is terminated and the company remote wipes his iPad, which deletes personal data. Is the company culpable? "You've got to make sure policies and legal agreements clearly articulate the expectation," Tomhave says.
This legal white-hot knife cuts both ways; employees need personal protections, too.
Companies (and IT departments) can be just as sneaky when it comes to BYOD. Abuses of access run rampant in the tech industry, headlined by Hewlett-Packard surreptitiously obtaining phone records of board members and press in order to ferret out leakers in 2006.