
Security policies must address legal implications of BYOD

BYOD is controversial, particularly when it comes to security and privacy. Michael P. Kassner learns from an expert there is a legal can of worms as well.

The legal principle "ignorance of the law excuses no one" effectively eliminates "I didn't know" as a defense. In that case, I might as well plead guilty to having some major "I didn't know" going on regarding the very real legal pitfalls embedded in BYOD (Bring Your Own Device).

To get "un-ignorant," I asked David Navetta, attorney and founding partner of the Information Law Group, for his advice. David is particularly well suited, having done considerable research into the security, privacy, and legal implications of BYOD (Part One, Part Two).

"Own device" is exactly what?

One of the first questions Dave fielded from me was: what qualifies as a personal device? Apparently, BYOD being a relatively new phenomenon, there is little case law to go by, so no "official" definition has surfaced.

Still, Dave took a stab at it, "First and foremost, the devices in question are not owned by the company." Trying to narrow it down a bit, I asked, "What if rather than run back to my desk, I used my personal cell phone to call an associate?" Dave said, "If the call was work-related, your phone then qualifies because it was used to do company work."

Why are IT-types averse to BYOD?

If you spend any time at all reading legal papers about BYOD, you will undoubtedly come across the term "legally-defensible security" or its mate "reasonable security." Being able to maintain this level of security has IT-types, responsible for maintaining their company's systems and networks, worried -- big time. Dave explains:

The era of legal defensibility is upon us. The legal risk associated with information security is significant, and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world.

As it stands now, IT security managers have "almost" dictatorial authority over company-owned devices. For example, security managers typically:

  • Determine what type of devices can be used, and how they are configured.
  • Install security-related software and software patches on the device.
  • Encrypt company data on the device.
  • Monitor the device to detect misuse or malware.
  • Dictate how the device connects to the company's network.

Introducing BYOD changes that authoritarian landscape; imagine telling C-level executives they can't use their personal smartphones at work. If you get past that, try getting the executives to agree to the above modifications, particularly monitoring their personal devices.

Time for an example

It gets even more complicated. To show the complexity, let's look at an example. It's one I made up; still, it's not that far-fetched.

Mike works for XYZ Company as a sales engineer. XYZ allows Mike to use his personal iPhone for work. The company is on top of things, having a security policy in place, signed by each employee and stored in that employee's HR file.

Mike is sent to a trade show. Walking past a competitor's booth, he spots what appears to be a piece of equipment remarkably similar to the one XYZ is getting a patent on. Mike then moves on to the next booth and takes a picture of something he finds interesting.

Unnoticed by Mike, one of the competitor's sales people, also at the show, recognizes him and sees him taking a picture. The sales person is sure Mike took a picture of their prototype.

Fast forward a few months. Mike, having just returned from the Far East and attacking a huge mound of paperwork, sees his boss motioning for him to come into her office. "I'm sorry, Mike, I need your iPhone," she says. Mike, more surprised than anything, can only muster, "Why's that?" "We are being sued by our competitor for stealing trade secrets, and your iPhone is on the plaintiff's list of items requested for e-Discovery."

What are we talking about?

Using the example, let's look at what could be facing Mike and the company he works for. Mike has two choices -- turn the phone over or not. There are implications with each choice, and we need to look at each closely.

Scenario One: Mike turns the phone over, wondering when he will get it back. That is a complete unknown. Next, Dave points out in his paper what e-Discovery will mean to Mike:

If an image of a device's hard drive is needed for an investigation of a security breach or for e-Discovery purposes, the captured data is likely to include private/personal information of the employee.

Scenario Two: Mike doesn't turn the phone over; he is worried about his personal information stored on the iPhone. Two things then come into play, if I understand correctly: Mike may become personally involved in the litigation, and Mike's company will face additional scrutiny for not complying with its own security policy, which requires turning over evidence for e-Discovery.

