Bring Your Own Device Policy - Part 1

Many employers ask or allow employees to use their own technology to conduct business.  This practice is known as "bring your own device" or BYOD.

BYOD raises issues on privacy, record retention and employer liability.

I am drafting a form BYOD policy to cover both devices and services.  What do you think of the following clauses as part of a BYOD policy?

[BEGIN DRAFT]

Devices

Employees are informed, and employees agree, as follows:  When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to conduct business within the scope of employment (the “Device”), then:

Tablets | Phones
(a) the Device is creating records that belong to the Company; and

(b) the Company has the right to take possession of the Device to retrieve or preserve records.


Services

Employees are informed, and employees agree, as follows: When an employee uses his or her own service account (e.g. on Twitter, Facebook, Dropbox, Hotmail and so on) to do work within the scope of employment (the “Service”), then

(a) work records in the Service belong to the Company, and

(b) the Company has the right to take control of the Service.

[END DRAFT]

I have posted more draft clauses for a BYOD policy, which has led to an extended discussion on my Google+ page.

Comments invited.


Related:
Bring Your Own Online Service

BYOD part 3: Should employees be given privacy assurances?

[Again: Nothing I publish in public is legal advice for any particular situation. Use what I publish at your own risk. If you need legal advice, you should consult your lawyer.]
1 comments

How to Write Enterprise Archive Policy

Many of the policies I see for internal enterprise operations use rigid language.  They say the enterprise "will" do this or "shall" do that.

Drafting Policy
My concern with such language -- especially as it applies to the retention of records -- is that often the enterprise will not, across the course of years, do exactly what its policy states.  As the years go by, the enterprise may encounter legal, privacy, budget, technical or other problems that preclude it from keeping records as the policy "requires."

Strives

Thus, when I write policy for enterprise clients, I try to use softer language.  Instead of saying the enterprise "will" or "shall" keep records, I say the enterprise "strives" to keep records.

With the word "strives," I seek to avoid giving anyone -- such as an employee who sues the enterprise for some reason -- assurance that the records he wants will in fact exist at the time he wants them.

Preamble

Further, it is common for  me start enterprise policy with a preamble that states the policy sets general guidelines rather than rigid rules.  The preamble explains reasons why general guidelines make more sense for a policy that will stretch over multiple years.

Here is sample language I offer in in-house workshops I lead on enterprise record retention:

This states the policy of ___________ [insert name of business] (the “Company”) for the retention of electronic mail, instant messages and managed electronic documents. This policy sets general guidelines, recognizing

• the impracticality of adhering to rigid rules,

• the massive volume of records created by the ever-growing collection of digital devices and services used in the Company, and

• the need for record retention efforts to be proportionate with the value of the records, the cost of keeping them and the legal duties associated with them.
Proportionality

The word "proportionate" appeals to the growing body of law that says the standard for compliance in e-discovery and record retention is "proportionality."  Proportionality recognizes the difficulty of setting absolute, universal rules in data law.

What do you think?

--
1 comments

How to Respect Privacy in a Social Media Investigation


Privacy Impact Assessment

Social networks like Facebook hold so much information about our thoughts, our behavior, our relationships that official investigations naturally seek to uncover it.

Privacy on the Ascendancy

But as technology collects more data, powerful voices are championing greater respect for the privacy of the data.  These voices arise from around the world; I’ll point to two voices from the US.

The White House has published a Consumer Privacy Bill of Rights, broadly declaring, “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.”  Although this document focuses on the rights of consumers, it is consistent with rising expectations that the privacy of individuals be respected at a time when technology is enabling an unprecedented accumulation of personal data.

Free from Unreasonable Search
The US Supreme Court recently ruled, for the first time under the Fourth Amendment, that citizens have a right to privacy when in public.  United States v. Jones held that police must obtain a search warrant in order to track the public movements of a suspect with a GPS device.


A Rift in Society

A rift has emerged in society.  On one side are the forces of justice that seek to discover the truth about disputes and compliance with law.  These forces are represented by all the means through which our legal system supports the gathering of evidence -- subpoenas . . . safety inspections . . . inquiries by police . . .e-discovery in civil litigation . . . due diligence by prospective employers . . .  evidence collection in divorces and child custody battles . . . probes by disciplinary officials at schools and colleges . . . audits by government tax or regulatory officials . . . and much more.  These forces rightfully wish to access the mountains of relevant data stored in social networks.

On the other side of the rift are the forces of privacy.

As a consequence of this deepening rift, those people who wear the hat of "investigator" face emerging risk and responsibility.  An example of the risk is Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009).  Management at a restaurant believed, with reason, that it needed to investigate allegations of workplace-misbehavior recorded in a forum on Myspace.  Management obtained, through certain employee cooperation, access to the content of the forum and then terminated some employees based on what they posted in the forum.  But the court found that by looking at the content of the forum management violated the privacy of employees; the court awarded damages in favor of employees.


Prudent Investigator

For investigators, coping with privacy risk and responsibility is not easy.  But I have a recommendation.  Prudence dictates that all investigators explicitly consider privacy when seeking data through technology, such as social media.  What does that mean in practice?

The investigator needs evidence that she thoughtfully weighed privacy concerns as she designed and executed her investigation.  This evidence can be provided in a “privacy impact assessment.”  A privacy impact assessment is a written statement, stored in the investigator’s file, showing rational deliberation about the effect of the investigation on the privacy of the target of the investigation, as well as on the privacy of bystanders.

A persuasive privacy impact assessment will articulate the justification for the investigation and evaluate alternative methods for getting the needed information. It will assess methods for minimizing the impositions on privacy, while pursuing the legitimate goals of the investigation.  It will display a conscious weighing of factors, so as to balance need against cost.

Demonstrate Serious Contemplation

A privacy impact assessment need not necessarily be a lengthy document.  For less substantial investigations, it might be only a paragraph.

But it needs to be thorough enough to demonstrate that the investigator diligently contemplated the facts and methods of the case.  It might specify, for example, steps to limit the quantity of data collected, the number of people who have access to the investigation file, and the length of time data is stored before it is destroyed.

The impact assessment will be more persuasive if the investigator consults a colleague or superior in the course of drafting it.

No Perfect Solution

A competent impact assessment will not guarantee that law will determine that the investigator complied with privacy interests.  But it can be powerful evidence that the investigator performed responsibly in the presence of conflicting interests.

I would be honored to hear your comments on this idea.



Mr. Wright teaches the law of data security and investigations at the SANS Institute.



Related:  Complying with the Internet's tsunami of laws
0 comments
Subscribe to: Posts (Atom)