TECHNOLOGY LAW CORNER

The BYOD Maelstrom: Legal, Technical Issues Abound

When companies started issuing BlackBerry phones, the world changed. With the advent of the iPhone and Android, the world changed again. Employees started using the newer, hotter technologies, and many carried the company BlackBerry and the iPhone or an Android handset but did not like carrying two devices — one for work and one for personal stuff.

Some, but not many, companies started issuing iPhones and Android phones. Others simply said “Bring Your Own Device” and either supplemented the costs or did not. Either way, employers had to figure out how to support the new BYOD world.

However, BYOD has created new challenges for those employers who permit, encourage or require their employees to buy and use their own smartphones, tablets or computers for company business. Those issues, both legal and technical, exist whether the employer supplements the costs or not.

While it is clear, thanks to a 2010 U.S. Supreme Court 9-0 ruling, that employees are not entitled to privacy on their smartphones (or tablets or computers) if they use an employer-issued device, it is not so clear when employees rely on their own smartphones (or tablets or computers) for email and remote access.

The legal questions center around whether the device is used for personal or business use, and whether an employer’s contribution to the cost of the device or service makes a difference.

What Are the Technical Issues?

BYOD poses several challenges to an enterprise, according to a just-released Juniper Networks survey of more than 4,000 mobile-device users and IT professionals:

  • Adapting mobility policies to align with the current trend of employees using personal mobile devices for corporate use
  • Delivering secure, remote access for mobile devices, while enforcing granular access controls
  • Securing corporate and personal data and mobile devices from malware, viruses and malicious applications
  • Mitigating the risk of loss, theft or exploitation of corporate and personal data residing on mobile devices
  • Providing all of the above for an ever-increasing range of mobile devices and platforms.

Obviously, these challenges create complexities for the IT professionals, many of which are intertwined with legal issues.

What Are the Legal Issues?

1. Privacy and Email

In the U.S., the Federal Trade Commission regulates privacy, and the law is simple. Employee emails on employer systems are owned by the employer, and the employee does not have any privacy rights in those. That means the employee should have no expectation of privacy for emails when an employee uses the employer’s systems (equipment, server or cloud), or even Internet access.

However, in the EU, Canada, and a number of other countries (all referred to as “EU” for simplicity), the opposite is true. In the EU, the presumption is that employees do have privacy rights to emails they send and receive under the 1995 Data Directive.

If an email on an employee-owned device is sent or received for company business, an employer can make a great argument that the employer has ownership rights in the email and the employee has no right of privacy over that email. However, it is not so easy to determine whether any particular email is a business email.

In addition, if the employee sends emails from a personally owned device and uses webmail such as Gmail, Hotmail or AOL, it is less clear than if the employee is using the employer’s email system. In order to make that determination, all emails may have to be reviewed.

In the EU, it’s likely that all email on employee-owned devices is private to the employee regardless of whether those emails are for company business or not.

It gets even more complicated when a resident of the EU uses a personally owned device for company business and sends emails to the U.S. Does U.S. law or EU law apply? Does it depend on which jurisdiction the sender or recipient is in? Unfortunately, there are no clear answers to these questions as yet.

2. Intellectual Property

Under the U.S. Constitution, authors of copyrighted materials and inventors of novel ideas that can be patented have a monopoly on using that intellectual property. The law presumes that when, in the normal scope of their employment, employees create copyrighted works, trade secrets or trademarks, the intellectual property rights in those works are owned by the employer.

However, with respect to invention of patents, the law presumes that the inventions are owned by the inventor, not the employer. So, most employers require in employment contracts that employees assign ownership of patents.

For independent contractors (1099 folks), if there is nothing in writing to the contrary, the law in the U.S.presumes that all IP developed by independent contractors is owned by the independent contractor.

What About Intellectual Property on BYODs?

Determination of IP ownership is complicated when it comes to devices owned by employees. If employees are using their personal smartphones, tablets or computers as tools in the normal course of their employment without a written agreement that describes who owns what IP, then the employee could probably claim that the employer does not own the IP. Such IP may include art, designs, copyrighted works and the like.

Or if employees are using their own smartphones, tablets or computers outside the normal course of their employment, such as on evenings or weekends, can employers make any claim to IP ownership? Perhaps the IP ownership determination would turn on whether an employee was working on an employer’s project or if an employment agreement carved out a 24/7 IP ownership claim.

Another complicating issue might be if the employer is paying the employee a portion of the costs of the smartphone or related service. Would that somehow give the employer a better claim to IP? Not so clear.

What Employment Contracts or Policies Address

Given all these BYOD issues, it seems pretty clear that there should be a written document specifically delineating the rights and obligations relating to the employee’s use of employee-owned smartphones, tablets and computers. In addition to addressing IP and email, the document should address employer requirements for security software, encryption and passwords on these devices if the employees have access to the employer’s email, system and the like.

Simply by addressing these types of issues up front in written agreements, companies can go a long way toward reducing the risk of misunderstanding and compromise of their systems. In the U.S., they can also clarify expectations with respect to email and IP rights.

Peter S. Vogel

E-Commerce Times columnist Peter S. Vogel is a trial partner at Gardere Wynne Sewell, where he is chair of the eDiscovery Team and Chair of the Technology Industry Team. Before practicing law, he was a systems programmer on mainframes, received a master's in computer science, and taught graduate courses in information systems and operations research. His blog covers contemporary technology topics.