The Catch 22

Now it's time to get to the "I didn't know" stuff. First, the security policy referred to in the example. Like XYZ Company, most real-life companies feel their existing security policy will cover BYOD as is. Dave disagrees with that assumption:

If not adjusted, the company could be setting the same standard for personal devices as company-owned devices, and that standard may not be achievable (individuals do not, and often cannot, secure their mobile devices the same way a company can).

I asked Dave if creating a specific policy for BYOD would work:

[D]rafting different policies for personal devices would result in two different standards, which could pose liability risk to the extent the standards related to personal devices are less rigorous.

Now to why this is important for you decision-makers, and for how you handle BYOD. Dave spent several minutes explaining the "behind the scenes" effort that would have occurred if the Mike and XYZ Company example had been real.

"Did not know" alert.

Dave told me in litigation like this, the first thing the plaintiff will request is all documentation related to the company's digital security policy. Dave explains why:

From a legal point of view, the written security program may also be used to set an organization's minimum legal standard of care. The failure of an organization to comply with its own security program is a key factor that can (and will) be used by plaintiffs, counsel, or regulators to argue for liability after a security breach.

Next "did not know" alert.

Dave also pointed out there is a nebulous area in my example of Mike and XYZ Company. Mike has certain rights under privacy laws, and there is not enough case law right now to know how they fit in with a company or plaintiff doing e-Discovery on personal devices -- another headache for the decision-makers.

No idea

I asked several friends and colleagues, who are using personal devices for work, if they had any idea what it would mean to them personally if the company they work for became involved in any kind of litigation, especially if they themselves may be involved.

Like me, no one in the group had any idea of the extent to which they could be involved. Particularly bothersome to them was the fact that e-Discovery is not required to differentiate between personal and company data. Here's something else I asked: "What if the company security policy requires all devices associated with a departing employee to be digitally wiped clean?"

Two opinions

I am glad to see that legal experts are finally voicing their opinions. Sean Doherty, TechRepublic contributor, penned this article about why BYOD is not a good idea for executives. Along those lines, I asked Dave how he would handle BYOD. He did not hesitate, firmly stating he would allow BYOD if:

  • Company information residing on personal devices is limited.
  • User access via the personal device is controlled.
  • Security policies, treating company and personal devices equally, are in place.
  • Users understand there is no expectation of privacy for data on the device.
  • The ability to digitally wipe is installed on personal devices.
  • A waiver is signed agreeing to all the above conditions.

Final thoughts

Dave is circumspect about BYOD; he feels it is inevitable, "The genie is out of the bottle." Dave believes as I do: neither companies nor individuals will think about the legal implications of BYOD, much less do something about them, until the proverbial "Sh** hits the fan."

Something else to think about is that more than once I have read (CIO, second page) experts, attorneys and consultants alike, suggest employees -- considering BYOD -- "lawyer up" before signing anything.

I'd like to thank Dave for taking the time this past Friday to help me, a complete rookie, through the legal morass of BYOD.


17 comments
Jay_H

Actually as a user I keep my devices separate (even though we are allowed reasonable personal use on company smartphones and they do support some BYOD). I really want no company access to my device and at the same time I don't want to risk any company or legal issues with company business by having a compromised device. So I am more than happy to carry a company smartphone (and laptop on occasion) which is fully under control of the company, and my own devices which are fully under the control of me.

Pete6677

Make sure your CEO and chief legal counsel sign off on your BYOD policy, after you brief them on all relevant issues. After that, the legal risk is their problem.

topshelftech

The example given is not as contentious as one would think simply because: The item in question was at a tradeSHOW - - it was out on the open floor for all to see. If the plaintiff was so concerned about 'security' the device would not have been UN-SECURED!!! This is the same issue of 'no expectation of privacy when you are out in PUBLIC'. Any lawyer should be able to mount a credible defence on just the above observations alone - except for those who want to milk their clients ;). So please give us a better example of BYOD vs SECURITY.

