Let’s say you need to pull some corporate data off an employee’s personal iPad. Under the newly and hastily crafted bring-your-own-device policy, or BYOD, the employee is required to hand over the iPad to the IT computer forensics team.
The team finds child pornography on the iPad in areas unrelated to the job.
Did the team have permission to conduct e-discovery on personal data? Is the team obligated to call law enforcement? Would the finding be admissible in court? Were the employee’s privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios?
Welcome to the foggy world of BYOD, where the blending of personal and work lives on a single device opens up a host of problems. CIOs often fret about security and management, but BYOD can land a company in murky legal water, too.
“It’s a slippery slope,” says Ben Tomhave, principal consultant at governance, risk and compliance vendor LockPath. While he isn’t a lawyer, Tomhave is co-vice chairman and incoming co-chairman of the American Bar Association’s SciTech Information Security Committee and regularly blogs about risk management issues.
If CIOs think they can get off this slippery slope by blocking BYOD at the front door, think again.
Juniper Networks just released results of a survey of more than 4,000 mobile-device users and IT professionals. This IT-gets-burned stat stood out: many employees circumvent their employers’ official mobile-device policies, with 41 percent of all respondents who use their personal devices for work doing so without permission from the company, the report states.
“The IT departments that I talk to on a regular basis don’t think [the risk] is that high,” says Dan Hoffman, chief mobile security evangelist at Juniper Networks. “They think they have a lot more control and insight than they really do.”
Rogue BYOD behavior puts a company at even greater legal risk, because there are no formal policies to fall back on when things go south, and they will.
Child porn on an iPad is an extreme case (at least, let’s hope it is), but a more likely scenario is that IT conducts a search on a BYOD iPad and stumbles upon signs that an employee has been working on a project that potentially undermines or competes with the organization.
If the employee was doing this on his own time—that is, not company time—can the company fire the employee based solely on this potentially ill-gotten evidence?
Here’s a follow-on scenario adding even more intrigue: Let’s say the employee is terminated and the company remote wipes his iPad, which deletes personal data. Is the company culpable? “You’ve got to make sure policies and legal agreements clearly articulate the expectation,” Tomhave says.
This legal white-hot knife cuts both ways; employees need personal protections, too.
Companies (and IT departments) can be just as sneaky when it comes to BYOD. Abuses of access run rampant in the tech industry, headlined by Hewlett-Packard surreptitiously obtaining phone records of board members and press in order to ferret out leakers in 2006.
Today, some companies pressure employees to give up Facebook passwords for hiring and firing purposes. What does this mean for BYOD? Most employees have a Facebook app on their personal smartphones and tablets, and the app keeps them logged in with stored credentials. When one of those devices is in the hands of IT, all of a person’s Facebook account is accessible without anyone ever asking for the password.
Tomhave advises employees to lawyer up before signing the BYOD agreement. He envisions a cottage industry of legal advice that helps employees build a privacy protection shield. “You’ll want to sign a policy that clearly delineates what the business is allowed to do and not allowed to do,” including conditions for seizing and searching the BYOD device in the first place, he says.
Another option is to go back to the days of carrying around multiple devices: a personal smartphone and a business smartphone, even if that business phone falls under BYOD. That way, there is no risk of crossover between personal and work data.
It’s clear that companies and employees need good legal agreements in place for participating in a BYOD program. Unfortunately, such agreements are scarce.
“I don’t think a complete risk analysis has been done on any of this stuff,” Tomhave says. “A lot of organizations are playing catch-up.”
Tom Kaneshige has been covering business and technology in Silicon Valley for two decades. As senior online writer at CIO.com, Tom covers Silicon Valley culture, BYOD and consumer tech in the enterprise.