'Bring your own device' creates privacy issues for employees


Smartphones and tablets allow professionals to essentially carry a computer wherever they go and, better still for companies, many employees are happy to buy their own mobile device and use it for work.

But while the convenience of handheld, portable computers enables employees to peruse email, communicate with clients and review documents without being tied to the office, the “bring your own device,” or BYOD, trend is creating tensions between how much access an employer can have to the worker-owned device and how much privacy an employee can expect.

Companies are concerned about security, keeping confidential data from falling into a competitor’s hands, and preventing financial account numbers from becoming known to hackers.

Employees want to keep prying eyes, including those of their employers, from looking at the photos of their children, text messages from friends and emails from family stored on their mobile devices.

Drawing a bright line between access and privacy is not possible, attorneys say. Still, rules and policies must be formulated to provide some guidance so businesses and workers will have some idea of what will happen when a company’s security is breached.

Attorneys, however, disagree on where that guidance should come from. The role that market forces, courts and statehouses should play sparks debate because of the complex nature of the BYOD questions and the pace at which technology changes.

Nathan Baker compared smartphones to sunglasses – they are always being left behind.

The Barnes & Thornburg LLP partner said companies must be prepared for employees’ mobile devices to get lost or stolen. Protection measures like encryption and firewalls that are common on desktop and laptop computers are not easily applicable to smartphones and tablets. So whenever an employee leaves the office with the mobile device, company data will be walking around in public with little security.

Companies can mitigate the damage by having BYOD policies which lay out the expectations and requirements. But a policy alone is not enough, Baker said. Companies also need to train their workers on what the policies say and institute methods for ensuring the employees are complying with the rules.

Baker highlighted the hypothetical situation of an employee’s mobile device being stolen and the company wanting to remotely erase the data. Employees will be less likely to object to having their phones wiped – which will also obliterate their personal information – if they know long before their items are lost what the process will be.

A second reason for training and compliance is litigation, Baker said. If a company becomes the subject of a lawsuit, work-related items on employee-owned devices will have to be preserved for discovery purposes.

Failure to do so can bring stiff spoliation sanctions. One example of this came in January 2014 when the U.S. District Court for the Southern District of Illinois slapped pharmaceutical manufacturer Boehringer Ingelheim with a $900,000-plus fine, in part, because the company did not tell its employees to save work-related text messages on their personal phones.

Ann Grayson, partner at Barnes & Thornburg, pointed to the Boehringer Ingelheim sanction as an example of the courts providing guidance.

The bench, she said, will face more cases involving employee-owned mobile devices and as it issues more rulings, direction will emerge on how companies and workers can navigate the tension between privacy and access. The court decisions will give an idea of where the judiciary is headed on this matter and help inform business about how to craft policies.

Attorney Cameron Shilling, director and chair of the privacy and data security group at McLane Graf Raulerson & Middleton in New Hampshire, believes the job of defining what belongs to a company and what belongs to an employee in a BYOD world will need to be handled legislatively.

The courts, he said, do not understand the concept of company data on employee hardware. Moreover, disputes arising from BYOD do not always provide a legal issue that can be addressed by the judicial system, and any remedy that comes from the courts usually does not arrive fast enough given the speed at which BYOD matters can move.

He is helping to draft legislation to be introduced into the New Hampshire Legislature this fall. Shilling believes the measure, which will define personal data versus company data and personal device versus company device, will be the first of its kind in the nation.

An employer has a right to retrieve company data from an employee-owned mobile device, Shilling said, but the employer has no right to invade the privacy of the employee.

Businesses want tough regulation to force workers to give back company data, he said. But, he continued, any legislation should extend employee privacy to company hardware. The current thinking holds that if an employee uses a company computer for personal business, the employer has a right to look at the data and the employee has no privacy.

“I disagree,” Shilling said. “I think to be fair we have to recognize a rule that says an employer shouldn’t unnecessarily invade personal data of an employee on a company device.”

Baker was hesitant about a solution coming from a statehouse.

“I’m always concerned when the legislature steps in particularly on issues like this that are still so new,” he said, explaining legislation typically prevents or prohibits things, and it’s too early to tell where this issue and technology are headed.

The market, he said, may be able to provide the answers. He noted the practice of some employers asking for passwords to job candidates’ Facebook pages. State legislatures enacted laws restricting that practice but, Baker said, the problem largely solved itself when the public’s adverse reaction to the practice made employers quit.

Attorney Ken Mortensen, managing director of the risk assurance practice at PwC U.S., said the judicial branch and the legislative branch can address the problems of BYOD.

Mortensen served as a panelist on one of two seminars examining BYOD issues during the August American Bar Association annual meeting. He joined the discussion on the collision between personal privacy and corporate security.

Shilling participated in the second seminar during the ABA meeting, which also examined privacy and data security concerns.

The courts will have to consider the issue and the legislatures will have to pass laws to address the concerns over the conflict between privacy and protection, Mortensen said. Legislatures are not better than the courts, he said, but the legislative branch can address the matter more comprehensively while a court’s ruling will be based on the facts of a particular case.

Both Baker and Grayson noted a key hurdle to finding a solution to BYOD issues. The variability of the situations coupled with the constant updates to mobile devices makes blanket remedies difficult to formulate.

