The BYOD Maelstrom: Legal, Technical Issues Abound
When companies started issuing BlackBerry phones, the world changed. With the advent of the iPhone and Android, the world changed again. Employees started using the newer, hotter technologies, and many carried the company BlackBerry and the iPhone or an Android handset but did not like carrying two devices -- one for work and one for personal stuff.
Some companies, but not many, started issuing iPhones and Android phones. Others simply said "Bring Your Own Device" and either supplemented the costs or did not. Either way, employers had to figure out how to support the new BYOD world.
However, BYOD has created new challenges for those employers who permit, encourage or require their employees to buy and use their own smartphones, tablets or computers for company business. Those issues, both legal and technical, exist whether the employer supplements the costs or not.
While it is clear, thanks to a 2010 U.S. Supreme Court 9-0 ruling, that employees are not entitled to privacy on their smartphones (or tablets or computers) if they use an employer's issued device, it is not so clear when employees rely on their own smartphones (or tablets or computers) for email and remote access.
The legal questions center around whether the device is used for personal or business use, and whether an employer's contribution to the cost of the device or service makes a difference.
What Are the Technical Issues?
BYOD poses several challenges to an enterprise, according to a just-released Juniper Networks survey of more than 4,000 mobile-device users and IT professionals:
- Adapting mobility policies to align with the current trend of employees using personal mobile devices for corporate use
- Delivering secure, remote access for mobile devices, while enforcing granular access controls
- Securing corporate and personal data and mobile devices from malware, viruses and malicious applications
- Mitigating the risk of loss, theft or exploitation of corporate and personal data residing on mobile devices
- Providing all of the above for an ever-increasing range of mobile devices and platforms.
Obviously, these challenges create complexities for IT professionals, and many of those complexities are intertwined with legal issues.
What Are the Legal Issues?
1. Privacy and Email
In the U.S., the Federal Trade Commission regulates privacy, and the law is simple. Employee emails on employer systems are owned by the employer, and the employee does not have any privacy rights in them. That means an employee should have no expectation of privacy for emails when using the employer's systems (equipment, server or cloud), or even the employer's Internet access.
However, in the EU, Canada, and a number of other countries (all referred to as "EU" for simplicity), the opposite is true. In the EU, the presumption under the 1995 Data Directive is that employees do have privacy rights to emails they send and receive.
If an email on an employee-owned device is sent or received for company business, an employer can make a great argument that the employer has ownership rights in the email and the employee has no right of privacy over that email. However, it is not so easy to determine whether any particular email is a business email.
In addition, if the employee sends emails from a personally owned device and uses webmail such as Gmail, Hotmail or AOL, the question is less clear than if the employee is using the employer's email system. In order to make that determination, all emails may have to be reviewed.
In the EU, it's likely that all email on employee-owned devices is private to the employee regardless of whether those emails are for company business or not.
It gets even more complicated when a resident of the EU uses a personally owned device for company business and sends emails to the U.S. Does U.S. law or EU law apply? Does it depend on which jurisdiction the sender or recipient is in? Unfortunately, there are no clear answers to these questions as yet.
2. Intellectual Property
Under the U.S. Constitution, authors of copyrighted materials and inventors of novel ideas that can be patented have a monopoly on using that intellectual property. The law presumes that when employees create copyrighted works, trade secrets or trademarks in the normal scope of their employment, the intellectual property rights in those works are owned by the employer.
However, with respect to patents, the law presumes that inventions are owned by the inventor, not the employer. So, most employers require in employment contracts that employees assign ownership of patents.
For independent contractors (1099 folks), if there is nothing in writing to the contrary, the law in the U.S. presumes that all IP developed by independent contractors is owned by the independent contractor.
What About Intellectual Property on BYODs?
Determination of IP ownership is complicated when it comes to devices owned by employees. If employees are using their personal smartphones, tablets or computers as tools in the normal course of their employment without a written agreement that describes who owns what IP, then the employee could probably claim that the employer does not own the IP. Such IP may include art, designs, copyrighted works and the like.
Or if employees are using their own smartphones, tablets or computers outside the normal course of their employment, such as on evenings or weekends, can employers make any claim to IP ownership? Perhaps the IP ownership determination would turn on whether an employee was working on an employer's project or if an employment agreement carved out a 24/7 IP ownership claim.
Another complicating issue might be if the employer is paying the employee a portion of the costs of the smartphone or related service. Would that somehow give the employer a better claim to IP? Not so clear.
What Employment Contracts or Policies Address
Given all these BYOD issues, it seems pretty clear that there should be a written document specifically delineating the rights and obligations relating to the employee's use of employee-owned smartphones, tablets and computers. In addition to addressing IP and email, the document should address employer requirements for security software, encryption and passwords on these devices if the employees have access to the employer's email, system and the like.
Simply by addressing these types of issues up front in written agreements, companies can go a long way toward reducing the risk of misunderstanding and compromise of their systems. In the U.S., they can also clarify expectations with respect to email and IP rights.