Tag Archive for Device

BYOD Could Land Employees in Jail

Agreeing to a BYOD policy could land an employee in jail. Courts can go after employee personal phones in litigation involving companies. Michael Kassner, an information security consultant, told FierceMobileIT that employees could be dragged into civil or criminal litigation.

Employees could be required to give up their personal device to the courts or even have all the data on the device searched, with possible legal ramifications for the owner. According to Mr. Kassner, “There is legal precedence involving e-discovery and plain-view doctrine that allows the seizure of evidence whether it is related to the case under investigation or not.” There are three possible legal scenarios involving BYOD, says Mr. Kassner, who consulted with Tyler Pitchford, with the law firm of Brannock and Humphries.

The first scenario outlined in the article involves an employee who has signed a BYOD end-user license agreement, having his personal data wiped along with the corporate data. If the end-user agreement includes the clause enabling the wiping of all data on the personal device, the employee is out of luck.

“In the above scenario we’re talking about a legal contract, which means if the employee signed the contract, he agreed to its terms, granting his employer the right to reset the employee’s phone,” comments lawyer Pitchford.

In the second scenario, the enterprise becomes involved in a civil lawsuit and a subpoena is issued for the employee’s smartphone. During the legal discovery process, sensitive personal information is publicly disclosed.

“Since the employee co-mingled work and personal data, she has turned her smartphone into discoverable evidence … The employee can seek an order quashing the subpoena or an order sealing the discovered information, but that’s unlikely in this circumstance,” Mr. Pitchford observes.

In the third scenario brought up in the article, the employee’s company does business with a firm that is the subject of a criminal proceeding. Authorities issue a warrant for the employee’s phone because the employee has done work for the targeted firm. Incriminating evidence is found on the employee’s phone and the employee is now under criminal investigation.

“Assuming the warrant is valid, then anything the government located in plain view within the scope of the warrant is admissible against the employee in another proceeding,” Mr. Pitchford notes.

Mr. Kassner concludes: “Until case-law or new technologies decide which way the legal winds are blowing about BYOD, it might be in your best interest to avoid BYOD and its alluring convenience.”

rb-

I am not a lawyer, and you should consult your own legal counsel, but as I have said before – ummm, Acceptable Use Policy?


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

BYOD Love Affair Waning?

Tom Kaneshige at CIO.com warns that the “Bring Your Own Device” love affair is coming to an abrupt and bitter end, and the lawyers are circling. He argues that in the early days of BYOD, say, last year, employees, especially Millennials, fell madly in love with the idea of using their own Apple (AAPL) iPhones, Google (GOOG) Android smartphones, and newfangled tablets for work. Finally, they could ditch corporate-issued BlackBerrys (BBRY).

BYOD ushered in a new era of consumer tech in the enterprise, one that promised employees and employers would live happily ever after. But the BYOD romance has suddenly turned sour. Employees are questioning corporate intrusion on their personal devices. Did IT turn their beloved smartphone into a spy that tracks their whereabouts? The article says employees are beginning to sense companies taking advantage of BYOD by intruding on personal time to get free work time.

Now they’re thinking about suing. John Marshall, CEO at AirWatch, an enterprise mobile device management (MDM) vendor with 6,500 customers, told CIO, “I anticipate a bunch of little [lawsuits], then something big will happen that’ll be a class action and become headline news.”

CEO Marshall reports that the suits have already started. A federal case in Chicago is winding its way through the courts which claims that the city owes some 200 police officers millions of dollars in overtime back pay. The case centers on allegations that the city pressured officers into answering work-related calls and emails over department-issued BlackBerrys during off-hours.

There’s no question BYOD blurs the line even more between work life and personal life. The AirWatch CEO, not surprisingly, recommends a Mobile Device Management (MDM) application to control email delivery to BYOD devices. This way an employer can set a business rule that won’t allow delivery of corporate email to a subset of users during off-hours. Or a CIO can address this issue in the BYOD terms-of-use agreement. (rb- Both would be best)

The CIO article offers up another legal nightmare scenario: Lacking MDM tools to block out what can and cannot be seen on a BYOD smartphone, a help desk technician notices that an employee’s device has a lot of personal apps about a health problem—and mentions his concern to the employee in the cafeteria.

