ILNews

Companies need to draft 'bring your own device' policies


The technology of smartphones and tablets allows professionals to essentially carry a computer wherever they go and, better still for companies, many employees are happy to buy their own mobile device and use it for work.

But while the convenience of handheld, portable computers enables employees to peruse email, communicate with clients and review documents without being tied to the office, the “bring your own device,” or BYOD, trend is creating tensions between how much access an employer can have to the worker-owned device and how much privacy an employee can expect.

Companies are concerned about security, keeping confidential data from falling into a competitor’s hands, and preventing financial account numbers from becoming known to hackers.

Employees want to keep prying eyes, including those of their employers, from looking at the photos of their children, text messages from friends and emails from family stored on their mobile devices.


Drawing a bright line between access and privacy is not possible, attorneys say. Still, rules and policies must be formulated to provide some guidance so businesses and workers will have some idea of what will happen when a company’s security is breached.

Attorneys, however, disagree about where that guidance should come from. The role that market forces, courts and statehouses should play sparks debate because of the complex nature of the BYOD questions and the pace at which technology changes.

Setting company policy

Nathan Baker compared smartphones to sunglasses – they are always being left behind.

The Barnes & Thornburg LLP partner said companies must be prepared for employees’ mobile devices to get lost or stolen. Protection measures like encryption and firewalls that are common on desktop and laptop computers are not easily applicable to smartphones and tablets. So whenever an employee leaves the office with the mobile device, company data will be walking around in public with little security.

Companies can mitigate the damage by having BYOD policies which lay out the expectations and requirements. But a policy alone is not enough, Baker said. Companies also need to train their workers on what the policies say and institute methods for ensuring the employees are complying with the rules.

Baker highlighted the hypothetical situation of an employee’s mobile device being stolen and the company wanting to remotely erase the data. Employees will be less likely to object to having their phones wiped – which will also obliterate their personal information – if they know long before their items are lost what the process will be.

A second reason for training and compliance is litigation, Baker said. If a company becomes the subject of a lawsuit, work-related items on employee-owned devices will have to be preserved for discovery purposes.

Failure to do so can bring stiff spoliation sanctions. One example of this came in January 2014 when the U.S. District Court for the Southern District of Illinois slapped pharmaceutical manufacturer Boehringer Ingelheim with a $900,000-plus fine, in part, because the company did not tell its employees to save work-related text messages on their personal phones.

Courts and legislatures


Ann Grayson, partner at Barnes & Thornburg, pointed to the Boehringer Ingelheim sanction as an example of the courts providing guidance.

The bench, she said, will face more cases involving employee-owned mobile devices and as it issues more rulings, direction will emerge on how companies and workers can navigate the tension between privacy and access. The court decisions will give an idea of where the judiciary is headed on this matter and help inform business about how to craft policies.

Attorney Cameron Shilling, director and chair of the privacy and data security group at McLane Graf Raulerson & Middleton in New Hampshire, believes the job of defining what belongs to a company and what belongs to an employee in a BYOD world will need to be handled legislatively.

The courts, he said, do not understand the concept of company data on employee hardware. Moreover, disputes arising from BYOD do not always provide a legal issue that can be addressed by the judicial system, and any remedy that comes from the courts usually does not arrive fast enough given the speed at which BYOD matters can move.

He is helping to draft legislation to be introduced into the New Hampshire Legislature this fall. Shilling believes the measure, which will define personal data versus company data and personal device versus company device, will be the first of its kind in the nation.

An employer has a right to retrieve company data from an employee-owned mobile device, Shilling said, but the employer has no right to invade the privacy of the employee.

Businesses want tough regulation to force workers to give back company data, he said. But, he continued, any legislation should extend employee privacy to company hardware. The current thinking holds that if an employee uses a company computer for personal business, the employer has a right to look at the data and the employee has no privacy.

“I disagree,” Shilling said. “I think to be fair we have to recognize a rule that says an employer shouldn’t unnecessarily invade personal data of an employee on a company device.”

Baker was hesitant about a solution coming from a statehouse.

“I’m always concerned when the legislature steps in particularly on issues like this that are still so new,” he said, explaining legislation typically prevents or prohibits things, and it’s too early to tell where this issue and technology are headed.

The market, he said, may be able to provide the answers. He noted the practice of some employers asking for passwords to job candidates’ Facebook pages. State legislatures enacted laws restricting that practice but, Baker said, the problem largely solved itself when the public’s adverse reaction to the practice made employers quit.

Attorney Ken Mortensen, managing director of the risk assurance practice at PwC U.S., said the judicial branch and the legislative branch can address the problems of BYOD.

Mortensen served as a panelist on one of two seminars examining BYOD issues during the August American Bar Association annual meeting. He joined the discussion on the collision between personal privacy and corporate security.

Shilling participated in the second seminar during the ABA meeting, which also examined privacy and data security concerns.

The courts will have to consider the issue and the legislatures will have to pass laws to address the concerns over the conflict between privacy and protection, Mortensen said. Legislatures are not better than the courts, he said, but the legislative branch can address the matter more comprehensively while a court’s ruling will be based on the facts of a particular case.

Both Baker and Grayson noted a key hurdle to finding a solution to BYOD issues. The variability of the situations coupled with the constant updates to mobile devices makes blanket remedies difficult to formulate.

“Because of the ever-changing technology with smartphones and mobile devices, the challenge is about the time you set a rule, a new problem crops up,” Grayson said.
