Security policies must address legal implications of BYOD

BYOD is controversial, particularly when it comes to security and privacy. Michael P. Kassner learns from an expert there is a legal can of worms as well.

The legal principle "ignorance of the law excuses no one" effectively eliminates "I didn't know" as a defense. In that case, I might as well plead guilty to some major "I didn't know" regarding the very real legal pitfalls embedded in BYOD (Bring Your Own Device).

To get "un-ignorant," I asked David Navetta, attorney and founding partner of the Information Law Group, for his advice. David is particularly well suited, having done considerable research into the security, privacy, and legal implications of BYOD (Part One, Part Two).

"Own device" is exactly what?

One of the first questions Dave fielded from me was: what qualifies as a personal device? Apparently, BYOD being a relatively new phenomenon, there is little case law to go by, so no "official" definition has surfaced.

Still, Dave took a stab at it, "First and foremost, the devices in question are not owned by the company." Trying to narrow it down a bit, I asked, "What if rather than run back to my desk, I used my personal cell phone to call an associate?" Dave said, "If the call was work-related, your phone then qualifies because it was used to do company work."

Why are IT-types averse to BYOD?

If you spend any time at all reading legal papers about BYOD, you will undoubtedly come across the term "legally-defensible security" or its mate "reasonable security." And being able to maintain this level of security has IT-types, responsible for maintaining their company's systems and networks, worried — big time. Dave explains:

The era of legal defensibility is upon us. The legal risk associated with information security is significant, and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world.

As it stands now, IT security managers have "almost" dictatorial authority over company-owned devices. For example, security managers typically:

  • Determine what type of devices can be used, and how they are configured.
  • Install security-related software and software patches on the device.
  • Encrypt company data on the device.
  • Monitor the device to detect misuse or malware.
  • Dictate how the device connects to the company's network.

Introducing BYOD changes that authoritarian landscape; imagine telling C-level executives they can't use their personal smartphones at work. If you get past that, try getting the executives to agree to the above modifications, particularly monitoring their personal devices.

Time for an example

It gets even more complicated, and in order to show the complexity, let's look at an example. It's one I made up; still, it's not that far-fetched.

Mike works for XYZ Company as a sales engineer. XYZ allows Mike to use his personal iPhone for work. The company is on top of things, having a security policy in place, signed by each individual, and stored in their HR file.

Mike is sent to a trade show. Walking by a competitor's booth, he spies what appears to be a piece of equipment remarkably similar to the one XYZ is getting a patent on. Mike then moves on to the next booth and takes a picture of something he finds interesting.

Unnoticed by Mike, one of the competitor's salespeople, also at the show, recognizes him and sees him taking a picture. The salesperson is sure Mike photographed their prototype.

Fast forward a few months. Mike, attacking a huge mound of paperwork having just returned from the Far East, sees his boss motioning for him to come into her office. "I'm sorry, Mike, I need your iPhone," she says. Mike, more surprised than anything, can only muster, "Why's that?" "We are being sued by our competitor for stealing trade secrets, and your iPhone was on the plaintiff's list of items requested for e-Discovery."

What are we talking about?

Using the example, let's look at what could be facing Mike and the company he works for. Mike has two choices — turn the phone over or not. There are implications with each choice, and we need to look at each closely.

Scenario One: Mike turns the phone over, wondering when he will get it back. That is a complete unknown. Next, Dave points out in his paper what e-Discovery will mean to Mike:

If an image of a device's hard drive is needed for an investigation of a security breach or for e-Discovery purposes, the captured data is likely to include private/personal information of the employee.

Scenario Two: Mike doesn't turn the phone over; he is worried about his personal information stored on the iPhone. Two things then come into play, if I understand correctly. Mike may become personally involved in the litigation, and Mike's company will face additional scrutiny for not complying with its own security policy, which requires turning over evidence for e-Discovery.

The Catch-22

Now it's time to get to the "I didn't know" stuff. First, the security policy referred to in the example. Like XYZ Company, most real-life companies feel their existing security policy will cover BYOD as is. Dave disagrees with their assumption:

If not adjusted, the company could be setting the same standard for personal devices as company-owned devices, and that standard may not be achievable (individuals do not, and often cannot, secure their mobile devices the same way a company can).

I asked Dave if creating a specific policy for BYOD would work:

[D]rafting different policies for personal devices would result in two different standards, which could pose liability risk to the extent the standards related to personal devices are less rigorous.

Now to why this is important for you decision-makers and how you handle BYOD. Dave spent several minutes explaining the "behind the scenes" effort that would have occurred if the Mike and XYZ Company example had been real.

"Did not know" alert.

Dave told me that in litigation like this, the first thing the plaintiff will request is all documentation related to the company's digital security policy. Dave explains why:

From a legal point of view, the written security program may also be used to set an organization's minimum legal standard of care. The failure of an organization to comply with its own security program is a key factor that can (and will) be used by plaintiffs, counsel, or regulators to argue for liability after a security breach.

Next "did not know" alert.

Dave also pointed out there is a nebulous area in my example of Mike and XYZ Company. Mike has certain rights under privacy laws, and there is not enough case law right now to know how they fit in with a company or plaintiff doing e-Discovery on personal devices — another headache for the decision-makers.

No idea

I asked several friends and colleagues who are using personal devices for work if they had any idea what it would mean to them personally if the company they work for became involved in any kind of litigation, especially if they themselves might be involved.

Like me, no one in the group had any idea of the extent to which they could be involved. Particularly bothersome to them was the fact that e-Discovery is not required to differentiate between personal and company data. Here's something else I asked: "What if the company security policy requires that all devices associated with an employee who is leaving be digitally wiped clean?"

Two opinions

I am glad to see that legal experts are finally voicing their opinions. Sean Doherty, TechRepublic contributor, penned this article about why BYOD is not a good idea for executives. Along those lines, I asked Dave how he would handle BYOD. He did not hesitate, firmly stating he would allow BYOD if:

  • Company information residing on personal devices is limited.
  • User access via the personal device is controlled.
  • Security policies, treating company and personal devices equally, are in place.
  • Users understand there is no expectation of privacy for data on the device.
  • The ability to digitally wipe is installed on personal devices.
  • A waiver is signed agreeing to all the above conditions.

Final thoughts

Dave is circumspect about BYOD; he feels it is inevitable, "The genie is out of the bottle." Dave believes as I do: neither companies nor individuals will think about the legal implications of BYOD, much less do something about them, until the proverbial "Sh** hits the fan."

Something else to think about: more than once I have read (CIO, second page) experts, attorneys and consultants alike, suggesting that employees considering BYOD "lawyer up" before signing anything.

I'd like to thank Dave for taking the time this past Friday to help me, a complete rookie, through the legal morass of BYOD.


Information is my field...Writing is my passion...Coupling the two is my mission.
