I recently spoke about BYoD (bring your own device) and the numerous issues surrounding it at an ACCA networking event. One of the areas covered was the potential legal issues surrounding the subject.

I’ll start by stating, for the record, that I am not a lawyer, nor do I possess any form of legal training!

That said, the issues are not difficult to work out and there are plenty of sources of information on the subject.

The issue of privacy

Privacy has to be one of the main issues in relation to BYoD, but when I say privacy we have to think of it from two perspectives. First, the perspective of the employer, who wishes to keep its data private, and then the perspective of the employee, who also wants to keep their personal data private. Surely these are aligned goals that should allow both parties to achieve what they want with little or no impact on the other?

Unfortunately not, because these requirements do in fact conflict.

The employee wants privacy in general, including from their employer. This unfortunately creates a bit of an issue in relation to how the employer can go about protecting its privacy. For the employer to protect its privacy it needs to know what’s happening on the device that holds its data and that, more often than not, exposes the employee’s sensitive data to the employer. 

This exposure opens up the employer to potential legal issues in relation to how it acts upon the data it observes. For instance, what if the employee was conducting illegal or illicit activities from the device and the employer noticed? If it acts upon that information it could be in breach of privacy law and/or employment law. So let's assume instead that the employer has no visibility of the device and the employee can do whatever they desire with the data. Clearly that's just not an option, but unfortunately it's not far from the truth for many organisations that have BYoD deployed ad hoc with no formal approach or strategy.

Typical scenario

Privacy is the tip of the iceberg though, and some interesting scenarios exist that are set to test the current legal landscape. Let's take a look at a typical scenario for BYoD use.

Joe works for Global Corp and has opted into their shiny new BYoD programme as he does not want a personal and business phone in his pocket. Joe has signed a policy stating that any company data on his device may be deleted in the event of a security issue.

To be fair to Joe, although he was a little concerned that he did not truly understand the company's ability to differentiate between his data and theirs, he assumed that IT knew what they were doing.

As well as his smartphone, Joe decided to add his tablet to the equation, as that tends to be the device most used at home and saves having to get the work laptop out and booted up just to look at a spreadsheet. Joe's wife Jessica also uses Joe's tablet when Joe is not at home, to write her life's work, a romantic novel, and to generally surf the net.

There are any number of issues to consider in the above scenario, but let's focus on the one of legend: Global Corp, for whatever reason, initiates a remote device wipe of all of Joe's devices that it sees connected to its systems.

Joe is the sole user of his smartphone and signed a policy stating that this was a possible outcome, but, to be fair to him, he thought that his holiday snaps were out of scope, so he was a little upset when the device was essentially factory reset!

The tablet, however, creates an interesting issue. It was not just Joe’s. It was also Jessica’s and more importantly it contained the only copy of her life’s work!

So the question is, given that Jessica did not sign up to a remote data wipe, can she sue Global Corp for damages? As I mentioned before, I'm not a lawyer so I don't know whether she could or could not, but the scenario serves the purpose of outlining the intricacies of BYoD use and how the end user you think is signing up to your policy may not be the only user of the device who should be signed up.

A number of other questions exist in this scenario, such as: did Joe have the right to add the tablet? Did Global Corp adequately protect themselves in the policy? Did IT have the right tools to properly enforce and control the technology? Had all parties received sufficient training, awareness and guidance on what was acceptable, expected and impactful in the use of the programme?

The cloud

Another common situation to be mindful of is the cloud. If an employee has an iPhone and joins your BYoD programme, what happens when they plug their iPhone back into their home computer? Typically, iTunes will complete a full backup of the device. Unless you are doing BYoD properly, you have just allowed the corporate data on that device to be copied to a personal computer and, worse, it is likely that it was also copied to iCloud at the same time.

So is that data in the EU or is it in China? Do you know? What if that employee had been emailed a list of customer names and addresses? Clearly this situation is going to create some serious data protection headaches with the Information Commissioner! 

In the end, aside from the right technology solutions to minimise the issues and put adequate controls in place, the only thing that is going to protect all parties involved in BYoD is a good, well-written, reasoned policy – backed up by a solid educational programme that clearly articulates the intricacies at play to all parties.

Of course, once you have invested in and written your policy, everything will be just fine, right? 

Pace of change

Not exactly! The biggest observation I made while looking into the legal issues with BYoD was the pace of change. Advice on what is and is not a good approach is moving and changing rapidly. As an example, a couple of years ago the advice was to make your policies loose and broad, but these have been tested legally and have not fared well, so now the opposite is true: the advice is to make them highly specific and very tight.

Precedent being set

As fast as the advice changes, precedent is being set. A recent ruling in the California Court of Appeal has created an interesting new issue. Specifically, the Court of Appeal in Cochran v. Schwan's Home Service stated:

‘We hold that when employees must use their personal cellphones for work-related calls, Labor Code section 2802 requires the employer to reimburse them. Whether the employees have cellphone plans with unlimited minutes or limited minutes, the reimbursement owed is a reasonable percentage of their cellphone bills.’

The interesting feature of this ruling is that if an employee uses their personal device you are legally required to reimburse them, which in the context of a cellphone and a phone call is fairly obvious, but what about data usage?

How do you know what you are paying for? How do you differentiate between an employee who is highly productive and running up genuinely large data bills versus one who is using their data to watch Netflix? Do you have the right technology in play to know the difference? How do you know that the usage is just the employee's and not the whole family's?

This is just one example of how precedent could require you to rewrite your policies and deploy new technology to prevent a significant financial impact to the organisation, and I am sure there will be others.

The legal aspects of the BYoD conversation are complicated, with limited precedent, so make sure you get proper advice and remember: just letting the C-suite have their email on their iPhones sounds simple, but it could have some seriously far-reaching consequences.

Jay Abbott – managing director, Advanced Security Consulting Limited

Sources

  • CESG / CPNI: BYOD Guidance: Executive Summary
  • Network World: Technology, the law, and you: BYOD
  • CIO: How BYOD Puts Everyone at Risk
  • CIO: Court Ruling Could Bring Down BYOD
  • ICO: BYOD Guidance