Take the case of Larry Sitton, who in 2011 sued his former employer in Georgia after discovering that the CEO of his old company had gone into his office and accessed a personal email account on his personal laptop, which he was using in a BYOD capacity. Sitton argued that his former employer, a printing company with some 120 employees, was crossing the line and that its act was an invasion of privacy. The court, however, ruled that the company had the authority to access the computer because it was being used for BYOD.
To prevent such scenarios from happening, one approach may be to segregate data into separate silos: Keep personal data sequestered in personal directories, and keep company data in company-managed containers. Don't let personal and company data mix, and define a BYOD policy governing how management may access company data on employee-owned devices.
This approach might work, but Rod Beckstrom, vice chairman of the World Economic Forum's Global Agenda Council on the Future of the Internet, expressed a more ominous view during the RSA conference's BYOD panel discussion. Beckstrom suggested that under various legal and compliance mandates, an organization may not legally be able to segregate data, or guarantee that personal data will be protected. As a corollary, if a company is ever required to surrender data under legal discovery, the personal data on a BYOD device may be forced into play--formal BYOD agreements between employers and employees notwithstanding.
Another problem is that once company data has landed on a modern BYOD device, it's exceptionally difficult to control where it goes. For example, if an employee has company data on a personal iPhone, and that data is backed up to iCloud, wiping the device is no longer sufficient to protect that data. It's difficult--if not impossible--to know which servers or devices are storing company data. So, if you're in charge of data security, you need to consider all the various places data might end up once it leaves the servers over which you actually exert control. You should also limit the data that employees can access (and therefore store) to information you're willing to set free in the wild.
4. What happens when it breaks?
One last thing to consider is who handles troubleshooting and support for employee-owned devices. For employers, one of the perceived benefits of BYOD is offloading the burden of hardware and software support, and letting employees work directly with device vendors and wireless providers to fix problems.