More than 60 percent of employees say it is OK to transfer work documents to personal devices or online file-sharing apps. Given that statistic, it's no surprise that companies want to rein in BYOD. However, there may be alternative: A move to company-owned-personally-enabled devices promises to give employers greater control of mobile devices without trampling on privacy.
By Tom Kaneshige
Let’s face it, you’re a thief.
At some point in your life, you swiped something from a previous employer — business contacts, source code, staplers — and used it for personal gain,
perhaps as a sacrificial, competitive offering to your next employer or to help kick-start your own business. Fact remains, the stuff wasn’t yours.
But it’s so simple, you say, especially in these early days of BYOD. It’s easier than ever to whip out your smartphone and record a strategic meeting, take a
screen shot of a document or photo of a whiteboard, copy and paste company information contained in an email to a personal cloud storage service, shoot
off untraceable text messages, and other violations of the eighth of The 10 Commandments.
With BYOD, you don’t even have to employ multiple devices or stealthily use a thumb drive like the techies in the geek cult classic “Office Space,” or
stupidly create an electronic paper trail by forwarding corporate email to a personal email account. Rather, you can do all your pillaging from the safety and
comfort of your cubicle with little chance of getting caught.
COPE Offers IT and Workers Middle Ground
Companies, though, are smartening up. While they know they can’t
stop the powerful current of consumer gadgets flooding the enterprise, they can slow down BYOD. They’re regaining control with an emerging computing
model and big-time contender to BYOD called company-owned-personally-enabled devices, or COPE. It’s a hybrid that sits between free-for-all BYOD and
traditional company-owned computers that forbade personal use and held zero expectations of privacy for employees.
“We have seen several large companies moving to the company-owned-personally-enabled-model primarily to give the employer greater access to
mobile devices without creating privacy snafus,” says Larry Ponemon, founder of research firm Ponemon Institute. “This approach appears to be acceptable
to data protection authorities and other privacy regulators, including those in high-risk countries such as Germany, France and other EU nations.”
BYOD’s meteoric rise is starting to slow down because of security concerns, thus opening the doors to COPE. Ponemon Institute surveyed 895 IT and
security specialists and found that 60 percent are unsatisfied with current BYOD solutions, mostly due to cost and inadequate security.
Workers and Employers Both Wary of BYOD
A Workshare survey found that the number of employees adopting BYOD decreased from 80 percent to 62 percent, largely due to the increase in IT
security and in the awareness of the dangers of BYOD.
Protecting intellectual property in the age of BYOD has become paramount for companies big and small, in every industry. Consider this startling statistic
from a Symantec survey earlier this year: Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent
plan to use it in their new jobs.
The majority of the offenders don’t believe this is wrong, either. Sixty-two percent of employees say it is acceptable to transfer work documents to
personal devices or online file sharing apps. On the tech front, 42 percent believe a software developer has some ownership of his work and do not think it’s
a crime for him to reuse the source code, without permission, in projects for other companies.
It’s no surprise that companies feel a need to rein in BYOD, given its supporting role as the getaway driver in intellectual property theft.
“Corporations will side step from BYOD in 2014 to the more practical use of COPE,” says Bob Janssen, CTO of RES Software. “With COPE devices,
organizations will have greater control and security over the devices used by employees. The device will then have the ability to be used personally and
professionally, and will be able to switch between the two contexts.”
COPE devices have some enormous advantages when it comes to data security, says attorney Paul Starkman, who heads the labor employment group at
law firm Pedersen & Houpt in Chicago. For starters, he says, COPE acts as a deterrent — that is, employees are less inclined to steal using a corporate-owned
Many companies also get cyber-risk insurance to protect against lost or stolen devices with sensitive information on them, such as social security
numbers or customer health information, but those policies don’t cover personally-owned devices. When a legal dispute arises, law enforcement will often
help get the device back if it’s company property, not personal property.
How Much Privacy Does COPE Imply?
COPE’s biggest advantage might be in the judge’s mind. An employer needs to have authorization or consent to pull data from a device, Starkman says,
and it’s much easier to establish that the employee has no expectation of privacy when using a corporate-owned device than a personal one. This allows
companies to search a device for evidence of intellectual-property theft.
“It’s a much easier sell to a judge to say, ‘This is a company-owned device, and while we let them use it for personal use, we told them that whatever
they do with it, they need to understand that personal activity is open to scrutiny and may be monitored,'” Starkman says.
On the other hand, COPE’s greatest danger is giving a false sense of security to IT. While there may be no expectation of privacy for employees, Starkman
advises companies not to go snooping into personal stuff. “You don’t want to cross into password-protected personal accounts and websites and social
media,” he says. “COPE is not a full-proof plan.”
In the case of Borchers v. Franciscan Tertiary Province of the Sacred Heart, Diane Borchers, a food service director, was issued a computer with a
written policy permitting “occasional personal use.” In 2007, she reported to human resources that she was being sexual harassed by her supervisor, Michael
Frigo. (The follow-up internal investigation found no evidence.)
After Borchers left, Frigo directed his administrative assistant to check Borchers’ computer for business-related information — and found Borchers’
personal AOL account. Borchers’ emails contained everything from spiteful feelings toward co-workers to intensions to take advantage of disability
benefits. Upon realizing that Frigo had seen her emails, Borchers promptly withdrew her sexual harassment claim.
Then Borchers sued in state court, alleging violations under the federal Stored Communications Act. A state judge granted summary judgment to the
employer, claiming that the administrative assistant did not act with wrongful intent. But the Illinois Appellate Court revived the privacy lawsuit, citing that
the administrative assistant printed out more than 30 personal emails.
“The question is, if the device is company-issued, does that somehow raise the likelihood that the employee has no expectation of privacy? That may
not be the case,” says Heather Egan Sussman, co-head of the global privacy group at law firm McDermott Will & Emery. “It may be that the employee,
because they’re allowed to do some personal activity, retained some sort of an expectation of privacy.”
More and more cases concerning employee privacy and intellectual-property theft on computers and mobile devices are bubbling to the surface.
Whether it’s employees claiming privacy violations or employers arguing theft, companies would be in a better position with COPE rather than BYOD. But, as
the Borchers case illustrates, COPE alone doesn’t keep companies out of hot water.
“If you allow personal use, then you’re blurring the lines,” Starkman says.