Avoiding BYOD Legal Issues – Route1 Inc. September 2013
“Today’s business landscape is facing emerging legal issues stemming from bring your own device (BYOD) initiatives. The shift towards the use of personal computing devices (laptops, tablets, smartphones and now watches) to conduct business in theory is a win-win strategy for both the Enterprise and its employees. Enterprises avoid costs associated with providing devices and employees can work using the personal devices they are already comfortable with. In reality, BYOD poses serious legal problems for the Enterprise.
Protecting Data or Breaking the Law? BYOD is undoubtedly convenient, but it poses grave risks to Enterprise security. Simply put, BYOD devices are not currently used in a secure manner. Although 90% of American workers use their smartphones for work, only 60% use password protection to lock their device.1 Perhaps more alarming, 50% frequently connect their smartphones to unsecured Wi-Fi networks.2 Poor BYOD security habits mean that sensitive Enterprise data is often unsecured and easily accessible to malicious third parties. Of course, Enterprises want to prevent their information from falling into the wrong hands. The question is: do security concerns give businesses the right to protect their data by remotely monitoring and wiping an employee’s personal device?
BYOD means that employees often co-mingle personal and business information on their devices. Generally, device software has few measures to distinguish between sensitive Enterprise data and the owner’s personal information. When an employee’s device is compromised (hacked, stolen, etc.), the Enterprise wipes all data on that device – both business and personal. Enterprises have no other option to protect their sensitive data, but the destruction of employees’ personal property is legally ambiguous. Another common practice is GPS tracking. If an employee’s personal device contains confidential Enterprise information and is lost or stolen, the Enterprise may use the device’s GPS capabilities in an attempt to locate it. Again, this strategy is legally unclear as it raises issues of monitoring employee whereabouts.”