Glass shards sprinkle across the hotel parking lot as a thief smashes the passenger window. A gloved hand scours underneath the seat and brushes the familiar smooth surface that can only mean another laptop.
The end of the sales convention’s happy hour soon reveals double pain. The employee had waived insurance on the car. Worse yet, the chief information officer had just emailed to that computer an Excel spreadsheet with confidential financials prepared for the upcoming stock sale.
Now what?
This scenario is the new reality given the emergence of Bring Your Own Device (BYOD), which refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets and smartphones) to their workplace and use those devices for access to privileged company information and applications.
In 2014, the scales of justice are working full tilt to sort out competing interests of security, privacy, productivity and personal use.
On the one hand, the monitoring of privately owned devices creates a significant policy dilemma for companies: If one monitors too much, it can be seen as invading employee privacy, and in some states, may even be breaking the law. Several state legislatures have passed laws requiring employers to notify employees when monitoring their electronic communications.
With too little oversight, the company’s data is placed at a huge risk. A potential security breach also occurs when an employee leaves the company and keeps his or her iPhone. And company applications and other data may still be present on that device.
Recently, an Ohio court ruled that even if a former employee used a company-owned BlackBerry for personal use, that employee’s supervisor did not have valid authorization to access personal emails after her termination. Further, the employee’s failure to scrub the phone before returning it to the company did not constitute implied consent to continued access, a potential violation of the federal Stored Communications Act.
Now is the time to address these opposing interests with the implementation of a Bring Your Own Device program for the workplace. Consent is a key component because it empowers the company to govern and monitor the activity of employees’ privately owned devices without appearing to be secretive or deceptive. At a minimum, a BYOD policy provides that (a) the company controls all data on an employee’s personal device, (b) requires employees to synchronize certain data with the company’s servers, and (c) requires installation of an application that permits the company to remotely “wipe” the device if it were lost, for example.
However, one important consequence of a Bring Your Own Policy policy unfolds in the event of civil litigation. An employee’s personal device could be subject to discovery request or computer forensic inspection by an opposing litigant. That means such devices must be addressed in a “legal hold” order issued by corporate counsel.
Technology to measure technology is coming to the market, as well. For example, AppGuru allows an IT department to have a company-wide snapshot of app usage, as well as the ability to monitor cloud app activity in real time.
Complex legal issues aside, several studies have reported that allowing the use of personal devices in the workplace has resulted in increased productivity and worker satisfaction. At the end of the day, just as BYOB became a social norm, a creative and solid legal approach to BYOD can bring stability to the workplace.