BYOD heads to court

Two of the most risky factors to consider in a Bring Your Own Device environment are privacy and ownership. The employee owns the mobile device and the contents within – after all, they purchased the phone and their name is on the carrier contract. This has been a major area of concern for many businesses since the start of the BYOD trend.

What happens to a phone and its contents if an employee is terminated or quits? The phone number goes with them, which is an obvious issue: Just one missed call from a client could cost the company a significant sum, probably much more than its monthly BYOD savings.

But it’s not just the number that exits with an employee. Unless a company has taken steps to install software that allows it to wipe the device, the former employee may walk away with a mobile filled with company documents, emails, sensitive information and trade secrets.

Who would have the legal upper hand in such a situation? A recent US District Court case in California (Mintz v. Mark Bartelstein & Associates, Inc.) has shed some light on the matter. The plaintiff left his job at sports and entertainment talent agency for a position with a competitor. His former employer alleged he stole clients and trade secrets upon his exit. He shot back with a claim his email had been illegally accessed. The former employer subpoenaed AT&T, hoping to gain access to text messages and calls, including times, dates, call length and numbers the text messages were sent between.

The court’s ruling fell somewhere in the middle. It found the Stored Communications Act prohibited AT&T from handing over the text message information that was subpoenaed. When it came to the phone calls, the court found the employee did have a limited expectation of privacy. Since the company paid for a portion of the device and circulated a policy stating it had the right to review communications – though the employee denied having ever received or read it – AT&T was ordered to hand over the call information in the end.

In his analysis of the ruling, Silicon Valley lawyer Stephen Wu pointed out a few important lessons businesses can learn from the court’s decision. Wu said companies wanting control over devices should provide the phone number, pay for the entire cost of the device, and have a signed agreement in place with the employee. There should be no personal use of the phone.

“… Companies with BYOD policies will have to accept that employees will have a greater expectation of privacy than a non-BYOD workplace,” Wu wrote. “The phone account may predate employment and may be in the employee’s name. The employer will know that personal calls, texts, and emails will be made using the device. And if the employer does not pay all of the cost of the device, the employee will have a greater expectation of privacy. These factors may be unavoidable with a BYOD policy.”