|
> > |
META TOPICPARENT | name="FirstPaper" |
Employee Privacy and the BYOD Movement
-- By LuChen - 06 Mar 2015
No Expectations of Privacy
It is no secret that little privacy is afforded to employees who use company-provided computers, phones, and other technology, regardless of whether their use falls under the realm of business or personal. Employers are naturally inquiring, and their curiosity is not easily tempered by such insignificant barriers as privacy concerns. In Stengart v. Loving Care Agency, an employee took what she believed to be reasonable precautions by using her personal (rather than employer-based) email account, without saving her password anywhere on the computer, but nonetheless had her email exchange retrieved from the company’s temporary storage system. The emails in this particular example were communications between the employee and her personal lawyer, making the trespass even more egregious since it violated attorney-client privilege. Even so, circuits have split on whether an employee has a reasonable expectation of privacy in these circumstances, with some courts actively defending the right of the employer to such information. For example, Holmes v. Petrovich held that an employee’s communications sent via computer in this way could be equated to speaking “in her employer’s conference room, in a loud voice, with the door open.”
The BYOD Movement
But what if an employee uses a personal device for work, instead of company-provided computers? BYOD, or “Bring Your Own Device,” is a relatively new movement that allows employees to bring their own devices to work, replacing company-provided technology with their personal iPhone, Android, or other device of their choosing. Some companies have even incorporated a BYOC policy, or “Bring Your Own Computer.” Employees like it because it’s convenient for them, and employers like it because it cuts costs and improves functionality.
It’s therefore no surprise that the BYOD movement is popular and growing fast. In 2011, the Aberdeen Group showed that 51% of surveyed companies allowed employees to use any personal mobile devices for business purposes, and an additional 24 percent exercised a similar policy for compliant devices. A study by IDC and Unisys found that 40.7 percent of the devices used by information workers to access business applications were ones they owned themselves. Furthermore, 74 percent of IT organizations agreed that the growth of BYOD policies was “inevitable.” Companies such as Kraft Foods, Sybase, and Citrix have started subsidizing purchases of personal devices that are to be used for work purposes.
Problems with BYOD
But although the BYOD movement certainly has its allure, such a policy is not without its own (often greater) problems. Because employers are entrusting their employees with work-related data on their personal devices, they believe it necessary to be able to protect their business information. This protection most often comes in the form of installing software on the employees’ devices and implementing a BYOD policy that enables them some degree of monitoring and control.
Indeed, instead of curtailing intrusions, many BYOD policies grant employers extensive access to the seemingly “personal” devices that employees bring into work. Depending on the employer, the specific BYOD contract, and the software that the company chooses to install, all of the following information is possible to access by an employer:
- Address book and contacts
- Usernames and passwords for different accounts
- Internet history
- Personal photos and videos
- Chat and messaging history
- Personal emails
- Phone records
- Calendar appointments
- GPS and location information
The list is non-exhaustive, and also depends heavily on the employee’s type of use concerning the device. For instance, an employee that uses an “app” to monitor her health may inadvertently reveal a medical condition to her employer that she would not want to disclose. In another example, in the case of Pure Power Boot Camp v. Warrior Fitness Boot Camp, the employer accessed his employee’s Hotmail and Gmail account after discovering her log-in credentials.
Remote Wipe
Neither does an employer necessarily have to confine himself to passively gathering data from an employee’s dual-use device. Many employers are empowered to do a “remote wipe” of a device, which entails deleting all information stored on that device - including not only business information but also the employee’s personal contacts, emails, photos, books, music, and any other data stored on the dual-use device - and making the device itself unusable by locking it. This is accomplished through software that the company’s IT departments download onto the device, though sometimes even that is unnecessary; ActiveSync? , a remote wipe and lock feature, comes preinstalled in most consumer mobile devices.
Employers assert, of course, that the remote wipe is a precautionary feature used in the case of the device being lost or stolen, lest company data fall into the wrong hands. However, the remote wipe leaves employees with the short end of the stick, as most policies do not require employee approval for remote deletion, do not retain personal data after a wipe, and do not have a policy of reimbursement for the loss of personal content such as music and applications. If an employee values security and privacy in his personal information, free from tampering, then subscribing to a BYOD policy is far from the safest option.
Conclusion
The central issue inherent in managing a dual-use device is the difficulty in separating personal information from company-owned data - that is, when employers attempt to make the distinction at all. Privacy concerns abound, for employers not only monitor the personal data of an employee but are capable of deleting data altogether if it suits their needs. And these are only the issues on an average day; if the company becomes involved in litigation, dual-use devices may be seized in their entirety, and any personal information on them surrendered. It is true that some BYOD policies are more generous to employees than others, but an employee would be well-advised in reading BYOD policies carefully, and considering the alternative of instead just carrying two separate devices. |
|