Lost in BYOD's uncharted legal waters

As companies and users engage in shared ownership of devices and data, there's no clear answer on the right legal approach

1 2 3 Page 3
Page 3 of 3

But last year, the Supreme Court upended that assumption in a ruling that said employers had the right to access all communications on corporate-issued devices, regardless of where it was stored. Vogel says that this unanimous ruling essentially sidelined the Stored Communications Act, which had originally been designed to address subpoenas of chat boards and the like, not mixed-use devices such as corporate cellphones.

The court explicitly said that right to access applied to corporate-owned devices. That could suggest the justices intended that employee-owned devices don't fall under companies' information access rights, Vogel says -- or it could simply mean the justices didn't think through their ruling in a BYOD context, which at the time was still emerging, and at some point they'll fix what was an inadvertent limitation.

As a result, strictly speaking, employees have no privacy rights for what's transmitted on company equipment, but employers don't necessarily have access rights to what's transmitted on employees' own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone.

This confusion extends to trade secrets and other confidential data, Vogel notes, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they've left the employer's control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies' trade secrets are no longer secret.

This automatic local storage can also cause issues in e-discovery, both in terms of whether personal devices are subject to such discovery and what happens when normally purged information still exists as a copy on an individual's personal device. An employee could keep local copies in hopes of later blackmailing a company, for example, or more innocently have part of a communications thread that could be seen as damaging only because the rest of the context was purged as part of normal data-cleansing operations.

Until something changes in the law or in future court rulings, owning all the equipment an employee uses does give a business the most control over its data and communication. Of course, that contradicts the trend to let people use their home PCs and personal devices, which many businesses like for the cost savings and lower accounting and asset-management overhead. The real question: What's that control worth to your business?

The bottom line is that the laws and court cases haven't caught up to the intermingled world of consumerization, where information flows through both personal devices and corporate devices, where data travels through a mix of corporate, personal, and third-party networks and services (think "cloud"), and where it is stored in a mix of corporate, personal, and third-party locations (think Gmail, Salesforce.com, Amazon Web Services, iCloud, Office 365, local mail clients, home PCs, and so on).

The good news is that whatever you're doing is probably not wrong, legally speaking. But the bad news is that it may not be right, either.

This article, "Lost in BYOD's uncharted legal waters," was originally published at InfoWorld.com. Read more of Galen Gruman's Smart User blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2012 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3