The legal implications of BYOD
Remotely wiping or tracking an employee’s mobile device, while asking workers to sign waivers consenting to such a policy, is a common practice, but its legality remains highly ambiguous, as there is little to no case law in this area.
Employee resentment over these invasions of personal privacy is growing, driven by concerns about losing personal data when using their own devices for work and about the potential violation if their employer views their personal information.
Employees of the federal government are facing the same threat to their privacy with respect to GPS tracking, under the Freedom of Information Act. With both Enterprise and government employees concerned about their privacy, unions will likely become involved in the BYOD security debate and mobilize on behalf of the workers they represent.
The Enterprise risks litigation when remote monitoring of employee devices leads to the viewing of confidential personal information. Acts such as the Genetic Non-discrimination Act of 2008 and the Americans with Disabilities Act protect information pertaining to workers’ genetics and disabilities. These Acts present significant legal implications to organizations viewing such information.
Companies also face legal action from the federal government if their inadequate security measures fail to preserve client data. For example, the U.S. Department of Health and Human Services has recently obtained seven-figure settlements from healthcare institutions that failed to protect patients’ health information under the regulations provided in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
As the workforce becomes more disgruntled about BYOD security policies, Enterprises may face mass litigation soon, with no clarity on how to react.
Tony Busseri, CEO of Route1, stated, “Along with security concerns, BYOD has brought the potential of major legal issues for the Enterprise to the forefront of senior management discussions. Many current BYOD corporate policies leave enterprise data unprotected in the event of a security breach and during an employee’s exit from the company. The policy of tracking and wiping an employee’s personal device opens the enterprise up to the potential for mass litigation.”