BYOD Stirs Up Legal Problems
Does BYOD put your company in murky legal water? You bet. Employees need protections, too.
Wed, May 09, 2012
CIO — Let's say you need to pull some corporate data off an employee's personal iPad. Under the newly and hastily crafted bring-your-own-device policy, or BYOD, the employee is required to hand over the iPad to the IT computer forensics team.
The team finds child pornography on the iPad in areas unrelated to the job.
Did the team have permission to conduct e-discovery on personal data? Is the team obligated to call law enforcement? Would the finding be admissible in court? Were the employee's privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios?
Welcome to the foggy world of BYOD, where the blending of personal and work lives on a single device opens up a host of problems. CIOs often fret about security and management, but BYOD can land a company in murky legal water, too.
"It's a slippery slope," says Ben Tomhave, principal consultant at governance, risk and compliance vendor LockPath. While he isn't a lawyer, Tomhave is co-vice chairman and incoming co-chairman of the American Bar Association's SciTech Information Security Committee and regularly blogs about risk management issues.
If CIOs think they can get off this slippery slope by blocking BYOD at the front door, think again.
Juniper Networks just released results of a survey of more than 4,000 mobile-device users and IT professionals. This IT-gets-burned stat stood out: Many employees circumvent their employers' official mobile-device policies, with 41 percent of all respondents who use their personal devices for work doing so without permission from the company, the report states.
"The IT departments that I talk to on a regular basis don't think [the risk] is that high," says Dan Hoffman, chief mobile security evangelist at Juniper Networks. "They think they have a lot more control and insight than they really do."
Rogue BYOD behavior puts a company at even further legal risk because there aren't any formal policies to fall back on when things go south—which will happen.
Child porn on an iPad is an extreme case (at least, let's hope it is), but a more likely scenario is that IT conducts a search on a BYOD iPad and stumbles upon signs that an employee has been working on a project that potentially undermines or competes with the organization.
If the employee was doing this on his own time—that is, not company time—can the company fire the employee based solely on this potentially ill-gotten evidence?
Here's a follow-on scenario adding even more intrigue: Let's say the employee is terminated and the company remote wipes his iPad, which deletes personal data. Is the company culpable? "You've got to make sure policies and legal agreements clearly articulate the expectation," Tomhave says.