Legal Aspects of BYOD
The bring your own device (BYOD) trend is coming whether companies like it or not -- and the legal aspects of BYOD can raise questions around the workplace. In fact, 68% of employees already use their personal devices for work, according to a survey by software provider Globo. If your company hasn’t thought through the implications of BYOD or developed a mobile device management (MDM) plan, it should.
BYOD presents many intellectual property, security and privacy risks that could carry significant liability if not managed appropriately including:
Intellectual Property: If a device is owned by the employee but used for both work and personal purposes, who owns any IP created using the device? In the US, copyrights created in the scope of employment are considered “work for hire,” i.e, they belong to the employer if created by an employee. Contractors must assign those rights via agreement. In contrast, under US patent law, it is assumed that the inventor owns the IP, thus any attribution otherwise (e.g., to an employer) must be assigned as part of the patent application. Absent an agreement, employers still may be able to claim shop rights (inventions were created on the employer’s time and in the scope of the employer’s business). State law may also have specific statutes that provide clarification. For example, California law specifies that unless related to the business of the employer, inventions created on the employee’s own time and with his own resources belong to the employee. When adding BYOD to the mix, employers must ensure their employment and contractor agreements state clearly the terms of ownership for any potential intellectual property created using a personal device.
Data Security: Company trade secrets and confidential information, such as customer data, can’t fall into the wrong hands. There is a risk when employees access less secure, consumer cloud storage services such as Dropbox or SugarSync. Furthermore, if a company is governed under specific regulations such as HIPAA or PCI, any data breach can result in negligence liability and noncompliance sanctions. Data leakage can also occur if a device is lost, stolen, or disappears with a terminated employee. In a "Bring Your Own Device" environment, companies must carefully safeguard their data to minimize liability risk.
Privacy: Can the employer access or destroy data on an employee-owned device? In the US, the Fourth Amendment prevents citizens from unreasonable search and seizure, and the Stored Communications Act extends this right to a person’s electronic data when stored on neutral property (e.g., an ISP). Emails sent by employees using employer resources are owned by the employer; the employee has no right to privacy whether or not the email was business-related, according to the Federal Trade Commission, which governs electronic privacy. The Supreme Court has reinforced this position in the City of Ontario, California v Quon. In this case, the court concludes that the search of a public employee’s text messages was reasonable because a work-related purpose exists (an audit of excessive data usage on cops’ devices) and the scope of the search was limited.
However, the law is still evolving regarding personal information on personal devices used for work. Certainly employers must be able to retrieve data when required by law, or face court sanctions. Ultimately, companies need to navigate a quagmire of legal issues when implementing BYOD programs.
In a future post, we will discuss ways in which companies can mitigate these risks so they can focus on the benefits of BYOD.