If your company is involved in litigation, then your personal smartphone used for work-even merely for receiving corporate email-can be seized and searched for evidence during the discovery phase, according to an NBC News report. This is just one of many unforeseen consequences of "Bring Your Own Device," or BYOD, a technology trend sweeping corporate America today.
Even worse, most companies have the right to search your BYOD smartphone anyway. That's because you likely signed your privacy rights away in a multipage user policy chock full of legalese. Did you read the fine print? Probably not.
"I can't tell you the number of times we get an issue where a company needs to reach in and wipe a device or look at a device, and the employee is shocked to learn that this is permitted under the company policies," says Matt Karlyn, partner in the technology transactions practice group at Boston law firm Cooley LLP.
Karlyn believes BYOD boils down to a well-drafted and comprehensive policy that spells out the rights for both companies and employees. Such a policy covers a company's right to monitor, access, review and disclose company or other data on a mobile device, and the employee's expectations of privacy with respect to that device.
CIO.com sat down with Karlyn to discuss the keys to a good BYOD policy, one that can provide companies and employees with some measure of security as BYOD barrels ahead.
Can a personal smartphone be seized and searched if a company is involved in litigation?
Personal devices may be subject to search and review in the event of litigation that involves an employer or other similar legitimate reason, which can include any business information on the phone. It's just like any other evidence or document or computer that could be confiscated and looked at for evidence. That's litigation procedure.
Yet I can even tell by your question that most people find this surprising. Where's the policy that makes it clear that the company has these rights with respect to these devices?
Today's mobile device management software allows for searching and wiping only business data. Could a search include personal data, too?
I was reading recently about a company that put into practice where they would only access business content on a personal device that's used for business purposes. They defined business content as email and business-related documents. They specifically excluded photographs, the assumption being that photographs would be only personal in nature.
They came to find out that there were a lot of photographs of white boards. People had taken pictures of white boards that contained all kinds of business information. It dawned on the [company] in the article that you can't make assumptions about what's business and what's personal.
Sign up for CIO Asia eNewsletters.