BYOD – A Legal Perspective

BYOD, or “Bring Your Own Device,” is a topic that is gaining all kinds of interest, though as yet there is very little case law referencing it. However, that doesn’t mean that the prepared attorney has to wait for a judge to rule against a client.

The pros and cons of such an arrangement are discussed in our blog “BYOD – Bring Your Own Device,  or Bought Your Own Disaster …. ??”, which you can read here.

The thing is, you have clients to protect, and to do that you have to know what the options are. At the heart of any workplace dispute is the corporate handbook, which outlines the Acceptable Use Policy. This is the policy that states that computing devices of the company are to be used strictly for the business operations of the company, and in which the employee acknowledges that all information contained on the computers of the company belongs to the company and that the employee should have no expectation of privacy. Your clients have one of those, right? I am sure that they will shortly if they don’t now.

The acceptable use policy is typically broad enough to cover all of the devices that are owned by the company; however, the question becomes a little different if the company is expecting, permitting, or requesting the employee to use their own personal equipment for corporate gain.

This is the time for a very specific outline of expectations and a reasonable and enforceable plan of action should the employment condition be altered by one party or another.

What many folks do not know is that most corporate electronic mail systems have the ability to remotely destroy all of the information on a corporately attached device. This means that if your employee is getting their corporate email on their personal device, the Technology Department of your company likely has the ability to destroy that phone. The idea is that, should a corporate executive with the secret sauce recipe of his company on his phone lose the device in a New York cab, he can simply call the IT department and have them perform a remote “wipe” of the device. This will destroy ALL information on the phone, keeping the sauce recipe safe from prying eyes. The ramifications of this ability, however, can be legally problematic if the employee has not been notified that this ability exists and has not acknowledged it through the acceptable use agreement. Should the employee be terminated, the IT department may be instructed to destroy the device as it has sensitive corporate data on it. The problem is that it may have also had the last text from a deceased relative that could never be replaced.

Many people believe that if an employee does not sign a waiver which explicitly absolves the employer of damages for a remote wipe, the employee has grounds for a lawsuit.

But these devices are not just phones. iPads, iPods, Surface, tablets, and laptops are all devices that could contain corporate information. These all must be taken into consideration when crafting an Acceptable Use document and any accompanying waivers of liability.

The other workplace concern is access to confidential information on a personal OR corporate device by the police if the holder is arrested. The Supreme Court of California recently upheld the warrantless search of mobile phone text messages in People v. Diaz, 51 Cal. 4th 84 (2011). The decision places little to no restrictions on the data police officials may access when searching an arrestee’s devices. This could open a world of problems should the information on the device be sensitive and unencrypted.

This case involved searching text messages on a phone; however, there is no limitation which would prohibit accessing confidential emails, documents, and voicemail messages that may contain private business or client information and/or information of a personal nature. Telephone devices are not the only devices which may be at risk: flash drives, digital cameras, and laptops found on the person may also be searched.

In conclusion, the choices are very clear: either prohibit the use of personal devices to perform business operations, or write a very inclusive Acceptable Use Policy and waiver which the employee must sign.

