
*Article extracted from Solutions for State and Local Government
Experts discuss the legal pitfalls of public-sector agencies allowing employees to use personal computing devices for work.
OCTOBER 7, 2013
Let’s face it — public-sector employees are likely using their personal mobile devices for government business, even if they're not supposed to. So what should be your first move when considering a formal BYOD program? Call a lawyer.
While it’s easy to allow devices onto a public-sector agency’s network, handling the fallout from lost or stolen smartphones could be a bigger headache than you think. Sure, you may be able to remotely wipe data, but there are privacy issues that may challenge even the clearest BYOD policy.
According to experts, there’s little case law established in the courts regarding BYOD, particularly in the public sector. So while you can draft a policy that permits an agency to access, track and wipe a device, a BYOD program can still expose a government to legal action in an extreme situation.
Attorney Alix Rubin, principal of Alix Rubin Law in New Jersey, said the main difference between the public and private sector is that employees in the private sector have a right to free speech. And while that doesn’t give public-sector workers the right to disclose confidential government information, an agency has to be extremely careful to segregate private and public information on a device.
Although it can be difficult to do, Rubin advised that public-sector employers deploy whatever technology is available to separate information and monitor only government data. Applications exist to partition storage in mobile devices for email, but they aren’t a perfect solution, as items like photos and text messages can be co-mingled.
Tony Busseri, CEO of Route1 Inc., a digital security and identity management provider, said there’s no technology out there today that can guarantee that every bit of governmental data on a device can be stored in one area. That could spell trouble if a device is wiped and personal data gets erased.
“We know whether it be privacy laws or other laws and regulations that surround this subject, it’s a touchy matter,” Busseri said. “I’m not going to go into First Amendment law or things like that, but when government walks into our personal territory, there can be a very dramatic response to it.”
Portage County, Ohio, is considering a BYOD policy for county employees. Like many public-sector agencies around the country, Portage County is looking at how to support BYOD without clear guidance on how to proceed.
Portage County CIO Brian Kelley felt that two of the biggest issues concerning BYOD policies are public records requests and e-discovery. Kelley explained that even though a device is personal, if it’s being used for government work, it’s subject to e-discovery, which could potentially expose personal data.
Lee Neubecker, president of Forensicon, a computer forensics firm based in Chicago, agreed. He said that if for some reason discovery in a legal process required searching personal devices used for work, keyword searches might turn up unrelated content that is highly personal in nature, bringing privacy rights into question.
Although it varies whether or not data such as text messages are admissible in a court of law, Neubecker added that parties to litigation are typically allowed to look and see what facts are on various documents and electronic devices.
For example, if a person accidentally sends an email from his Gmail account instead of his government email application and it’s on a personal device he is using for work, that email constitutes a government communication. The same could theoretically apply to photos, call logs and other data generated or received by an employee.
If an employee felt that material exposed on his device was personal, he could sue the agency. The uncertainty surrounding a public agency’s liability by having a BYOD program can be frustrating to technologists who want to keep up with the times and keep employees happy.
“As CIOs in government and IT leaders, we’re faced with either quickly permitting BYOD to happen within our organizations, or we’re obstructionists to it happening,” said Kelley.
Kelley also pointed out that device support is still a gray area for BYOD. If an employee’s device gets infected with malware or is lost, and the employee can’t do his or her job because of it, whose responsibility is it to clean or replace the device? Even if the responsibilities are clearly denoted in a BYOD policy, there could be legal challenges given the lack of case law on the topic.
PROTECT YOURSELF
So what’s the solution? Unfortunately, there’s no be-all, end-all fix to the legal risks associated with BYOD programs.
Busseri recommended government employers look into technology that allows employees to use their own mobile devices to review information, but not allow storage of that government data on the device. If a program is instituted that way, you get away from the legal issues in favor of data security.
“From my perspective, you use a technology that never brings that data onto the device,” Busseri said. “It doesn’t mean you can’t use the device to look at it and manipulate it, but there’s no technical reason that if I want to use a mobile device, the data has to come to it.”
But a carefully worded policy document may help reduce the likelihood of a lawsuit if a disgruntled employee isn’t happy with the way government data is being handled on his or her device. Case law on BYOD issues may be scarce, but policies should be drafted based on what exists on similar issues, such as electronic communication, invasion of privacy and First Amendment law.
Rubin said if segregating data on a device is cost-prohibitive, then agencies should craft a search-access agreement in their BYOD policy that clearly states that the government entity will not intentionally look at personal data. The policy should also include a financial disclaimer that the public-sector entity isn’t purchasing any device or upgrading it, or paying for service, unless it has agreed to do that.
She added that agency BYOD policies should require employees to password-protect their personal devices that are used for government business and give those passwords to the employer. Although the latter might not be popular with people, Rubin felt it was an important step for governments to protect critical information contained on devices.
“Even a good policy doesn’t prevent you from getting sued, but at least it gives you a good defense,” Rubin said.