To Perhaps Centralize all the discussion(s) going on regarding the relative hot topic of “Bring Your Own Device”
BYOD and Employee Privacy
December 12, 2012 at 12:44 pm #174529
From the RSA Conference Blog:
BYOD and Employee Privacy–Factors to Consider
Let’s say that your company has a “Bring Your Own Device” (BYOD) policy permitting employees to use personal mobile devices for work. Do your employees have a reasonable expectation that their mobile device information is private, even if some of that information is work-related? Can an employer compel access to that information?
A recent case sheds some light on the factors a court will use to determine if employees can consider their mobile device information private – Mintz v. Mark Bartelstein & Associates, Inc., No. CV 12-02554 SVW (SSx), 2012 WL 3553351 (C.D. Cal. Aug. 12, 2012). The case is in the U.S. District Court for the Central District of California in Los Angeles.
The facts of the case concern the common scenario of an employee who leaves an employer in order to join a competitor. In this case, Plaintiff Aaron Mintz left Defendant Mark Bartelstein & Associates, Inc., doing business as Priority Sports & Entertainment (Priority), in order to join a competitor. Mintz claims Priority illegally accessed his email, while Priority contends Mintz stole trade secrets and conspired with his new employer to steal Priority clients.
Priority served a subpoena on Mintz’s cell phone carrier, AT&T, to gain access to certain text messages. Priority also wanted data about the texts, including their dates, times, originating and receiving telephone numbers, and originating cell site and sector. Finally, Priority wanted similar data about incoming and outgoing calls associated with Mintz’s AT&T account, including the calls’ durations. Mintz sought relief from the court to quash (stop) the subpoena.
The court decided that the Stored Communications Act prohibits AT&T from disclosing the content of Mintz’s text messages in response to Priority’s subpoena. The court stated, though, that Priority could seek the text message content from Mintz directly. The court did not reach the question of whether privacy concerns would preclude compelling Mintz to turn over the content of his text messages to Priority.
Nonetheless, the more interesting part of the decision concerned factors bearing on whether Mintz had a reasonable expectation of privacy over the non-content information about the communications, such as date, time, duration (of the calls), and sending and receiving phone numbers. The court held that California’s privacy laws governed whether Mintz had a privacy interest in precluding disclosure of this information. It then listed a number of factors bearing on the question of whether Mintz had a reasonable expectation of privacy.
December 12, 2012 at 12:52 pm #174537
December 12, 2012 at 1:30 pm #174535
The only effective means of maintining privacy or control of personal devices, including your phone, tablet and home desktop, is to either only use them to access corporate/government data through a secure VPN or website that does not transfer and data or software (including cookies) and only allows manipulation of data or editing of documents through the secure connection. The only other alternative would be to decline to BYOD and inform your employer you prefer to actually have a life when not at work. I often end up carrying my personal Ipad, my personal Iphone and my government issued Blackberry. Sometimes it is a bother but given what I have seen of government IT, there is no way in h-ll I am going to let them anywhere near my personal devices. From what I am reading, people in the corporate world are learning the same lesson, often painfully as in this case.
December 13, 2012 at 12:59 pm #174533
When I started to have to carry 2 laptops, and two phones, and 2 tablets on business travel, I drew the line in the sand and said enough!… Worked with IT people to insure that my connection to organizational data was secure when accessing organizational data. We agreed that I would NOT be able to download data onto my devices, and I agreed to go through an extended shut down procedure when logging off to delete cache. I agreed that if my devices were lost they had the “right” to remotely wipe my device.
I believe/believed that if I engaged in illegal activity, that whoever had the right to investigate, although the investigators would have to “play by the rules“. Investigation could include: reviewing my email accounts, regardless where they were, reviewing my backup files, and any logs created.
IMO this legal case was about “playing by the rules” regarding attempting to find evidence of wrong doing, The case MIGHT have been a little different (although I suspect the outcome would been awful similiar) if Mr. Mintz had NOT been BYOD’ng (new word???)
December 13, 2012 at 3:34 pm #174531
That ‘right to remotely wipe my device” is one I am never going to allow. I simply do not trust government IT not to screw it up. As an ardent photographer, I have over 20,000 digital photos floating around between my various devices. There is no way I want to lose them.
I would rather carry multiple devices than turn over that level of control for my personal files.
If the government cannot provide me a secure portal which allows interaction with absolutley no transfer of data or software, one which I could use from a hotel business center if need be, than government can issue me whatever mobile devices my supervisor approves. And BTW, the government can D-mn well pay for them. I am not violating black letter GAO Redbook guidance by augmenting anyones appropriation.
You must be logged in to reply to this topic.