“Because of the ever-changing technology with smartphones and mobile devices, the challenge is about the time you set a rule, a new problem crops up,” Grayson said.


  • let the employer provide it all
    An employer has no right to ask an employee to use their own personal cell phone nor computer for their business. They need to pay for it all. The solution is the business phone is for business only, the employee has their own personal phone. If the employer wants to contact the employee, business phone, otherwise, don't bother calling the personal phone. The employer has no right to see any of the employee's personal phone records and the employee cannot use the business phone for any personal calls. Also, the employer has no right to ask the employee to use their home network for business purposes if they won't pay for it. Simply put, keep business on business devices, personal on personal devices and pretty much keep the employer out of the personal lives of the employee. This should be defined by the law and by legal, business processes and documents. For too long, employers have been creeping into people's personal lives with computers, phones, networks, etc. and consuming, invading personal time. Unless absolutely necessary, the employer is only paying for time at work in the business environment and employees should draw the line on their personal lives and time. Once at home, it is of no concern to do the employer's business even if salaried. Take back your lives and enforce employee demands on employers which means you don't own the employee's time on a computer, cell phone 24 hours per day, laws should be passed to restrict work hours, hourly and salary. Salary means pretty much 40 hours per week, if you want more, pay overtime to salaried workers. Don't use it as an excuse to say you own the salaried worker's time no matter what, no matter when. It is about time to put our feet down on this issue and tell them no. Retail abuses this more than anyone, working 50-60 hours per week and getting a diminishing marginal return on salary.
Salary is a name to abuse the employee's time and an excuse to say take it or leave it in the name of having a quote professional job. If that is the case, then pay overtime once 40 hours is reached. Should be a law written in the employee's favor in this case. For far too long have employers exploited professionals and college degreed individuals saying a job is a career and being professional and salaried means working 40-60 or 70 hours per week. Let's put up the wall and tell the employers that work stops when we leave their business and if they want more, pay more, not an open check book to consume the employee's life and home time. Too much 24 hour per day worrying and working for them. Didn't exist before cell phones, beepers, email, LinkedIn, netmeeting, etc. and when physical buildings were more prevalent for business. It was go to work, do 8 to 9 hours, go home and forget about work. We need to do this again, set up an employee code stating that once at work, only work, once at home, only family, friends, and home, no mixing the two. Take back your lives and refuse the grind that executives are demanding to dump all the work of shrinking workforces on fewer and fewer people. We should not have to take this and it should be a rule just like OSHA, worker safety, worker rights.
  • Bad Company Practice
    Many companies expect employees such as middle management and reps to be accessible by cell phone but do not provide them. And these days the employee better have a smart phone for the deluge of e-mails. The companies may "reimburse" the employees but that is not real compensation for being on-call 24/7. However, smart phones are provided to upper management as one of their perks. If my job requires a cell phone, then the company should provide it which is one of the reasons I'm still on a flip phone as a protest. I don't want to be so connected that I'm getting e-mails at all hours. Yes, two phones would be cumbersome but I like to keep my work and personal lives separate.
  • Personal Rights
    I believe that companies have the right to access personal mobile phone/apps that are company issued. My problem comes into my personal devices. I receive emails after hours on my owned personal device from clients about questions. From what I am reading the courts may tell me that all information on personal device belongs to the company after they asked to install the emails to my phone. No way! My personal information is just that - personal. Company information is company information. With the ways courts are going today, you really wonder if we are moving backwards in time. I work for a company, that is it. After work my personal life is just that = personal. The EEOC should get involved because invasion of personal privacy is a violation under our constitution - at least it used to be. What, you going to fire me because comments I make on Twitter, Facebook, and other sites don't list my employer's name. If so, may as well move to Russia since the USA is becoming more communist since limited right to privacy.
  • Easier to have 2 phones
    I think that most employees would probably much prefer to have their own personal phones/tablets and let the company they work for provide a separate phone or tablet if they want them to be available and have mobile access. Yes, carrying 2 phones/tablets can be a tad awkward at times but then this whole issue discussed in the article goes away... i.e.: Company provided phone or tablet is owned and paid for by the company. Personal phone or tablet is owned and paid for by the employee. Company info stays with company phone and/or tablet. Personal info stays with personal phone and/or tablet.
  • Insurance
    An interesting side issue is the lack of insurance for exposure of privacy data or business interruption related to network issues. Most business owners have no idea they are not insured for this exposure or they purchase a "data compromise" policy which provides no coverage for business interruption caused by hackers. You really should have your insurance agent review this coverage on your current policies. Cyber, Privacy & Media liability insurance is not just for tech companies.
  • Do more research
    Bit surprised the author didn't bring up the fact, there are many applications, like MobileIron, Good Technology, and of course, Blackberry BES available, to "sandbox" any corporate data and communications. Thereby allowing the company to immediately wipe that corporate info from the lost phone. Why wasn't this brought up? It's a simple matter to require BYOD phones to have this software on their phones, if a person wants their company's access on their personal device. The personal info stays personal, and the corporate info stays corporate. The corporation can even decide which websites etc. a person can access, or allow or deny certain apps if they wish.
