BYOD lawsuits loom as work gets personal

The BYOD romance has suddenly turned sour.

Like most tragic love stories, the "Bring Your Own Device" affair has come to an abrupt end, a bitter breakup looms, and lawyers are circling.

In the early days of BYOD, say, last year, employees, especially Millennials, fell madly in love with the idea of using their own iPhones, Android smartphones and newfangled tablets for work. They could finally ditch corporate-issued BlackBerrys. BYOD ushered in a new era of consumer tech in the enterprise, one that promised employees and employers would live happily ever after.

But the BYOD romance has suddenly turned sour.

Employees are questioning the intrusion of corporate eyes on their personal devices. Did IT turn their beloved smartphone into a spy that tracks their whereabouts? Employees are beginning to sense companies taking advantage of BYOD by intruding on personal time to get free work time.

Now they're thinking about suing.

"I anticipate a bunch of little [lawsuits], then something big will happen that'll be a class action and become headline news," says CEO John Marshall at AirWatch, an enterprise mobile device management (MDM) vendor with 6,500 customers, including Lowe's, United Airlines and Best Buy.

It has already started. A lawsuit currently winding its way through a federal court in Chicago claims that the city owes some 200 police officers millions of dollars in overtime back pay because officers were pressured into answering work-related calls and emails over department-issued BlackBerrys during off-hours.

While this particular case doesn't involve BYOD, there's no question BYOD blurs the line even more between work life and personal life.

If a CIO has hourly employees with BYOD smartphones, she might want to leverage MDM to control email delivery to those devices. That is, an employer can set a business rule that won't allow delivery of corporate email to a subset of users during off-hours. Or a CIO can address this issue in the BYOD terms-of-use agreement.

This is just the tip of the iceberg.

While not dispensing legal advice, Marshall offers up another legal nightmare scenario: Lacking MDM tools to block out what can and cannot be seen on a BYOD smartphone, a help desk technician notices that an employee's device has a lot of personal apps about a health problem, and mentions his concern to the employee in the cafeteria.

"The employee can say, 'How in the world did you know that?'" Marshall says. "All of a sudden, something that's very benign and innocuous turns into something that's blown out of proportion."

Again, a comprehensive BYOD terms-of-use agreement, along with transparency about the capabilities and limitations of the technology, will help ward off such scenarios. The IT staff also needs to be educated about their role in a BYOD environment, says Marshall.

However, this doesn't mean problems won't crop up.

Part of the problem is that BYOD often puts business unit managers who aren't well-versed in technical user agreements in a leadership position with mobile apps. They're likely to give the green light to rogue mobile apps that violate such agreements.

For instance, employees are chiefly concerned about privacy and especially location-based services with BYOD, and so many user agreements stipulate that apps will not collect location-based information. But then someone wants to be helpful and builds a map app for the corporate campus that allows employees to schedule conference rooms and find safety information, such as where to go if there's a tornado.

"Maybe there's also a button on there that says where you are in the campus," Marshall says. "All of a sudden people wake up and realize that every single device using that app is collecting location-based information - that's an issue."

Sound far-fetched? "These are really plausible scenarios," Marshall adds. "There's so much copy and paste and reuse of all these components that these things can happen very innocently."

Then there's the dreaded remote wipe, which can land a company in some legal hot water.

Just last year, CIOs said they felt comfortable with BYOD because they held security's holy grail: remote wipe, a scorched-earth capability for wiping all data on a mobile device.

But employees weren't happy with the idea that the company can wipe personal data on their personal device. Some employees refused to participate in the BYOD program for this reason. Others waited days or weeks before reporting a lost or stolen device so that IT wouldn't wipe it. In late 2010, NPR told the story of a woman's BYOD iPhone mistakenly wiped by her employer, resulting in lost contacts and photos.

MDM software advanced quickly and seemed to come up with a fix. Now companies can wipe only corporate apps from a BYOD smartphone or tablet, leaving personal apps untouched. In fact, AirWatch won't even allow a full device wipe anymore for legal reasons.

While this helps tremendously, it doesn't completely solve the problem.

Let's say a company buys the popular productivity app, Evernote, for employees to put on their BYOD smartphones. Since the company paid for the app, the company can remove it at any time. The note-taking app collects company data but might also store personal data. An employee can use Evernote to create a shopping list, recipes, vacation plans, or perhaps something more critical to their job.

Guess what happens to this personal data when the employee leaves the company? The app, along with all the data, is wiped from the device and account. If the BYOD terms-of-use agreement regarding Evernote wasn't spelled out clearly, who is liable for the lost data?

The bloom is off the BYOD rose, and so companies had better add protections against employee lawsuits in the BYOD terms-of-use agreement and leverage MDM to ensure the agreement is followed.

Truth is, employees tend to get a bit emotional when their privacy is being violated or their location is being tracked via a mobile device that they personally own. They don't like their personal data to be wiped, either. When these things happen, companies can expect the wrath of a scorned employee.

"That's where it gets tricky," Marshall says.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT. Follow Tom on Twitter @kaneshige.