Lost in BYOD's uncharted legal waters

As companies and users engage in shared ownership of devices and data, there's no clear answer on the right legal approach

The majority of businesses now allow employees to choose -- or even bring -- their own mobile devices rather than require the use of corporate-issued units. The BYOD phenomenon quickly moved from a "not in my business" option in 2010 to the de facto standard in 2011. BYOD also intermingles personal and professional usage, data, and ownership, creating uncharted territory for businesses and individuals alike as to who has rights over what and which legal approaches best secure their respective interests.

Even in the BYOD world there remains the question of who should legally own the device, in addition to the questions of who owns the data consumed and created on it. The harsh truth is that there are no answers to these questions -- the courts haven't ruled on them, and legislators haven't written laws to address them. The good news is that we're in a period of experimentation to see what works best; the bad news is that the resulting uncertainty and inconsistency make "doing the right thing" very difficult.

Until society figures out the rough answers itself, we're likely to stay in this situation, says Peter Vogel, an attorney at Gardere Wynne Sewell who specializes in and teaches technology- and communications-related law. (I recommend you read his blog on legal issues in IT regularly.) That's because the courts and the legislatures typically act when there is some consensus, not before.

Whether you're in IT, HR, legal, or a business unit, you're largely on your own about decisions on ownership of devices, data, and so forth. But you should be aware of clusters of approaches that could be starting points for what might fit your culture, risk tolerance, trust assessment, and regulatory context.

The possible forms of device ownership
Although the era of the company-owned and company-provisioned mobile device seems to be coming to a close, there's still an ownership issue -- or at least a permissions issue -- to be addressed. These issues apply to more than just mobile devices, though it's a rare company that seems to think them through for employees' home PCs and the like, which face the same fundamental issues.

Organizations in government, health care, and defense especially face the legal question of who actually needs to own the device, though the concern isn't exclusive to them. There's no clear answer to that question as yet, but the underlying issue concerns when ownership is necessary to gain management control. More conservative organizations, however, often decide they need legal ownership of the device.
