Consent is Key for BYOD

Friday, December 12, 2014

With Black Friday behind us and holiday shopping still heating up, ’tis the season when many of us will acquire new gadgets and technology to power our digitally enhanced lives.  For businesses, this time of year also means thinking about how best to accommodate employees who want to use their personal smartphones, tablets, or other electronic devices to connect to company networks.

BYOD (“bring your own device”) programs offer benefits to both employers and employees.  Employers, for example, benefit from reduced IT costs associated with providing expensive technology to employees, while employees benefit from the freedom to choose their own devices for work and play.  Yet the ability to access both work and personal content on a single employee-owned device presents some challenges, particularly with respect to data security and privacy.  On occasion, an employer may need to access an employee’s personal device to protect company information, such as when the employee departs or the device is lost or stolen.  However, if the employer does not have explicit authorization from the employee to access the device, it may end up with not only a disgruntled employee but potential liability as well.

As a case in point, last month a federal district court in Texas ruled on claims asserted by an employee that his former employer violated the federal Computer Fraud and Abuse Act (“CFAA”) and other federal and state laws when it remotely accessed his personal smartphone and deleted all data on the phone, including personal and professional data, without his consent.  The employee in the case, Rajaee v. Design Tech Homes, Ltd., claimed damages to the tune of $105,100 attributable to his lost passwords, contacts, and photographs.  In this case, the court found these damages were not compensable under the CFAA on the grounds that the act covers only losses associated with investigating or responding to a violation of the act.  Because Rajaee did not produce evidence of any costs incurred to investigate or respond to the deletion of his data, the court concluded he had no losses under the CFAA, and therefore no claim.  Of course, had Rajaee established that he did incur such costs, the result in this case may very well have been different.

So, what does this mean for employers implementing BYOD programs?  At a minimum, it means that employers providing BYOD access should have policies in place describing the circumstances under which it may be necessary to access personal content on an employee’s personal device.  To allay legitimate privacy concerns, the policy should provide specific examples of when such access may be necessary, including situations involving lost or stolen devices, or technical support.  With an effective BYOD policy in place, employers should then require employees to provide written consent to the policy.