MDM frequently employs GPS tracking devices. On the one hand, such devices are useful in pinpointing the location of the employee's hardware, thereby increasing the possibility of retrieving lost devices. MDM can also remotely wipe clean devices that have been stolen, thereby decreasing the likelihood of a significant data breach. But GPS trackers can, of course, also foster the unpleasant perception that Big Brother is always watching, even when the employee is off the clock or on vacation.
To avoid potential privacy challenges, companies employing MDM should require employees to consent to MDM installation and use by express agreement to opt in to a BYOD program. Such an agreement would have employees provide informed consent for the company's use and implementation of GPS trackers and other mobility-tracking devices, as well as the company's ability to remotely wipe clean an employee's device. Such a contract should incorporate by reference the company's use policy, and both in turn should clearly reserve the company's right to access employees' devices and protect proprietary data, even when access is only possible through the most invasive means available.4
Finally, a company should clearly and explicitly disclaim any liability for the loss of Angry Birds, junior league videos and any other personal apps, information and software stored on an employee's device. If a BYOD is accidentally left on the soccer field or at a gaming convention, an employer's ability to remotely wipe the device should not be deterred by consideration for the employee's personal data.
While some newer and more sophisticated (and commensurately more expensive) MDM can distinguish between employer- and employee-owned information, others may not. And therefore, an employee should be willing to pay the price of risking personal data loss for the privilege of being able to use the latest, fastest, sleekest, coolest device.
Ultimately, most of the steps outlined above will be ineffectual against a planned, targeted and intentional attack on a company's proprietary data. But in all other instances (accidents, employee negligence, etc.) the steps outlined above will go a long way toward protecting company information from the hazards of BYOD.
Cynthia Larose and Narges Kakalia are partners at Mintz Levin Cohn Ferris Glovsky & Popeo.
1. While the litigation and electronic discovery risks of BYOD are clearly beyond the scope of this article, it bears noting that BYOD implicates more than just the security of a company's data. When data is backed up to a home network along with an employee's personal photographs, videos, games and financial spreadsheets, that data may no longer be subject to a company's regular data-retention policy, may become discoverable in litigation, and may put at risk of discovery the employee's other personal information stored alongside it.
2. AllianceBernstein v. Atha, AD3d, 2012 NY Slip Op. 07766 (1st Dept. 2012).
3. Jailbreaking and rooting are colloquial terms that usually refer to the process of hacking into a smartphone or tablet's operating system in order to use the device with an unapproved telecom carrier, or to add programs, apps or software that are not approved by the manufacturer for use on that device.
4. Other privacy concerns may also be implicated in specific industries or geographical areas. Companies should consult counsel about how their policies may affect, and be affected by, statutory concerns involving the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Americans with Disabilities Act and by the laws of individual states and countries where their employees live and work.