Lost in BYOD's uncharted legal waters

As companies and users engage in shared ownership of devices and data, there's no clear answer on the right legal approach

The result has been three different approaches to handling ownership, in order of popularity:

  • Shared management. The organization's contractor and employment policies boil down to "if you access business resources from a personal device, you give us the right to manage, lock, and even wipe that device, even if you end up losing personal data and apps as a result." This is often codified with a written agreement that spells out management expectations for both parties.
  • Corporate ownership and provisioning. The organization buys and owns the device, even if it allows nonbusiness use on it. Employees who don't like the phone service on such devices (they may not get free minutes when calling family members and friends) are free to also carry a personal device that has no corporate access.
  • Legal transfer. The organization buys the device from the user. In some cases, that ownership is permanent -- a surefire way to dissuade employees from participating. In other cases, the organization buys the device for a token amount (say, a dollar) and gives the user the right to use it for personal purposes, then commits to selling it back for the same price when the employee leaves the organization. That's more likely to gain user acceptance than a one-way purchase.

I've heard from several organizations recently that took the legal-transfer approach but are now rethinking it and getting more comfortable with shared ownership. The number of companies insisting on corporate ownership is shrinking, except in industries where the devices are custom, such as the signature pads used by UPS and FedEx drivers.

Vogel says that none of these approaches is more right or wrong from a legal point of view -- yet. But if you want to ensure access to all communications and data on the devices (including PCs), you need to own them, for reasons explained later in this post.

If you have European employees, you need to be aware of an additional factor, notes SAP CIO Oliver Bussmann, who supports 12,500 iPads in a mix of corporate- and employee-provisioned devices. That factor is European privacy rights, which let employees opt out unilaterally from their agreement to give employers access to their personal information, even incidentally, in a context such as BYOD. There's no easy way to address this issue; the employees often bring enough benefit to the company with such access that cutting them off would hurt too much.

The uncertain ownership of data
It used to be that in the United States you could reasonably assume that personal information communicated through cellphones and other such devices was considered private to the employee, based on various court cases and a set of laws called the Stored Communications Act. The key to that privacy was that the data was stored by a third party (a telco or Internet service provider), not by the company, which would have access rights to whatever it stored, such as on its email servers. Essentially, the Stored Communications Act extended Fourth Amendment protections of a person and his or her property to that person's electronic data even when stored on "neutral" property (that is, a telco's or ISP's servers).
