Legal pitfalls lurk in common enterprise BYOD practices
Legal pitfalls could lurk in common enterprise BYOD practices, such as remote wiping of data and tracking of employee-owned devices.
This is the warning from Route 1, a digital security and identity management firm, in a recent white paper.
Route 1 stresses that remotely wiping personal devices when they are lost or stolen and GPS tracking of those devices are "legally ambiguous."
"As of now, the BYOD security strategies outlined above are not illegal. There is no current regulation nor is there case-law that has set precedent," the white paper explained.
To cover the legal bases, enterprises have begun asking employees to sign waivers or agreements giving the company permission to wipe or track personally owned mobile devices in the event of a security incident.
"Such waivers are legally questionable. If an employee agrees to sign one, they have no choice but to have their personal information tampered with or have the location of their device monitored should a security situation warrant it. If they refuse to sign, the employer has no other option than to fire them on the spot. Additionally, there are concerns as to whether or not these waivers are legally binding, and it is unclear how an enterprise enforces them," the white paper observes.
"Even when an employee has given his written consent to BYOD security policy, the enterprise can still be liable under certain circumstances. If a security breach occurs and the enterprise feels the need to remotely monitor an employee's device, the employer could mistakenly view personal information that it is not legally allowed to see," the white paper adds.
FierceMobileIT recently reported on a court case in which an employer intentionally viewed personal information on an ex-employee's device. Although this case involved a corporate-owned device, it raised some of the same privacy issues that could arise in a BYOD environment.