BYOD is so great for so many reasons (For individuals: fewer things to carry around, everything in one place, no device confusion, you can use your shiny new phone more often. For corporations: less expensive, less need for support/IT, fewer whiny employees asking why they can’t use their iPhone/Nexus 5/Surface instead of the boring old BlackBerry) that it’s easy to ignore pitfalls. But the mingling of personal and corporate data on a single device does create a lot of headaches, and when you think about it, the privacy implications of BYOD are kind of obvious and something both corporates and users should be aware of.
Most disquieting to employee users of BYOD may be that when it comes to litigation, the fact that the phone is yours means nothing. If the phone or data on it are requested as part of a warrant or relevant civil e-discovery request, it must be turned over – along with all of your personal photos, texts, banking information and Words with Friends high scores. This can come as something of a shock, not only because you are turning over private data that may potentially be searched by co-workers and third parties, but because you’ll be without your device as long as it is part of an investigation or discovery process. It’s enough to make you think twice about the ‘burdens’ of carrying two devices!
However, this is not to say that employees are entirely disadvantaged. Federal law does afford some protections, including statutes barring unauthorized, intentional access to employee-owned devices. A recent federal case, Lazette v. Kulmatycki, in the Northern District of Ohio upheld the idea that a company’s search of private employee data on a mobile device violated the Stored Communications Act because such a search was ‘unauthorized’ – even though in this case the device was owned by the company. It can be logically surmised that a similar search on an employee-owned device could create a similar outcome if also unauthorized.
Actually, this idea of ‘authorization’ is one of the strongest takeaways from statutes and case law in this area. And by ‘authorization’ I mean the informed consent of an employee for the employer to search all data on the device. It is absolutely essential that a corporation make the notion of informed consent a central part of any BYOD policy. But we may be getting ahead of ourselves, especially considering that according to a recent survey, 60% of corporations using BYOD lack a policy surrounding it.
Another takeaway is that when investigating surrendered devices, organizations should train staff to understand exactly which data to target and how to avoid data that is private and off-limits or just plain unnecessary to the matter. Technology and written process can help to narrow search and collection to specific date ranges, subjects and data types on a phone or tablet – allowing users to avoid those things that are irrelevant and/or in a grey area when it comes to privacy concerns.
Providing an example of what not to do, the investigator/supervisor in the Lazette case accessed over 48,000 of an employee’s personal emails (from an account she thought she had deleted from the device) over an 18-month period as part of his investigation of her surrendered BlackBerry. He then shared details of the personal emails with third parties. This is the type of practice companies want to train investigators to avoid. Unless the employee’s personal email is somehow relevant to the case, it shouldn’t be reviewed and definitely not discussed with parties outside of the litigation.
These two strategies are good for both parties because the statistics show that BYOD is here to stay and only getting bigger. This year, a Gartner survey of CIOs showed that 38 percent of companies expect to stop providing devices to employees altogether by 2016. And another survey shows that a majority of younger workers are willing to actually contravene a corporate anti-BYOD policy in order to use their own devices on the job. Clearly corporations and their employees are rushing headlong into the BYOD future together. The good news is that with a bit of forethought, some education and the right tools, the privacy implications for such a future do not necessarily need to be grim.