BYOD: Has Your Company Addressed Its Privacy and Data Security Risks?

By Cameron G. Shilling

(co-authored by: Colleen Karpinsky Cone, VP Talent & Culture, DYN)

As published in ACC Docket (October 2015)

Bring your own device, or BYOD, presents significant privacy and data security risks to companies. To reduce these risks, businesses should implement appropriate written data security and information use policies and procedures, before a disaster occurs.

BYOD appeals to both companies and their employees. Employees prefer to select the type of mobile device they want to use for business and personal purposes. Companies use BYOD to avoid some or all the costs of purchasing and supporting mobile devices for employees, and to simplify the processes when hiring employees and when employees depart.

When an employee uses a personal device to perform work and access the data systems of the company, valuable business information accumulates on the device. The presence of that data on the device is a security risk if the device is lost, stolen, or compromised, and privacy concerns can arise if the company needs to access the device to recover its data. These issues should be properly addressed in written data security and information use policies.

Several state and federal laws require companies to implement security measures to safeguard sensitive information. The Massachusetts and California data security laws and the Health Insurance Portability and Accountability Act, or HIPAA, are good examples. These laws require encryption of ‘data in motion’, such as data transported on mobile devices, laptops, and USB drives, and data transmitted electronically by email and in other ways. BYOD companies often do not encrypt data in motion on employee-owned mobile devices, and devastating data breaches have resulted from the loss, theft, and compromise of such devices.

Mobile device management, or MDM, is currently a good technology solution for encryption of business data on personal devices. MDM is not only generally commercially available and technologically viable, it also provides companies with other benefits, such as the ability to monitor an employee’s remote business activities, and to remotely erase company data from lost and stolen devices and from the devices of departing employees.

Encryption technology also is readily available for laptops and business email systems; dual authentication virtual private networks, or VPNs, provide employees with encrypted access to company systems from offsite; and secure portals and similar technologies can be implemented for the encrypted transmission of large amounts of data. In short, encrypting sensitive data on personal mobile devices and during data transmission, like email, is no longer optional under data security laws.

Privacy concerns with personal devices present equally serious issues. The company data that accumulates on such devices mixes with personal data of the employee. Because the employee owns the device, the company does not have unfettered access to its data on the device, particularly for disgruntled and departed employees, and even cooperative employees can have legitimate concerns about handing over their personal devices to corporate officials. Also, the company has little (if any) control over apps that employees download to their personal mobile devices, and malicious apps pose threats to company data on the device and can provide access through the device to company servers and other data stores.

In addition to these difficult personnel issues, recovering business data from a personal mobile device can be a legal minefield. An unauthorized interception of an electronic communication, such as an email or text sent to a personal email account or cellphone number connected to the device, can violate the federal Electronic Privacy Communications Act. Likewise, unauthorized access to stored electronic communications, such as an employee’s Facebook, LinkedIn, or other social media account, can violate the Stored Communications Act.

Beyond those two federal statutes, an employee also may assert a common law claim that the company’s intrusion into the employee’s personal device violates the employee’s legitimate expectation of privacy. In 2014, the U.S. Supreme Court recognized in Riley v. California that, as a society, we have developed a strong sense that the data on our personal mobile devices is private. The Court explained its reasoning as follows:

Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life’ …. The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.

Sound information use policies and technology practices are the best solutions to avoid data privacy problems. A company should clearly notify its employees in its information use policy that the company owns its business data, and that employees cannot have any expectation of privacy with respect to their possession or use of it. A company also should notify its employees that the company has a right to access employee-owned devices to recover business data, and the company should establish parameters in its policy for doing so. And, company IT personnel need to be properly trained to avoid intentional and inadvertent violations of the federal statutes mentioned above when accessing personal devices.

BYOD is not likely to subside – if anything, its prevalence will increase. Companies that foster this practice should address the privacy and data security concerns of BYOD, by implementing appropriate written data security and information use policies and by adopting sound technology practices, like MDM and encryption.

What Does It Really Take To Be Data Security Compliant?

By Cameron G. Shilling

As published in NH Bar News (12/20/2016)

Most businesses know (or should know by now) that they must comply with state and federal data security laws and regulations. But business leaders often are unaware of what it really takes to do so. That is understandable. Data security seems complex, and technology consultants and vendors rarely try to demystify it for their customers.

Data security is just like any other legal or business risk management issue. The risk is managed through a process of collaboration between business leaders, information technology professionals, and qualified legal counsel. The process involves the following steps:

  1. Perform a risk assessment of the business’ physical, technological and administrative systems using the requirements and standards of applicable laws.
  2. Generate a report that identifies areas of non-compliance and risk, including a prioritization and chronological plan for remediation.
  3. Remediate vulnerabilities that can feasibly and financially be fixed within a reasonable amount of time.
  4. Create a written data security plan tailored to the procedures of the business.
  5. Train employees about data security compliance generally and the business’ procedures under the written data security plan.
  6. Perform periodic reassessments, including sub-assessments if new or different physical, technological or administrative systems are adopted.

Step 1 – the risk assessment – involves identifying the information a business has that is legally protected, for example, under state data security laws or under federal laws or regulations such as HIPAA, the Gramm-Leach-Bliley Act, or SEC or FCC regulations. The information is then mapped through its lifecycle (e.g., from receipt and creation, through use and transmission, to disposal and destruction), and areas of non-compliance or risk are identified using the legal requirements and standards of applicable laws and regulations.

This is a highly collaborative process between the leaders of the business, competent IT professionals (inside or outside the business, or both), and legal counsel experienced with this area of the law and qualified to understand technological and physical security matters.

