Mention BYOD to CISOs and IT administrators, and there's a good chance you'll see some unease. As convenient and as cost-saving as it can be, BYOD also comes with some tough security challenges. There are also BYOD legal implications, and if you plan on selling BYOD-supportive or BYOD-related technologies, you must be familiar with them.
The BYOD trend took off so quickly that the law hasn't yet had time to catch up. Little case law precedent exists around BYOD, as Government Technology's Brian Heaton pointed out, making the arena even more difficult to navigate. Still, there are several key considerations.
1. Regulatory compliance
Compliance with regulations around data privacy, security, and access control is top of mind for CISOs in many industries. Your customers have no doubt made investments in the security of their own infrastructure and devices in order to remain in compliance, but when it comes to data breaches and noncompliance, data privacy laws typically don't discriminate between corporate-owned devices and employee-owned devices. The BYOD legal implications are therefore serious. If an employee-owned device handles protected data in a noncompliant manner, or if an employee-owned device is the source of a data breach, the organization will still be liable.
2. Corporate data privacy in the event of noncorporate legal action involving an employee
The process of legal discovery these days typically involves the seizure and examination of computing devices, including smartphones, tablets, and laptops. If an employee is involved in a legal action and must turn over his or her personal device(s) as part of the discovery process, private corporate data could be compromised and exposed: e-discovery "can't be described as a surgical operation," as TechRepublic's Sean Doherty wrote. It's probably that everything on the device will be examined, not just whatever is relevant to the action at hand. The BYOD legal implications are severe enough that Doherty advises CXOs not to adopt BYOD themselves.
3. Employee privacy in the event of corporate legal action
BYOD legal implications related to the discovery process go both ways. While still a murky area, concerns also abound regarding employees' legal right to privacy should they be compelled to turn over their personal devices during corporate-related legal proceedings. Luckily, the answer to this conundrum is a little simpler than answers to the rest of the BYOD legal implications discussed here: education. Employees must be made clearly aware of the possibility that corporate legal issues may force them to hand over their personal devices at some point. Clarity will go a long way towards mitigating the risk that an employee will believe his or her rights violated during the course of corporate legal proceedings.
4. Legality of BYOD waivers and agreements
In order to deal with these and many other BYOD legal implications and concerns, most experts advise the crafting of clear BYOD policies that employees must sign. Those policies often include employee acknowledgement that the company can remotely wipe or disable their personal devices if lost, stolen, or otherwise believed to be compromised. But are such waivers and agreements even legal, or legally enforceable? Some experts, like Wired's Tony Busseri, observe that there may be an element of coercion involved—what happens to employees who refuse to sign?
There is no easy answer to these and other BYOD legal implications, at least not yet. Security expertise and knowledge of partitioning, sandboxing, and remote wipe technologies can assuage some CISO doubts, but not all. Still, BYOD adoption doesn't look like it will go away anytime soon, and even the experts who've articulated BYOD legal implications often advise corporations to go ahead with BYOD, just with eyes wide open and clear policies in place. And as a VAR, the more you know about enterprises' BYOD doubts and worries, the better placed you'll be to address them with the technologies available.
What are some worrisome BYOD legal implications? Tell us your thoughts in the comments.