RNR1995

Companies never think of the legal implications of anything until the s*** flies

HAL 9000

Only thing I have to say is that Courts overrule Privacy Laws if they even exist, so if any Discovery Motion is allowed I personally would not expect that there would be any Privacy Involved. Though I must admit that very much depends on where it is you live and the Local Laws. If it is any help here, the Legal People Do Not use their own devices for any work related item and actually don't have them turned on while in the Office. Granted I don't do much legal work nowadays and only at the higher end of Barristers, Queen's Counsel and the occasional Judge who are more than slightly Paranoid, so maybe they are not representative of the entire profession. Also, while Ignorance of the Law isn't a defense, the ability to Prove Intent is, so it's possible to argue that Ignorance of the Law is your Defense, as if you didn't know that what you had done was not legal you obviously didn't have any Intent to Break the Law. ;) Col

Michael Kassner

For both the individual and company. Learn what you could be dealing with before you decide whether to use your personal devices at work or not.

Michael Kassner

That is where the problem with BYOD is really apparent. CEOs, themselves, have to be extra careful if they use BYOD, as they are more likely to be involved in any litigation.

Michael Kassner

It was my goal to show what could happen after the suit started. And anyone can sue in civil court, your argument of being in public does not matter. Besides there could have been other circumstances, and Mike was swept into it.

Michael Kassner

I am not seeing too much concern on users part either. Now, I am trying to figure out what that means.

Michael Kassner

I like your comments. This is an area where I did a lot of research to make sure I had it as close to right as I could get. I'm still thinking it is so nebulous that each case seems like it will be different.

w-techrepublic

What if Mike's company did not have a BYOD policy, and it was his personal iPhone with no business use? How about if there was no BYOD policy but his boss/coworkers called him on it for work because he did not have a company device?

HAL 9000

There is room for lots of argument and Open Ended Fishing Trips when it comes to Discovery. However, if the case you mentioned was the one in question, I would imagine that the Courts would Rule that all the Photos on the iPhone were Legitimate Discovery Items but nothing else. The company involved would argue that there was Commercial in Confidence Material involved, and as the case involves the possible theft of IP by Photo, only the Photos on the Phone would be required or could be considered as Legitimate Discovery Items. Of course the person arguing the case for the company bringing the case would argue that not only did J Citizen photograph the item but they E Mailed that Photograph, so it could also cover all Sent E Mails on the date in question and any later dates. As obviously any email sent prior to the date in question couldn't have any connection to the case, the complainants should have their Discovery Limited to only data that is possibly related to the case. Though it all depends on the quality of the Legal People arguing the case on both sides, as it is possible that a Junior could be sent by one side who doesn't have the same level of understanding/legal arguing as the opposing counsel. It is also possible that the Judge will not understand what it is that they are being asked to rule on and offer a Blanket Ruling for everything. But even if that was to happen, if any Personal Data not related to the case was to be used against the person who owned the iPhone, in this case those using it and those who leaked it would be in Contempt of Court, and for Legal People that is a very bad position to be in. ;) Col

Michael Kassner

Depending on whether it's a legal or civil suit, and then it gets more nebulous if it's discovered by the IT department. If they did not follow protocol, the evidence may have to be thrown out. Please remember this is as I understand it, the whole thing is a major "can of worms" and why I wanted to get this out to you members -- lots to think about.

Michael Kassner

If it's civil that means a whole different thing than legal. Then there's the warrant thing going on too.

TRgscratch

Including non-work-related illegal material (e.g., child porn)?

HAL 9000

And I'm certainly no expert in things like this, but generally speaking if the new find is in relation to the current case it gets added. If it relates to the company instigating the current case it could be used to start another case. Though with the last, depending on the wording of the Discovery Motion, they may only be allowed to look for specific items and should reapply if other information about a different case is found. Col

Michael Kassner

I didn't get a chance to ask Dave. Maybe you would know, what happens if they find other illegal stuff during e-Discovery?