What Are the Legal Problems with Bring Your Own Device (BYOD) Policies?

One of my clients legal department recently explained why we could no longer allow staff to freely use their personal cell phones / tablets to connect to our corporate email.  Their logic was that we have an obligation to keep all corporate data private when someone leaves the company and even if we remotely remove email from their personal cell there is no way to prove there is not some email residue stored on that cell.  Some email clients store copies locally so if you remove the account, the old email might still on the device even though the configuration has been removed.  As a result, their policy for staff that want to BYOD is to require them to allow IT to COMPLETELY wipe their perssonal cell/tablet when the leave the company… not a nice option for most.

I found the following bit from an AllStream (phone company) blog which referred to what a lawyer discussed at a recent IT / BYOD conference:

  • User athentication: Just as security experts have been preaching for years that IT departments need to do a better job of authenticating the devices they issues to employees, BYOD programs that overlook this practice will risk data loss or worse.
  • Due diligence: In the days when IT managers decided which desktop model would be chosen as the basis of its enterprise fleet, they would do a thorough background check on any vulnerabilities that could put their organization in legal hot water. Now, that role may be left up to the users (who probably won’t think to do it) unless the policy dictates otherwise. And many consumer devices may have plenty of apps with security holes only an experienced IT team can fill.
  • Remote wiping: With a corporate-issued machine, losing a laptop or smartphone wasn’t a huge deal because the IT department could simply eliminate its contents. A user’s own device, however, may contain a great deal of personal files, photos and other content that a company may not have the authority to throw away at will.
  • Surveillence: “Even if you could have a policy that allowed you see everything your employees are doing — which would probably be outside the bounds of what’s reasonable — ask yourself whether you really want to,” Ing said. Certain kinds of information about an employee’s outside pursuits, particularly criminal activity, could embroil the company into a legal situation it didn’t need to be in.
  • eDiscovery: Most companies ignore it until it happens to them, but in many lawsuits, courts are ordering enterprises to cough up not only printed documents but e-mail messages, photos, videos and all kinds of other files. In a BYOD era, many of these may be resident on an employee’s personal device. Make sure your policy includes the ability to comply with such requests.

Read the full story at http://blog.allstream.com/5-byod-legal-risks-it-departments-cant-ignore/?utm_source=userdatabase&utm_medium=email&utm_campaign=expertIP_Newsletter_September2012 

Questions or Comments?