Step 2 – the report – flows naturally from the areas of non-compliance and risk identified in the assessment. Priority is assigned to items that are relatively easy to remedy, do not comply with applicable law or entail significant risk, and a timeline is created for addressing the issues.

Step 3 – the remediation – is the process of identifying and implementing solutions to the vulnerabilities identified during the assessment and in the report. Remediating vulnerabilities often depends on the availability of technological or physical systems, and budgetary constraints of the business. It is common for a business to need 12-18 months to properly address all of the vulnerabilities identified in an initial data security risk assessment.

Step 4 – the written plan – is a policy created from the information gathered during the risk assessment and the remedies implemented or anticipated for the vulnerabilities. A plan created in the absence of a comprehensive risk assessment is a pure shot in the dark, and does not comply with state or federal law or accepted practice. No two data security plans are the same because no two businesses are the same, and there is no competent boilerplate form.

Step 5 – the training – is an integral component of data security compliance. Employees handle protected data on a daily basis, and thus need to be taught about data security generally as well as the business’ specific procedures as set out in the written plan. Likewise, properly trained employees know better how to avoid breaches, how to recognize an actual or potential breach, and how to properly respond in such circumstances.

Step 6 – the reassessment – is required and natural for any business committed to data security. Reassessments are used to address vulnerabilities from new or different technology, physical or administrative systems or external threats. Also, as a business that becomes data security aware, it frequently identifies previously unknown vulnerabilities and adopts remedies that enhance security beyond the measures implemented after the initial risk assessment and report.

Data security is not something that can or should be overlooked simply because a business does not understand how to become compliant. Just like any other risk management issue, security is accomplished through an established process of business leaders, IT professionals, and qualified counsel working collaboratively to implement an established process under applicable law.

Employers Liable Under Stored Communication Act for Accessing Employee Facebook and Gmail Accounts

By Cameron G. Shilling (originally published 9/25/2013)

Employers frequently access and review data created or stored by employees on company-owned electronic devices, such as computers, laptops, tablets (iPad), and cellphones (iPhone, Droid and Blackberry).  Well-crafted technology and social media policies specifically authorize employers to do so.  But, if not careful, employers can step over the line between permissible conduct and conduct that violates the federal Stored Communications Act (SCA).  The line between permitted and unlawful conduct is not always apparent,so employers need to be aware of the SCA and seek counsel before accessing or reviewing an employee’s electronic communications.Company-owned electronic devices are treasure troves of evidence of employee misconduct, particularly where employees use the devices to access personal email (Gmail, Yahoo!, etc.) or social media (Facebook, Google+, Twitter, Flickr, etc.).  Employers feel justifiably entitled to access and review data created and stored on such devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data, and that employees have no right to privacy.  As a general rule, the law supports employers here.

But the SCA imposes some limits on employers.  And, as few recent cases demonstrate, it is all too easy for employers to step over the line and violate the federal law.

In Deborah Ehling v. Monmouth-Ocean Hospital Service Corp., the employer terminated the employee based (in part) on posts she made on Facebook.  The court underwent a rigorous analysis to determine that the SCA protects Facebook posts, as long as the posts are limited to friends and not on the person’s public Facebook pages.  As the court explained,

“when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls” and the “privacy protection provided by the SCA does not depend on the number of Facebook friend that a user has.”

Although the employee’s Facebook posts were protected, the employer did not violated the SCA because it received the posts through a person authorized to access them: one of the employee’s co-workers, who was her Facebook friend, gave them to the employer.  However, as this court and others have recognized, an employer violates the SCA if it obtains an employee’s private Facebook posts by other means, such as (1) using a password retrieved from the hard drive of the employee’s company-owned electronic device or from a keystroke logger installed on the device, (2) accessing the account by using the employee’s company-owned device where the password populates automatically, (3) creating a fictitious person on Facebook to friend the employee, and (4) pressuring co-workers to divulge the employee’s Facebook posts.  In those circumstances, access to the Facebook posts would not be authorized under the SCA.

In another case, Sandi Lazette v. Verizon Wireless, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so.  Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal.  The court in that case (like many other courts) found that email stored in webmail accounts (like Gmail) is protected by the SCA, at least while the email resides unread on the servers of the service provider.

The employer made several unsuccessful arguments to avoid liability.  For example, the court rejected the argument that the supervisor was accessing only the company-owned Blackberry, recognizing that he was actually using that device to access an account on the Gmail servers.  However, an employer does not violate the SCA if it recovers an employee’s personal emails that are stored on a company-owned device, such as when the data is in a backup file or recovered from the “residual” space of a hard drive.  The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.  While consent need not be explicit, the court recognized that,

“Negligence is … not the same as approval, much less authorization.  There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.”

Technology presents legitimate opportunities for employers to monitor their employees.  It also presents potential pitfalls, some of which are not apparent.  Employers should continue to harvest valuable information from company-owned electronic devices, but also need to become aware of the SCA and seek counsel before accessing or reviewing employee electronic communications.

McLane Recognized as “Thought Leader” in Data Privacy

By Cameron G. Shilling (originally published 10/3/2011)

The leader of McLane’s Privacy and Data Security Group, Cam Shilling, has been identified and interviewed as a “Thought Leader” with respect to Data Privacy by Beagle Research Group, LLC.  You can read the interview at
Beagle Research Group, LLC is a market research and consulting firm focusing on front office business processes and white collar productivity.  The company is led by Denis Pombriant, who is a well-known analyst and thought leader in the CRM space.  Denis writes for CRM Magazine, Destination CRM, Search CRM, and CRM Buyer, conducts research in emerging areas of front office technology and business, and consults regularly to many of the leading companies in CRM.