How to Craft the Best BYOD Policy
What is a good BYOD policy? Step one is to clarify the rights of both company and employee and state upfront what's business and what's personal. But there's a lot more to it. In this interview with a technology transactions lawyer, CIO.com explores the do's and don'ts of BYOD policies.
Wed, May 01, 2013
CIO — If your company is involved in litigation, then your personal smartphone used for work—even merely for receiving corporate email—can be seized and searched for evidence during the discovery phase, according to an NBC News report. This is just one of many unforeseen consequences of "Bring Your Own Device," or BYOD, a technology trend sweeping corporate America today.
Even worse, most companies have the right to search your BYOD smartphone anyway. That's because you likely signed your privacy rights away in a multipage user policy chock full of legalese. Did you read the fine print? Probably not.
"I can't tell you the number of times we get an issue where a company needs to reach in and wipe a device or look at a device, and the employee is shocked to learn that this is permitted under the company policies," says Matt Karlyn, partner in the technology transactions practice group at Boston law firm Cooley LLP.
Karlyn believes BYOD boils down to a well-drafted and comprehensive policy that spells out the rights for both companies and employees. Such a policy covers a company's right to monitor, access, review and disclose company or other data on a mobile device, and the employee's expectations of privacy with respect to that device.
CIO.com sat down with Karlyn to discuss the keys to a good BYOD policy, one that can provide companies and employees with some measure of security as BYOD barrels ahead.
Can a personal smartphone be seized and searched if a company is involved in litigation?
Personal devices may be subject to search and review in the event of litigation that involves an employer or other similar legitimate reason, which can include any business information on the phone. It's just like any other evidence or document or computer that could be confiscated and looked at for evidence. That's litigation procedure.
Yet I can even tell by your question that most people find this surprising. Where's the policy that makes it clear that the company has these rights with respect to these devices?
Today's mobile device management software allows for searching and wiping only business data. Could a search include personal data, too?
I was reading recently about a company that put into practice where they would only access business content on a personal device that's used for business purposes. They defined business content as email and business-related documents. They specifically excluded photographs, the assumption being that photographs would be only personal in nature.