As companies and users engage in shared ownership of devices and data, there's no clear answer on the right legal approach.

The majority of businesses now allow employees to choose — or even bring — their own mobile devices rather than require the use of corporate-issued units. The BYOD phenomenon quickly moved from a “not in my business” option in 2010 to the de facto standard in 2011. BYOD also intermingles personal and professional usage, data, and ownership, creating uncharted territory for businesses and individuals alike as to who has rights over what, as well as what the best legal approaches are to securing their respective interests.

Even in the BYOD world there remains the question of who should legally own the device, in addition to the questions of who owns the data consumed and created on it. The harsh truth is that there are no answers to these questions — the courts haven’t ruled on them, and legislators haven’t written laws to address them. The good news is that we’re in a period of experimentation to see what works best; the bad news is that the resulting uncertainty and inconsistency make “doing the right thing” very difficult.

Until society figures out the rough answers itself, we’re likely to stay in this situation, says Peter Vogel, an attorney at Gardere Wynne Sewell who specializes in and teaches technology- and communications-related law. (I recommend you read his blog on legal issues in IT regularly.) That’s because the courts and the legislatures typically act when there is some consensus, not before. Whether you’re in IT, HR, legal, or a business unit, you’re largely on your own about decisions on ownership of devices, data, and so forth.
But you should be aware of clusters of approaches that could be starting points for what might fit your culture, risk tolerance, trust assessment, and regulatory context.

The possible forms of device ownership

Although the era of the company-owned and company-provisioned mobile device seems to be coming to a close, there’s still an ownership issue — or at least a permissions issue — to be addressed. These issues apply to more than just mobile devices, though it’s a rare company that seems to think them through for employees’ home PCs and the like, which face the same fundamental issues.

Organizations in government, health care, and defense especially face the legal question of who actually needs to own the device, though the concern isn’t exclusive to them. There’s no clear answer to that question as yet, but the underlying issue concerns when ownership is necessary to gain management control. But more conservative organizations often decide they need legal ownership of the device. The result has been three different approaches to handling ownership, in order of popularity:

Shared management. The organization’s contractor and employment policies boil down to “if you access business resources from a personal device, you give us the right to manage, lock, and even wipe that device, even if you end up losing personal data and apps as a result.” This is often codified with a written agreement that spells out management expectations for both parties.

Corporate ownership and provisioning. The organization buys and owns the device, even if it allows nonbusiness use on it. Employees who don’t like the phone service on such devices (they may not get free minutes when calling family members and friends) are free to carry a personal device as well that has no corporate access.

Legal transfer. The organization buys the device from the user. In some cases, that ownership is permanent — a surefire way to dissuade employees from participating.
In other cases, the organization buys the device for a token amount (say, a dollar) and gives the user the right to use it for personal purposes, then commits to selling it back for the same price when the employee leaves the organization. That’s more likely to gain user acceptance than a one-way purchase.

I’ve heard from several organizations recently that took the legal-transfer approach but are now rethinking it and getting more comfortable with shared ownership. The number of companies insisting on corporate ownership is shrinking, except in industries where the devices are custom, such as the signature pads used by UPS and FedEx drivers.

Vogel says that none of these approaches is more right or wrong from a legal point of view — yet. But if you want to ensure access to all communications and data on the devices (including PCs), you need to own them, for reasons explained later in this post.

If you have European employees, you need to be aware of an additional factor, notes SAP CIO Oliver Bussmann, who supports 12,500 iPads in a mix of corporate- and employee-provisioned devices. That factor is European privacy rights, which let employees opt out unilaterally of their agreement to give employers access to their personal information, even incidentally, in a context such as BYOD. There’s no easy way to address this issue; the employees often bring enough benefit to the company with such access that cutting them off would hurt too much.

The uncertain ownership of data

It used to be that in the United States you could reasonably assume that personal information communicated through cellphones and other such devices was considered private to the employee, based on various court cases and a set of laws called the Stored Communications Act. The key to that privacy was that the data was stored by a third party (a telco or Internet service provider), not by the company, which would have access rights to whatever it stored, such as on its email servers.
Essentially, the Stored Communications Act extended Fourth Amendment protections of a person and his or her property to that person’s electronic data even when stored on “neutral” property (that is, a telco’s or ISP’s servers).

But last year, the Supreme Court upended that assumption in a ruling that said employers had the right to access all communications on corporate-issued devices, regardless of where they were stored. Vogel says that this unanimous ruling essentially sidelined the Stored Communications Act, which had originally been designed to address subpoenas of chat boards and the like, not mixed-use devices such as corporate cellphones. The court explicitly said that right to access applied to corporate-owned devices. That could suggest the justices intended that employee-owned devices don’t fall under companies’ information access rights, Vogel says — or it could simply mean the justices didn’t think through their ruling in a BYOD context, which at the time was still emerging, and at some point they’ll fix what was an inadvertent limitation.

As a result, strictly speaking, employees have no privacy rights for what’s transmitted on company equipment, but employers don’t necessarily have access rights to what’s transmitted on employees’ own devices, such as smartphones, tablets, and home PCs. Also unclear are the rights for information that moves between personal and corporate devices, such as between one employee who uses her own Android and an employee who uses the corporate-issued iPhone.

This confusion extends to trade secrets and other confidential data, Vogel notes, as well as to e-discovery. When employees store company data on their personal devices, that could invalidate the trade secrets, as they’ve left the employer’s control. Given that email clients such as Outlook and Apple Mail store local copies (again, on smartphones, tablets, and home PCs) of server-based email, theoretically many companies’ trade secrets are no longer secret.
This automatic local storage can also cause issues in e-discovery, both in terms of whether personal devices are subject to such discovery and what happens when normally purged information still exists as a copy on an individual’s personal device. An employee could keep local copies in hopes of later blackmailing a company, for example, or more innocently have part of a communications thread that could be seen as damaging only because the rest of the context was purged as part of normal data-cleansing operations.

Until something changes in the law or in future court rulings, owning all the equipment an employee uses does give a business the most control over its data and communication. Of course, that contradicts the trend to let people use their home PCs and personal devices, which many businesses like for the cost savings and lower accounting and asset-management overhead. The real question: What’s that control worth to your business?

The bottom line is that the laws and court cases haven’t caught up to the intermingled world of consumerization, where information flows through both personal devices and corporate devices, where data travels through a mix of corporate, personal, and third-party networks and services (think “cloud”), and where it is stored in a mix of corporate, personal, and third-party locations (think Gmail, Salesforce.com, Amazon Web Services, iCloud, Office 365, local mail clients, home PCs, and so on). The good news is that whatever you’re doing is probably not wrong, legally speaking. But the bad news is that it may not be right, either.

This article, “Lost in BYOD’s uncharted legal waters,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Smart User blog at InfoWorld.com.