The dizzying array of personal computing device choices can be disorienting. Smartphones, tablets, laptops, netbooks, desktops, and sometimes all of the above, are amongst the device options individuals have these days (and within each category additional brand [iPhone v. Android], software and operating system choices exist). At the same time, organizations have recognized that mobile devices are crucial to their own success, and many have incurred significant expense purchasing and securing such devices, and equipping their workforce. Nonetheless, employees are increasingly using (or demanding to use) personal devices to store and process their employer’s data, and connect to their networks. The reasons for this vary from avoiding the need to carry and manage multiple devices, to the desire to use the most up-to-date devices that exist, to increased efficiency.
This trend has been named (as is the fashion), and is referred to as “COIT” (the Consumerization of Information Technology”) or BYOD (Bring Your Own Device). Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable. Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. Many companies are having to play catch-up to control these risks. This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including “reasonable” BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.
BYOD “Reasonable Security”
The InfoLawGroup has written frequently on the concept of reasonable security, including posts about “legally defensible” security and court interpretations of reasonable security. Organizations implementing a BYOD strategy need to explore the concept of reasonable security for personal computer devices in the care, custody and control of their employees and contractors. Significant security challenges exist in this context, and most of them arise due to the lack of control companies have over their employees’ devices.
Take the example of company-owned laptop issued to an employee. When it comes to security, the company can:
- determine and limit the type of devices that can be used;
- implement minimum system requirements and configurations;
- install security-related software to the device;
- encrypt company data on the device;
- apply security patches;
- monitor the use of the device to detect misuse, hacking or malware;
- dictate how the device connects to the company’s network;
- install and update anti-virus software;
- provide support for the device; and
- obtain/access the device for purposes of an investigation (because the company owns the device).
When it comes to their employee-owned personal devices, organizations will partially or fully lose the ability to undertake these actions, and in any event will often be relying on its individual employees to secure their devices. Companies lose the consistency, scalability and efficiency they enjoy when they own their hardware, control their data, and can dictate and scale their IT infrastructure and information security.
Moreover, to the extent a company’s employees are unable or unwilling to implement particular security controls, the organization may be increasing its security risk. This can also increase legal and liability risk related to security. Organizations engage in complex decision-making processes when securing their systems and sensitive data and for purposes of maintaining reasonable and legally defensible security. The end result is set of technical, administrative and physical controls (typically reflected in a written security program) that the organization determines is sufficient to reduce its security risk to an appropriate level. From a legal point of view the written security program may also be used to set an organization’s minimum legal standard of care. The failure of an organization to comply with its own security program is a key factor that can (and will) be used by plaintiffs counsel or regulators to argue for liability after a security breach.
This presents a serious problem in the BYOD context. For example, assume an organization’s own mobile device security standard requires encryption of all sensitive data on company-owned computer devices, and the employee’s BYOD mobile device is not achieving this standard. If the employee’s personal device is hacked and the unencrypted sensitive data stolen the company’s Mobile Device Security will likely be used to argue that company did not implement reasonable security.
To reduce legal and liability risk, companies implementing a BYOD strategy need to carefully analyze their existing security policies to determine how they relate to and impact their employees’ use of their personal devices for business purposes. Policies that may be relevant, include (without limitation): mobile device security policies, password policies, encryption policies, data classification policies, acceptable use policies, antivirus software policies, wireless access policies, incident response policies, remote working policies, privacy policies, and others. If a company’s security policies already require certain security measures, it must be determined whether it is possible to match those measures for personal devices. If there are inconsistencies, organizations need to be ready to explain, why, despite the failure to follow policies that apply to similar devices, the security of an employee’s personal device was still reasonable.
Note, there may be reasonable differences between company-owned devices and employee personal devices, and both may be secured even if the methodology is not the same. Additional (but different) controls required on personal devices may compensate for missing controls required in company policies. For example, some companies are requiring employees to install software on their personal devices that provides additional security. Perhaps a lesser set of controls is appropriate in cases where storage of sensitive data on personal devices is prohibited (by policy or otherwise). In any event, for any BYOD implementation, it is important to investigate potential inconsistencies and rationalize why those differences do not equate to unreasonable security on personal devices. This process ultimately results in a Personal Device Use Policy that reflects the security trade-offs and requirements that come out of this analysis.
BYOD and Employee Privacy
The very nature of BYOD highlights the employee privacy challenges at issue. Employees and contractors of organizations will be using the same devices they use for work to engage in personal computing that involves a host of private activities and content, including web surfing history, personal emails, photos, chat histories, personally identifiable information, music, movies, software, user names and passwords and financial account numbers. We have already seen signficant legal activity relating to an employee’s expectation of privacy when using a company-issued device for personal reasons.
