I’ve been watching privacy issues here in the US and around the world, particularly as they pertain to BYOD. Let me tell you, 2014 was quite a year for privacy issues and individual rights.
Around the US we had a number of lawsuits by employees against their employers for expecting them to answer their phones and emails 24/7 but not paying them for this out-of-hours work. Then in May, the European Court of Justice ruled against Google, forcing Google to respond to demands to erase private information from browser listings – the so-called Right to be Forgotten. Then in July, US policing experts were stunned when, in a unanimous decision, the Supreme Court ruled that law enforcement may not look through a person’s cell phone or smart device without first obtaining a court order, essentially making a smartphone equivalent to a suspect’s home in terms of requiring a search warrant. And by the end of the year, six new states had joined the existing sixteen states that outlaw the practice of employers demanding access to employees’ social media information.
To me, all this implied a major shift away from business and employer rights toward individual and employee rights, and in doing so further muddied the water around BYOD. Let’s face it: traditional Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) require significant management of their BYOD devices. It might be possible to create environments where personal information is guaranteed to be protected, but I have to believe that the coding would be cumbersome in space, in effort and in administering such solutions.
In this article, Fiberlink claimed to have remotely wiped 81,000 devices in the first six months of 2014, with 49% of these being done without human intervention. In a separate report from Fiberlink, they stated that 86% of their BYOD wipes are of corporate data only. This implies that 14% include personal data. My arithmetic may be a little rusty, but this equates to over 11,000 personal data wipes in only six months. I think it goes without saying that many employees would find the deletion of private information reprehensible, but more importantly, does it expose employers to criminal or civil liability? And if it does not now, might it do so within a year or two? For example, the new General Data Protection Regulations in Europe extend the scope of the EU data protection law to all foreign companies, including US-based companies that process data of EU residents, with potential fines for breaches of a gigantic 5% of annual revenues. Might US law follow suit?
I’d already read this blog by my friend Jim Brashear, so I decided to ask him if all these trends suggest a sea-change in how BYOD privacy is perceived by the courts, employees and society in general. He advocated that we call up Phil Lee, an expert on European and US privacy law, based in Palo Alto, California, which we duly did.
What Phil shared with us was, for me, both surprising and concerning, and I immediately felt that business owners need to have this information. Hence I invited Phil and Jim to join me for a live discussion on January 27th so they can share that knowledge.
So please join me on Tuesday, January 27th, as Phil Lee and Jim Brashear discuss the changing legal perspectives on BYOD. You can sign up here.