Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back
Back

BYOD: Has Your Company Addressed Its Privacy and Data Security Risks?

Written by: Cameron G. Shilling

Co-Authored by:
Colleen Karpinsky Cone, VP Talent & Culture, DYN

Published in the ACC Docket

Bring your own device, or BYOD, presents significant privacy and data security risks to companies.  To reduce these risks, businesses should implement appropriate written data security and information use policies and procedures, before a disaster occurs.

BYOD appeals to both companies and their employees.  Employees prefer to select the type of mobile device they want to use for business and personal purposes.  Companies use BYOD to avoid some or all the costs of purchasing and supporting mobile devices for employees, and to simplify the processes when hiring employees and when employees depart.

When an employee uses a personal device to perform work and access the data systems of the company, valuable business information accumulates on the device.  The presence of that data on the device is a security risk if the device is lost, stolen, or compromised, and privacy concerns can arise if the company needs to access the device to recover its data.  These issues should be properly addressed in written data security and information use policies.

Several state and federal laws require companies to implement security measures to safeguard sensitive information.  The Massachusetts and California data security laws and the Health Insurance Portability and Accountability Act, or HIPAA, are good examples.  These laws require encryption of ‘data in motion’, such as data transported on mobile devices, laptops, and USB drives, and data transmitted electronically by email and in other ways.  BYOD companies often do not encrypt data in motion on employee-owned mobile devices, and devastating data breaches have resulted from the loss, theft, and compromise of such devices.

Mobile device management, or MDM, is currently a good technology solution for encryption of business data on personal devices.  MDM is not only generally commercially available and technologically viable, it also provides companies with other benefits, such as the ability to monitor an employee’s remote business activities, and to remotely erase company data from lost and stolen devices and from the devices of departing employees.

Encryption technology also is readily available for laptops and business email systems; dual authentication virtual private networks, or VPNs, provide employees with encrypted access to company systems from offsite; and secure portals and similar technologies can be implemented for the encrypted transmission of large amounts of data.  In short, encrypting sensitive data on personal mobile devices and during data transmission, like email, is no longer optional under data security laws.

Privacy concerns with personal devices present equally serious issues.  The company data that accumulates on such devices mixes with personal data of the employee.  Because the employee owns the device, the company does not have unfettered access to its data on the device, particularly for disgruntled and departed employees, and even cooperative employees can have legitimate concerns about handing over their personal devices to corporate officials.  Also, the company has little (if any) control over apps that employees download to their personal mobile devices, and malicious apps pose threats to company data on the device and can provide access through the device to company servers and other data stores.

In addition to these difficult personnel issues, recovering business data from a personal mobile device can be a legal minefield.  An unauthorized interception of an electronic communication, such as an email or text sent to a personal email account or cellphone number connected to the device, can violate the federal Electronic Privacy Communications Act.  Likewise, unauthorized access to stored electronic communications, such as an employee’s Facebook, LinkedIn, or other social media account, can violate the Stored Communications Act.

Beyond those two federal statutes, an employee also may assert a common law claim that the company’s intrusion into the employee’s personal device violates the employee’s legitimate expectation of privacy.  In 2014, the U.S. Supreme Court recognized in Riley v. California that, as a society, we have developed a strong sense that the data on our personal mobile devices is private.  The Court explained its reasoning as follows:

Modern cell phones are not just another technological convenience.  With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life’ ....  The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.

Sound information use policies and technology practices are the best solutions to avoid data privacy problems.  A company should clearly notify its employees in its information use policy that the company owns its business data, and that employees cannot have any expectation of privacy with respect to their possession or use of it.  A company also should notify its employees that the company has a right to access employee-owned devices to recover business data, and the company should establish parameters in its policy for doing so.  And, company IT personnel need to be properly trained to avoid intentional and inadvertent violations of the federal statutes mentioned above when accessing personal devices.

BYOD is not likely to subside – if anything, its prevalence will increase.  Companies that foster this practice should address the privacy and data security concerns of BYOD, by implementing appropriate written data security and information use policies and by adopting sound technology practices, like MDM and encryption.

Colleen Karpinsky Cone is the VP, Talent & Culture at Dyn, a cloud-based Internet Performance company headquartered in Manchester, New Hampshire.  Cameron Shilling is a Shareholder and Director at McLane Middleton, and Chair of the firm's Privacy and Data Security Group. He can be reached at 603-628-1351 or [email protected].

Integrity and trust

At McLane Middleton we establish and maintain long-standing relationships with our clients to help us better achieve their unique goals over time. This approach to building trust requires that our esteemed lawyers and professionals use their broad, in-depth knowledge and work together with integrity to ascertain sound resolutions to legal matters for their clients.

Strength in numbers

McLane Middleton is made up of more than 105 attorneys who represent a broad range of clients throughout the region, delivering customized solutions. As a firm we are recognized as having the highest legal ability rating. The firm is rated Preeminent by Martindale Hubbell and is recognized as one of the nation's leading law firms in Chambers USA. Our attorneys are distinguished leaders in their respective practice areas.

Meet Our People

Commitment and collaboration

McLane Middleton's versatile group of attorneys and paralegals become trusted authorities on each case through collaboration. We work with our clients to learn their individual needs first and foremost and, together, we develop comprehensive solutions to their specific legal matters. This approach helps us exceed our clients' expectations efficiently and effectively, client by client, case by case.

Practice Areas

A history of excellence

McLane Middleton was established in 1919 in New Hampshire, and has five offices across two states. However, deep historical roots don't allow you to become innate. Our firm is organized, technological, and knowledgeable. Our history means we are recognized. But our reputation is built on the highest quality of service and experience in very specific areas of law.

The Firm

Intelligence paired with action

Our team continuously seeks opportunities to enhance their professional development and put key learnings to action. The pursuit of further insight guides us to volunteer service opportunities, speaking engagements, and teaching roles. Our lawyers are sought after thought leaders across their industries, and recipients of leadership awards throughout the region.