How BYOD Puts Everyone at Legal Risk

If your BYOD policy goes too far, you may be prosecuted for unfair labor practices. However, courts expect you to produce all relevant data in discovery proceedings. Meanwhile, your employees may fear retaliation if they don't sign draconian BYOD policies. CIO.com talks to attorneys to better understand the legal side of BYOD.

If your BYOD user policies are too strict, then you might be running afoul of the law.


The General Counsel of the National Labor Relations Board (NLRB), a group tasked with the investigation and prosecution of unfair labor practice cases, is taking aim at newfangled social and BYOD company policies that violate Section 7 of the National Labor Relations Act.

In a case last year, the NLRB made the unprecedented argument that an at-will employment policy could "chill an employee's ability to communicate with others about wages, hours and working conditions or to engage in otherwise protected activity."

Heather Egan Sussman, a lawyer at McDermott Will & Emery, says she has seen at least three reports issued by the General Counsel over the last few years concerning cases where prosecuted companies wrote overly broad policies or policies that went too far. While these reports were mostly directed toward social media, they can apply to BYOD policies as well.


The General Counsel's focus on confidentiality policies is causing companies to re-think their BYOD policies, says Sussman, "out of fear of prosecution."

BYOD Policies Get Down to Detail

It's an odd reversal of sorts. The first iterations of BYOD user policies erred on the side of simplicity and vagueness, merely suggesting user behavior instead of providing hard-and-fast rules. They consisted of generalizations about what companies and employees can and cannot do. These BYOD policies were practically useless when called upon for ediscovery or when employees raised privacy concerns.

Then the lawyers got involved. They helped companies draft lengthy documents covering all sorts of scenarios, including legal cases for ediscovery. BYOD policies ballooned to a dozen pages. These policies weighed heavily in favor of a company's right to monitor, access, review and disclose company or other data on BYOD mobile phones and tablets, and gave short shrift to an employee's expectation of privacy.

Now the pendulum is swinging back.

The General Counsel appears to be toughening up on corporate policies that attempt to control an employee's use of the Internet, BYOD or social media. There's concern that companies are exceeding the scope of their authorization and potentially violating the National Labor Relations Act. While the General Counsel is not the deciding body, Sussman says, its reports can guide companies in drafting lawful BYOD policies that steer clear of prosecution.


Nevertheless, Sussman says she believes the General Counsel is acting a bit heavy-handed in saying what is and isn't permissible. "I think companies should have more latitude to set reasonable and fair rules with their employees, rules designed to protect against the many risks from BYOD and social media," she says.

BYOD, a company's right to protect and disclose data, and an employee's expectation of privacy are all colliding and creating a very sticky problem. Emotions run high when a conflict between employee and employer arises and when a company needs to look into an employee-owned smartphone or tablet.

When employers and employees make claims against each other, Sussman says, it often comes out in discovery that the employer has obtained copies of personal emails and other information from a device used as part of a BYOD program.

"Where we see it play out is when the employer wants to introduce a piece of evidence, and the question is whether or not the employer had the right and authority to collect that information in the first place or exceeded their authority," she says.


"There's an interesting line of cases at the state law level," Sussman says. "We see it in employee communications with lawyers prior to leaving the workplace. What is the extent to which the attorney-client privilege attaches to those emails? Did the employee waive that by using the company's network or systems? A lot of these [devices] connect through the network, and information is cached or stored in the network."

BYOD Adds Twist to Discovery

On one side of the argument, companies need to be able to get corporate data residing on BYOD smartphones and tablets -- in fact, judges expect it.

Geoffrey Vance, another attorney at McDermott Will & Emery who heads up the discovery group, says he has cases where a company is being sued by a customer claiming damages from the company's product. The company needs to collect work-related data on smartphones and tablets that relate to the litigation.


"It used to be we'd just go to Outlook email servers and shared drive servers and collect most of this stuff internally within the organization," Vance says. "Now we have to go get BlackBerrys, iPhones and HTC tablets... the information resides almost entirely and exclusively on those devices."

Moreover, judges assume companies have the capability to preserve and collect all information created in connection with work that relates to litigation, Vance says. They won't be happy to hear that such information exists but the company doesn't have access or authority to it, because there wasn't employee consent written into the BYOD policy. "That's a real tension," he says.


Containerization technology that separates business and personal apps and data on a single device, such as Samsung's Knox, expected to be released later this year, can be a helpful starting point not only for ediscovery and meeting obligations in litigation but also for asset control. The problem, of course, is that company information has a way of getting tossed over the virtual wall.

Many Employees Will Sign Anything

On the other side of the argument, BYOD puts employees in a tough spot. Many feel pressured to waive their expectations of privacy when presented with a draconian policy, so as not to make waves in a tough job market. They see the General Counsel's actions as a welcome relief.

"The company wants them to use their own devices, and employees need to use them for their jobs. If the employee says no, they might not get hired or maybe even get fired," especially in situations where BYOD is mandatory, says attorney Paul Starkman, who heads the labor employment group at law firm Pedersen & Houpt in Chicago.


"A lot of employees feel they don't have a choice and will sign anything that's put in front of them and take their chances down the road."

The big hurdle in the discovery phase is, did the employee have a reasonable expectation of privacy in the communication or action? Or is the action of the employer justified? Starkman and Sussman agree that employers shouldn't pull passwords off BYOD smartphones and tablets and start snooping inside personal email accounts and social networks.

Employees can further protect themselves even on corporate email by writing in the subject line of an email something to the effect of "privileged and confidential" or "not business related." This shows that the employee is seeking to protect the personal nature of the communication, Sussman says, "and may very well be respected by the court."

However, Sussman says that a company can make clear in its BYOD policy that it has access to personal information on the network and can leverage this to the extent that it's relevant to the case and potentially contradicts the statement made by a witness. "It's important and helpful to getting to the truth," Sussman says.

"We often see state courts coming out on both sides," Sussman says.

BYOD and Policies Still Evolving

It's too early to tell how BYOD policies and the law will play out; BYOD is simply too new of a technology trend. As BYOD matures and companies become more sophisticated about acceptable terms in a policy, Sussman predicts BYOD policies will shrink.

Already, Sussman's clients are looking for ways to streamline the BYOD policy. They want to know how to communicate key points: improving the security of the organization and minimizing the risk of loss or theft, while establishing the rules of the road for employees -- that is, what's expected of them in a BYOD world.

"I think there's also the potential to have new clauses entered in, such as arbitration waivers of class claims," Sussman says. "It's an opportunity for an employer to have an agreement between the company and the employee that establishes, if this relationship breaks down, how are we going to resolve disputes?"

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com.