“The employee can say, ‘How in the world did you know that?’” Mr. Marshall says. “All of a sudden, something that’s very benign and innocuous turns into something that’s blown out of proportion.” (rb- Help Net Security cites recent U.S. DHSS seven-figure settlements from healthcare institutions that failed to protect patients’ health information under HIPAA regs.)

Mr. Marshall recommends a comprehensive BYOD terms-of-use agreement which, along with transparency about the capabilities and limitations of the technology, will help ward off such scenarios. The IT staff also needs to be educated about their role in a BYOD environment.

However, this doesn’t mean problems won’t crop up. Part of the problem, the article indicates, is that BYOD often puts business unit managers who aren’t well-versed in technical user agreements in a leadership position with mobile apps. They’re likely to give the green light to rogue mobile apps that violate such agreements.

For instance, employees are chiefly concerned about privacy and especially location-based services with BYOD, and so many user agreements stipulate that apps will not collect location-based information. But someone who wants to be helpful builds a map app for the corporate campus that allows employees to schedule conference rooms and find safety information, such as where to go if there’s a tornado. AirWatch’s Marshall explains:

Maybe there’s also a button on there that says where you are in the campus … All of a sudden people wake up and realize that every single device using that app is collecting location-based information—that’s an issue. These are really plausible scenarios … There’s so much copy and paste and reuse of all these components that these things can happen very innocently.

Then there’s the dreaded remote wipe, which can land a company in some legal hot water, according to the article. Help Net Security says there is little to no case law in this area. CIO.com reports that just last year, CIOs said they felt comfortable with BYOD because they held security’s holy grail: remote wipe, a scorched-earth capability for wiping all data on a mobile device.

But employees weren’t happy with the idea that the company can wipe personal data on their personal device. Some employees refused to take part in the BYOD program for this reason. Others waited days or weeks before reporting a lost or stolen device so that IT wouldn’t wipe it.

MDM software advanced quickly and seemed to come up with a fix. Now companies can wipe only corporate apps from a BYOD smartphone or tablet, leaving personal apps untouched. In fact, AirWatch won’t even allow a full device wipe anymore for legal reasons. While this helps tremendously, it doesn’t completely solve the problem.

Mr. Marshall proposed a scenario where a company buys the popular productivity app, Evernote, for employees to put on their BYOD smartphones. Since the company paid for the app, the company can remove it at any time. The note-taking app collects company data but might also store personal data. An employee can use Evernote to create a shopping list, recipes, vacation plans, or perhaps something more critical to their job.

Guess what happens to this personal data when the employee leaves the company? The app, along with all the data, is wiped from the device and account. If the BYOD terms-of-use agreement about Evernote wasn’t spelled out clearly, who is liable for the lost data?

The bloom is off the BYOD rose, and so companies had better add protections against employee lawsuits in the BYOD terms-of-use agreement and leverage MDM to make sure the agreement is followed.

Truth is, employees tend to get a bit emotional when their privacy is violated or their location is tracked via a mobile device that they personally own. They don’t like their personal data to be wiped, either. When these things happen, companies can expect the wrath of a scorned employee. “That’s where it gets tricky,” Mr. Marshall told CIO.com.

Tony Busseri, CEO of Canadian digital security firm Route1, told Help Net Security:

Along with security concerns, BYOD has brought the potential of major legal issues for the Enterprise … Many current BYOD corporate policies leave enterprise data unprotected in the event of a security breach and during an employee’s exit from the company. The policy of tracking and wiping an employee’s personal device opens the enterprise up to the potential for mass litigation.

rb-

Misco in the UK reported that the majority of employees will not cooperate with employers’ BYOD efforts. According to the data:

  • 82% of the survey participants viewed their employer’s ability to track their location as an invasion of privacy;
  • 82% are concerned or extremely concerned about having their browsing history monitored;
  • 76% stated that they would not allow their company to view the applications installed on their personal mobile devices;
  • 75% said they would not go along with an installation made by their employer;
  • Only 15% had no concerns about employers tracking activities.
