Organizations that let employees use personal mobile devices should consider the BYOD privacy issues and other legal concerns that may arise.
Organizations can easily track employees and their device activities with mobile device management
BYOD privacy fears
The BYOD movement has taken organizations by storm. Managers and workers embrace the trend with equal vigor, leaving IT to try to catch up with the security and privacy issues that personal devices bring to the workplace.
Workers' BYOD privacy fears are justified. Mobile technology and MDM software make it possible for organizations to track employees' every move, whether they're on or off the clock. Workers who participate in a BYOD program might unwittingly agree to let IT perform an assortment of actions, such as installing apps, wiping data, monitoring usage or collecting personal information.
Even a simple Microsoft Exchange ActiveSync connection makes it possible for IT to remove personal data from a user's device. Any MDM system requires at least some access to employees' personal information, so it's not much of a stretch to imagine that employers can access contacts, installed applications, Facebook account data and browser histories.
That's not to say IT or anyone in an organization necessarily wants to see users' personal information. In many cases, management and legal departments are just as interested as the workers themselves in keeping employees' personal information private because of possible legal ramifications. For example, if an organization were to discover that an employee was involved in an illegal activity, would management be required to take action? What if management did nothing?
Even if a company takes steps to separate personal and business data, employees are still subject to discovery requests in relation to litigation. Attorneys can request that employees turn over devices, resulting in any number of third-party individuals having access to personal data, including browser histories, financial information, social networking accounts and information about users' families and friends. In fact, the courts can require any sort of forensic review when it's deemed applicable to a case.
How to preserve BYOD privacy
Employers can do little to prevent an employee's personal device from being confiscated for forensic review, but they can take steps to address their employees' BYOD privacy concerns, while still addressing security issues.
One step is to implement an MDM system that treats personal information separately from corporate data. For example, MDM products from MaaS360 and MobileIron let companies wipe corporate data from devices without touching personal files. Such products don't address tracking and monitoring considerations, but at least employees won't lose their summer vacation photos.
Another approach to protecting personal information is to manage the data rather than the device. In this case, IT could implement mobile application management (MAM) to control only work-related applications and workers' access to corporate data. MAM can set and enforce role-based policies, specify how related files can be stored and shared, remove data and de-provision apps if an employee leaves the organization or loses the device. Managing enterprise apps and the data they control helps IT admins ensure that data doesn't leak into personal programs and services. That means workers can spend as much of their free time playing Angry Birds as they want -- without putting sensitive information at risk. Ultimately, compliance and security come down to the data, not the device.
Some organizations have set up virtual desktops for BYOD access; others implement virtual phone lines on specially-configured Android devices. At some point, these options might compete with MDM and MAM systems. Whatever approach organizations take to separate and protect private data, companies must make it clear to their workers what they're signing up for when they participate in a BYOD program.
BYOD policy for privacy
Before an organization can do anything with personal devices, including installing MDM or MAM clients, employees must give explicit and fully informed consent. Without consent, the organization could be in breach of data privacy laws if they access the devices in any way. That's where a carefully planned BYOD policy statement comes in.
More on BYOD privacy
BYOD and HIPAA compliance
BYOD infographic: The good, the bad and the ugly
Costs and ROI for BYOD
AUAs combat BYOD security issues
The statement should clearly define both the employer's and employee's rights and responsibilities, including how private data will be protected. It must inform employees what the company can access and install on personal devices and what steps will be taken if employees lose devices or leave the company. Employees should know exactly what the organization is allowed to do, including circumstances that could lead to seizure and search of a device. When employees sign the statement, they must do so with a full understanding of what they're agreeing to. The policy's goal should be to protect both the organization and its employees.
But creating a BYOD policy is no small task. Policies are subject to state and federal laws, which can vary widely depending on the type of industry. A multinational company has an even tougher task because different nations permit different levels of monitoring and device control. Policies cannot violate workers' BYOD privacy, no matter where they're located. For this reason, no policy should be implemented without fully understanding the implications of monitoring and controlling personal devices. Organizations must tread carefully to avoid potential legal entanglements.
The future of BYOD privacy
When it comes to the consumerization movement, it's hard to imagine going back to pre-BYOD days, but many unknown factors remain, particularly around the legal protections afforded employees. Even if an employee were to sign an agreement, questions about a company's access to that device could arise. Legal precedence has yet to be determined when it comes to employee protections under such circumstances. And no policy can protect against discovery.
At the same time, if organizations make their policies too stringent, employees might choose not to participate in BYOD programs, which could lead to increased expenses and the loss of competitive edge. And it would be difficult for any organization to mandate that employees use their own devices, even if working with a mobile device makes it easier for employees to perform their jobs effectively.
So where does that leave us? Could privacy issues become so complex that employees are forced to carry a second device for business? Could the legal issues around BYOD privacy become so difficult to negotiate that organizations will be forced to pull back from their BYOD programs?
The world of BYOD is a young one at best, and the rules are still in flux. The only certainty is that regardless of the circumstances, issues of personal data and workers' rights to BYOD privacy are not going away. So the sooner those issues are addressed, the better for everyone involved.
This was first published in January 2013