BYOD: Time to Adjust Your Privacy Expectations
Some employees thought they were pretty sneaky downloading confidential data from corporate computers to thumb drives days before they turned in their resignations and bolted to a competitor.
More often than not, they didn't get away with it. Armed with forensic computer analysis--namely, the USB port registry--managers confronted these employees during the exit interview.
What gives managers the right to pursue legal action or at least ask for those incriminating thumb drives back? The answer: a smorgasbord of protective policies with employees' signatures on them, including the confidentiality non-disclosure policy, the ethics policy, the conflict of interest policy, and the authorized use of computers policy.
"The BYOD fact pattern isn't that dramatically different, and policies can be written to provide that type of protection for the employer," says Brent Cossrow, partner at Fisher and Phillips, a law firm specializing in labor and employment law.
He adds: "Given the business interest that could be in jeopardy, there are employers who would take a look at how their computers were used in a certain time period. If a BYOD policy was written in a certain way, it could provide support for that examination."
Cossrow's practice area is employee defection and trade secrets, and so he helps companies navigate the murky legal waters that BYOD, or bring-your-own-device, stirs up. An employee-owned BYOD smartphone or tablet blurs the line between personal and work use. Compared to the thumb drive, a BYOD device can easily store trade secrets, either locally on the device or via a cloud storage service.
At the center of the legal debate is an employee's expectation of privacy. Cossrow says the smartest companies will craft a detailed, customized BYOD policy that works in harmony with existing protection policies. Among the more restrictive regimes, employees would have to sign away their expectation of privacy with a BYOD smartphone or tablet that's being used in conjunction with corporate computers.
Without an expectation of privacy, employees should assume they have no privacy on their personally owned BYODs.
For employees, it may get even worse. "I think we're going to see case law evolve over time with companies wanting to do more ambitious and extensive searches of personal data on those devices," Cossrow says.
A Legal Precedent?
On the upside, BYOD employees have at least one legal precedent in their workplace privacy corner, Stengart v. Loving Care Agency.
In December 2007, Marina Stengart resigned from Loving Care Agency in New Jersey and sued for gender discrimination. Just before resigning, Stengart communicated with her attorney via a personal, password-protected Yahoo email account on a company computer.
This use case blends personal and work actions on a single device, a precursor to BYOD.
Loving Care Agency hired a computer forensics expert who burned a forensic image of the computer, which uncovered HTML screen shots of the personal emails. A trial judge ruled that the emails were not protected by attorney-client privilege because a policy stated that emails were company property.
Stengart and her attorney took the matter to the New Jersey Superior Court, and the appellate judge reversed the decision. The judge held that those personal communications were protected. A big win for employee privacy, right?
Many factors played into the reversal, such as Stengart's level of sophistication with computers. While the employee handbook might state that an employee waives the expectation of privacy, this doesn't mean that the employee knows how HTML files are created and whether or not a password will protect access to those files.
The Stengart v. Loving Care Agency case, though, has a big flaw for BYOD employees: The reversal toward employee privacy rights was anchored in the attorney-client privilege.
"It's not likely that the same quality of protection would be available for non-privilege communication under those facts," Cossrow says. "How broadly will Stengart be used? We're going to see different types of [BYOD] policies, and they're going to be tested in court over time."
The BYOD Policy
BYOD policies are subject to state and federal laws, which can vary depending on the type of industry a company serves.
As stated earlier, a BYOD policy should work in harmony with existing protection policies. BYOD policies can be written to provide some protection against certain risks, and some policies allow companies to inspect the BYOD device in an exit interview.
BYOD employees had better know what they're signing, which often entails giving up their expectations of privacy.
"The art to this BYOD employment practice is defining the ground rules on which these devices can be used," Cossrow says.
"If the employer is saying that you do not have an expectation of privacy with a personal device that you use in conjunction with corporate systems, this lets the employee know the device could be subject to a search or a review."
Tom Kaneshige covers Apple and Consumerization of IT for CIO.com.