"Once information ends up on devices not controlled by me or my company, it is harder for me to audit and ensure that my employees are following the necessary protocols," she stated, reiterating that clear security and management policies are key to minimizing these potential headaches.
Broadly speaking, outside of industry-specific regulations like HIPAA for the healthcare sector and various laws governing banks and financial institutions, the U.S. doesn't have any real nationwide standards for data protection in general, let alone specific regulatory standards for employee-owned devices. Some agencies, including the Federal Trade Commission, tackle privacy issues, but most of the FTC's recent actions have targeted the consumer sector rather than enterprise mobile device users.
However, that lack of a unified standard means that, instead, businesses are subject to a patchwork of state laws that can vary widely. That can make life difficult for companies that operate in several states, and requires a detailed look at specific laws. And one has only to examine the fallout from the recent hack of the federal Office of Personnel Management to recognize that the threat to employee privacy is very real.
Fortunately, there are resources out there for concerned businesses: the National Conference of State Legislatures publishes a state-by-state breakdown of data breach notification laws, for example. That could be a good place to start when examining liability in a worst-case scenario. And, as mentioned above, heavily regulated industries like healthcare, insurance, and finance have far more specific guidelines to follow.
According to Chris Gallagher, national director of e-discovery vendor eQ, the rules governing those specialized industries can sometimes come into play in unexpected areas.
"Companies are at risk of legal action if they act on information obtained through snooping practices, ranging from privacy laws such as the Computer Fraud and Abuse Act and Stored Communications Act to even more esoteric areas," he told Network World. "For example, if an employee has a diabetes management app, a company's access to that data can implicate HIPAA, the Genetic Information Nondiscrimination Act (GINA), and many other areas."
Gallagher also echoed the importance of clear policy-setting in successfully navigating the legal dangers of BYOD.
"Companies should continually remind employees that their data can be seen and reviewed, so that employee consent is real and ongoing," he stated. "Courts look carefully at whether employees actually know company privacy policies, not just whether companies did the bare minimum to give notice."