May 13, 2013, 1:09 PM — If your company lets employees bring their own devices for workpurposes, you'd better have a formal BYOD policy-one thatunderstands employee privacy rights and employer access rights.
Such policies are often crafted by legal experts for goodreason. Violations of certain rights can land companies in hotwater. Management consulting firm Janco Associates hascreated a 14-page BYOD policy template covering everything fromhelp and support to disaster recovery to access control.
In the privacy section, Janco outlines legal issues.
Janco cites one of the cornerstone legal considerations calledthe Stored Communications Act, or SCA. It deals with the disclosureof stored wire and electronic communication and transaction recordsretained by third-party Internet service providers, or ISPs.
Essentially, SCA prohibits ISPs from divulging a customer'scontent. Companies attempting to access electronic communicationsstored at an ISP without authorization can be fined or imprisoned.The employee can also seek a civil remedy.
There is a legal precedent favoring employee rights: Pietrylov. Hillstone Restaurant Group in 2009, whereby a couple ofemployees created a MySpace page to complain to registered membersabout the company. Managers allegedly pressured one member, anotheremployee, to give up her log-in ID and password to access theMySpace page.
The two employees that created the MySpace page were outed andfired, yet the court upheld the jury's verdict that Hillstonewas liable for violations of the SCA.
One can only imagine similar scenarios playing out on a BYODsmartphone or tablet. These devices access an employee'sFacebook page and other password-protected social networks andpersonal data residing on servers. With the rise of BYOD,technology and legal experts are now predicting employee lawsuitsconcerning privacy violations, unpaid overtime and otherissues.
The message is, do not try to gain unauthorized access to anemployee's private social networks, says Janco. Youshouldn't even ask an employee to provide log-ins and passwordsto a private site, because you may have to show that you didn'tcoerce or threaten the employee to comply.
"The Stored Communications Act is outdated as its authorsnever contemplated the prevalence of social media and BYOD (BringYour Own Device) computing environment," Janco writes in itspolicy template.
"Companies don't have to stop monitoring because of theStored Communications Act; they just have to be smart about it. Ifyou ask the owner or administrator for access to a private site andthey say no, walk away. Recognize the limitations imposed byemployment and privacy laws on your ability to monitor employeesites."
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at firstname.lastname@example.org
Read more about byod in CIO's BYOD Drilldown.