In our last post (Here are Five BYOD Principles to Consider from a Highly Respected Source), we discussed five terrific principles for addressing Bring Your Own Device (BYOD) policies and BYOD devices in discovery from The Sedona Conference Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations. The use of BYOD devices for work raises privacy concerns for employees when devices are used for both work and personal needs, but it also raises security concerns for employers seeking to protect sensitive data about their business.
Is Personal Data Protected on BYOD Phones?
In these days of heightened data privacy concerns, is the privacy of personal data protected on BYOD phones? Certainly, as we discussed in the post Mobile Device Forensic Discovery: Here’s a Case That Illustrates the Importance, data from mobile devices is discoverable in litigation (even forensically) if the relevance of the data is significant enough, regardless of privacy concerns.
But what about in general use of BYOD devices? Is the personal data of employees protected there?
We found one case from a few years ago – Rajaee v. Design Tech Homes, Ltd. – where the issue came up. In that case, the plaintiff resigned from his employer and was immediately terminated. A few days later, his former employer conducted a remote wipe of his BYOD device, restoring it to factory settings and deleting all the data on it, personal as well as work-related. He sued, alleging violations of the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA). But the Court dismissed his claims with regard to both alleged violations, stating that the plaintiff’s personal data was not protected under the ECPA and that the plaintiff failed to provide evidence that he sustained $5,000 in cognizable “loss” under the CFAA.
It’s important for employers to recognize that there are limits to employee privacy concerns when it comes to devices used for work purposes.
Two Important Mechanisms for Security of BYOD Devices
The other consideration for employers is the security of sensitive company information on BYOD devices – that data must be protected, and the employer needs to preserve the ability to do so. Here are two mechanisms for protecting sensitive company information on BYOD devices:
Mobile Device Management (“MDM”) and Remote Wipe: 70 million smartphones are lost each year, with only 7 percent recovered. With so many devices lost and stolen each year, it’s likely a matter of when, not if, it will happen to an employee of your company. As in the Rajaee case above, employers need to preserve the ability to remotely wipe a BYOD device, especially if that device is lost or stolen.
Mobile Compromise Assessment: The other security risk, which is even more common, is the potential presence of malware on BYOD devices that are not lost or stolen. As we discussed in the post Attention Android Users! Here are Some of the Latest Malware Attacks You Need to Know, Android devices are particularly vulnerable to cyber attacks: there are many more Android users than iOS users, and Android’s malware problems are more prevalent than those of iOS due to its open platform, making it considerably easier for hackers to target victims. It’s important for an employer to establish the right to assess the mobile devices of its employees to evaluate whether a device has been hacked or whether it is vulnerable to data theft.
We’ve said it before and we’ll say it again! The best way to establish the rights of an employer to protect sensitive company information on BYOD devices is through a comprehensive BYOD policy that establishes those rights, and by requiring employees to agree to the terms of that policy. Not only does a comprehensive BYOD policy agreed to by employees protect employer security, but it also sets expectations with regard to employee privacy, helping to avoid disputes later on. A comprehensive BYOD policy is the best way to balance concerns of employee privacy and employer security!
For more information about Forensic Discovery’s Mobile Compromise Assessment services, click here.