iStock mobile security

If your BYOD user policies are too strict, then you might be running afoul of the law.

In a case last year in the US, the NLRB made the unprecedented argument that an at-will employment policy could "chill an employee's ability to communicate with others about wages, hours and working conditions or to engage in otherwise protected activity."

Heather Egan Sussman, a lawyer at McDermott Will & Emery, says she has seen at least three reports issued by the General Counsel over the last few years concerning cases where prosecuted companies wrote overly broad policies or policies that went too far. While these reports were mostly directed towards social media, they can apply toward BYOD polices as well.

The General Counsel's focus on confidentiality policies is causing companies to re-think their BYOD policies, says Sussman, "out of fear of prosecution."

BYOD policies get down to detail

It's an odd reversal of sorts. The first iterations of BYOD user policies erred on the side of simplicity and vagueness, merely suggesting user behavior instead of providing hard-and-fast rules. They consisted of generalisations about what companies and employees can and cannot do. These BYOD policies were practically useless when called upon for ediscovery or when employees raised privacy concerns.

Then the lawyers got involved. They helped companies draft lengthy documents covering all sorts of scenarios, including legal cases for ediscovery. BYOD policies ballooned to a dozen pages. These policies weighed heavily in favor of a company's right to monitor, access, review and disclose company or other data on BYOD mobile phones and tablets, and gave short shrift to an employee's expectation of privacy.

Now the pendulum is swinging back.

The General Counsel appears to be toughening up on corporate policies that attempt to control an employee's use of the internet, BYOD or social media. There's concern that companies are exceeding the scope of the their authorisation and potentially violating the National Labor Relations Act. While the General Counsel is not the deciding body, Sussman says, its reports can guide companies in drafting lawful BYOD policies that steer clear of prosecution.

Nevertheless, Sussman says she believes the General Counsel is acting a bit heavy-handed in saying what is and isn't permissible. "I think companies should have more latitude to set reasonable and fair rules with their employees, rules designed to protect against the many risks from BYOD and social media," she says.

BYOD, a company's right to protect and disclose data, and an employee's expectations of privacy are all colliding and creating a very sticky problem. Emotions run high when a conflict between employee and employer arises and when a company needs to look into an employee-owned smartphone or tablet.

When employers and employees make claims against each other, Sussman says, it often comes out in discovery that the employer has obtained copies of personal emails and other information from a device used as part of BYOD programme.

"Where we see it play out is when the employer wants to introduce a piece of evidence, and the question is whether or not the employer had the right and authority to collect that information in the first place or exceeded their authority," she says.

BYOD adds twist to discovery

Geoffrey Vance, another attorney at McDermott Will & Emery who heads up the discovery group, says he has cases where a company is being sued by a customer claiming damages from the company's product. The company needs to collect work-related data on smartphone and tablets that relates to the litigation.

Moreover, judges assume companies have the capability to preserve and collect all information created in connection with work that relates to litigation, Vance says. They won't be happy to hear that such information exists but the company doesn't have access or authority to it, because there wasn't employee consent written into the BYOD policy. "That's a real tension," he says.

Containerisation technology that separates business and personal apps and data on a single device, such as Samsung's Knox expected to be released later this year, can be a helpful starting point in not only ediscovery and meeting obligations in litigation but also asset control. The problem, of course, is that data has a way of getting tossed over the virtual wall.

Many employees will sign anything

On the other side of the argument, BYOD puts employees in a tough spot. Many feel pressured to waive their expectations of privacy when presented with a draconian policy, in order to not make waves in a tough job market. They see the General Counsel's actions a welcomed relief.

"The company wants them to use their own devices, and employees need to use them for their jobs. If the employee says no, they might not get hired or maybe even get fired," especially in situations where BYOD is mandatory, says attorney Paul Starkman, who heads the labour employment group at law firm Pedersen & Houpt in Chicago.

"A lot of employees feel they don't have a choice and will sign anything that's put in front of them and take their chances down the road."

The big hurdle in the discovery phase is, did the employee have a reasonable expectation of privacy in the communication or action? Or is the action of the employer justified? Starkman and Sussman agree that employers shouldn't pull passwords off a BYOD phones and tablets and start snooping inside personal email accounts and social networks.

Employees can further protect themselves even on corporate email by writing in the subject line of an email something to the effect of "privileged and confidential" or "not business related." This shows that the employee is seeking to protect the personal nature of the communication, Sussman says, "and may very well be respected by the court."

However, Sussman says that companies can make clear on a BYOD policy that it has access to personal information on the network and can leverage this to the extent that it's relevant to the case and potentially contradicts the statement made by a witness. "It's important and helpful to getting to the truth," Sussman says.

"We often see state courts coming out on both sides," Sussman says.

BYOD and polices still evolving

It's too early to tell how BYOD policies and the law will play out; BYOD is simply too new of a technology trend. As BYOD matures and companies become more sophisticated about the acceptable terms in a policy, Sussman predicts BYOD policies will shrink.

Already, Sussman's clients are looking for ways to streamline the BYOD policy. They want to know how to communicate the key points: improving the security of the organization and minimizing the risk of loss or theft, while establishing the rules of the road for employees -- that is, what's expected of them in a BYOD world.

"I think there's also the potential to have new clauses entered in, such as arbitration waivers and class claims," Sussman says. "It's an opportunity for an employer to have an agreement between the company and the employee that establishes, if this relationship breaks down, how are we going to resolve disputes?"