Consumerization 101 – Employee Privacy Vs. Corporate Liability


Three pitfalls your BYOD program can’t afford to ignore.


Mary D. joined MD&M Inc. in 2009. Being an Apple enthusiast, she was quite excited to learn that the company offered an innovative BYOD program that allows employees to use their own iPhone for work. As part of the new hire package, Mary signed the acceptable use policy and was granted access to corporate email on the go.

Mary started having performance problems in her second year, and her manager put her on notice. After six months, Mary was terminated. When her manager clicked the ‘terminate’ button within the company’s HR system, a series of automated tasks were initiated, including the remote wipe of all information on Mary’s iPhone.

As it turned out, Mary had been performing poorly because her son John was dying of cancer. Just a few weeks before Mary was terminated, her husband took a picture of her and his son using Mary’s iPhone. It was the last photo Mary had of her son, and MD&M Inc. unknowingly destroyed it. Mary sued the company for damages.

Just how much is the last photo of a mother and son worth? Attorneys and expert witnesses sought to answer that question. They arrived at $5 million.


While Mary’s story is a fictitious case* debated last year by the International Legal Technology Association (ILTA), it’s just a matter of time before stories like this become mainstream reality. A recent survey by Trend Micro** clearly shows that a majority of companies are already allowing employees to use their personal devices for work-related activities: 75% of organizations in the U.S. offer BYOD programs.

Besides preserving data security and managing a myriad of personal devices, companies must also consider a new set of legal and ethical issues that may arise when employees are using their own devices for work. Here are just three pitfalls to consider:

Pitfall #1: Remote deletion of personal data: Under what circumstances (if any) should the company have a right to remove non-work-related content from an employee-owned device?

Pitfall #2: Tracking individual location: What corporate applications might ‘track’ the location of an employee-owned device? Is the employee aware that this is possible?

Pitfall #3: Monitoring Internet access: Should accessing questionable websites be restricted when an employee is also using a personal device for work?

COMING NEXT: How to Avoid These Pitfalls.

Reference *: http://www.integricell.com/wordpress/?p=61
Reference **: https://bringyourownit.com/2011/09/26/trend-micro-consumerization-report-2011/

About Cesare Garlati
Chief Security Strategist, prpl Foundation; Co-Chair, Mobile Group, Cloud Security Alliance

One Response to Consumerization 101 – Employee Privacy Vs. Corporate Liability

  1. It’s a great, thought-provoking post. Here’s my take on it, for what it’s worth. Also thanks to my friend Mark Townsend for pointing me to the blog. Lots of great stuff.

    We tell people if they want to use their personal device to get their corporate email, that they need to be aware that we have the right to wipe. If you don’t like it, we will get you a corporate device… but… not sure that this will protect us since in this case, she had signed an AUP, which I assume had the same sort of language in it that we use in ours. Which basically says, if you connect it to us you give us the right to wipe all data off of it.

    Now I feel bad about it, but if she had lost the photo because she dropped the iPhone would she have sued Apple? Would the building owner be responsible for having too hard of a floor? Would the flooring people be responsible? At some point people need to be responsible for backing up data that they want to keep. I mean she had the picture for a few weeks…

    Regarding tracking location. If you don’t want the company to do that, don’t use it to connect to corporate, turn it off, or leave it on your desk. After all we aren’t tracking the user, we are tracking a device that is accessing corporate resources. Is that much different than tracking IPs on a website? Other than the granularity I would say no…

    As far as accessing questionable websites while at work. I would say if it was done using the corporate LAN (or WLAN) the company has the right to monitor. If on your personal cell phone plan then no. My network, my rules. IMHO.

    The trickier piece is if we let you bring your device to work and it already has questionable, or even illegal, content on it (piracy, inappropriate, etc.), is the company liable? Do we have the right or obligation to report it if we see it? We had a case many years ago where a field guy sent his laptop in for repair and it had illegal files on it. Our policy was not to look, but if we saw something illegal to report it. Clear enough if it is a company-owned machine, but if it’s not, what should we do? I mean if someone has a bag of pot in their car in our parking lot are we liable?

    Tricky issues, and while I think my answers make sense, that doesn’t mean the law will agree. I would not want to be the test case.