The U.S. Supreme Court recently considered this issue in the City of Ontario, California v. Quon (for a closer look at Quon please visit this ILG post). Quon involved a search by a city concerning an employee’s (a police officer in this case) alleged use of the city’s device for personal texting (including sexually explicit materials) both on and off duty. The police officer argued that the city’s actions represented an unreasonable search in violation of the Fourth Amendment of the US Constitution, the privacy clause found in Article I, section 1 of the California constitution, and also the federal Stored Communications Act (SCA).
The key issue in front of the Court was the extent to which the police officer had a reasonable expectation of privacy with respect to private messages sent and received on a city-owned device while on or off duty, and if so, whether the city’s search was unreasonable. Unfortunately, the Court did not rule on whether an expectation of privacy existed, and instead assumed that such an expectation was present for the sake of argument (the Court did note, however, that the city’s policies disclaimed any expectation of privacy, and that this was a factor in determining whether any expectation reasonably existed). It then turned to whether the city’s search was reasonable, and held that the city’s search of text message content was reasonable because it was undertaken for a work-related purpose and was not excessively intrusive under the circumstances. In this case, the city’s review was limited to a two-month sample of messages. In addition, to limit the intrusion into Mr. Quon’s personal life, the city redacted the officer’s messages sent and received while he was off duty.
How does privacy play out in a BYOD context? Again it comes down to looking at how an organization monitors its employees’ behavior when using computer devices owned and issued by the organization. For example, it is not unusual for companies to monitor their employees’ activities while working on the company’s network (regardless of the type of device connected to that network). For company-issued devices, additional monitoring of employee usage may occur at the device level (e.g. key-stroke logging or mobile device management software that tracks the geolocation of mobile devices). However, when it comes to personal devices, because it is known that personal and private activities are likely to take place on the device, for privacy reasons, the same types of monitoring may not be appropriate.
As discussed further below, another key privacy-related issue relates to investigations involving personal devices. If an image of a device’s hard drive is needed for an investigation of a security breach or for e-Discovery purposes, the captured data is likely to include private/personal information of the employee. Organizations can try to limit the scope of an investigation or data capture involving a personal device, but if they fail to preserve data that may be evidence in litigation they could face spoliation problems in court or miss key information needed for an investigation or remediation of a breach.
In all, companies need to carefully consider their intended goals when it comes to monitoring their employees’ use of their own devices, and balance those goals against these privacy concerns and potential legal limitations. Organization’s should make their employees aware of the privacy trade-offs and the reasonable expectations of privacy related to their use of a personal device for work. Note, expectations of privacy in this context may be higher because a personal device is at issue, and this should be taken into account by companies considering a BYOD strategy and informing their employees of privacy-related issues. If monitoring or an investigation is necessary, organizations should design their efforts in a manner that seeks to minimize the potential exposure of personal and private information.
BYOD Incident Response and Investigations
BYOD poses significant challenges related to incident response and investigations that impact privacy, security and legal concerns. Since individual employees own and possess their personal devices, when something goes wrong it may be difficult to actually obtain access to or possession of the device. This can be especially true when the employee itself is the subject of an investigation. If data collection and preservation is necessary, the inability to access and possess a physical device can be extremely detrimental. For example, if an organization is not able to preserve data that may constitute evidence in litigation, it could face court sanctions. This issue also poses problems for the individuals themselves who will likely (at least temporarily) be unable to use their personal device while it is being investigated. In addition, as mentioned above, capturing data or images of hard drives related to personal devices implicates potential privacy issues. In developing their BYOD strategies companies need to develop BYOD incident response procedures and inform their employees of those procedures.
Beyond investigations, for security reasons, some organizations may want to enable remote wiping, bricking and blocking of personal devices that are lost or breached. This too may pose challenges. First, it may be necessary to have employees load certain software to their personal devices or configure their devices in a certain manner to allow for remote wiping, bricking and blocking. Employees should be notified of these requirements and consent to them. Second, the wiping, bricking or blocking of a device could damage the device and/or data residing on the device. If a device is remotely wiped to remove sensitive company data from it, that wiping could also wipe out the employee’s personal emails, pictures, videos and software. Again, employees should be notified that damage, loss of use and data loss are all possibilities if they use their personal device for work purposes. Moreover, they should sign a waiver consenting to such activities and holding the organization harmless for any such damage, loss of use or data loss. All of this should be reflected in the organization’s Personal Device Use Policy and accompanying waivers and consent forms.
All too often companies considering a BYOD policy find that their employees are already using their personal devices for work purposes and to store sensitive information. This makes it more difficult to manage these issues in a deliberate manner and set up policies that address the security, privacy and legal risks associated with BYOD. Nonetheless, the complex legal implications of BYOD must be carefully considered using a multi-disciplinary approach (e.g. legal, security, privacy, IT, risk management, etc.) that takes the company’s existing infrastructure and risk tolerance into account. The end result should be a Personal Device Use Policy that addresses the various risks and strikes a balance that works for the organization. Also key, because of the personal nature of the devices in this context, is informing, educating and training employees concerning the privacy, security and incident response implications of using their own device for work purposes. Working through these issues can help to reduce the legal and liability risk that companies may face.