Mobile Device Management: What’s Legal, What’s Not?

Defining a clear and detailed mobile device management policy for your small business is the best way to stay within the bounds of the law

Max Robinson is well aware that all activity on his company-issued cell phone is monitored by management, including emails and text messages. Call it Big Brotherish, but the policy is clear. Company phones are for work purposes only, according to Robinson, who works for Aims Media, a UK-based digital marketing and web design agency.

"We all leave the phones in the office at the end of the day to ensure that we don't use them for anything not related to work," he said.

Establishing this type of clear and detailed mobile device management policy, in writing, is the best way to make sure your company is lawful when controlling, monitoring and accessing information on employee devices like smartphones, laptops, tablets and wearables, say technology and legal experts.

In the absence of broad or sweeping federal laws outlining which information employers are allowed to control, access and read, it is also crucial to make sure employees have read and fully understand the policy. This helps ward off lawsuits, and it makes your case stronger in court if a suit is filed.

"In a lot of cases, there are no laws that outline what is considered personal information and what is not. Federal and state lawmakers are struggling to understand this," said James Goodnow, a director and technology attorney with the Fennemore Craig law firm. "Policies should spell out what happens with personal information, health information, texts, social media and more."

Gray areas

Some states have laws and regulations governing which types of personal data employers can legally read and access on mobile devices, while others don't. Among those that do, rules vary widely from one to the next.

Within certain industries, particularly highly-regulated industries such as healthcare and finance, strict federal and state laws exist on what types of data employees can access, and how, according to Ken Moyle, and in-house lawyer and public policy executive for K6 Partners, a Bellevue, Washington-based company that provides digital business consulting and legal services.

However, while industry laws cover what employers must do to protect their sensitive information, they don't address employee rights. They say what companies are required to access and control, not what they can't.

Most of the experts I spoke to recommend hiring an attorney or consultant who specializes in technology issues to draft a mobile device management [MDM] policy that complies with any applicable state or industry-specific laws, and one that protects the company if an employee sues for invasion of privacy over mobile monitoring. The cost can range from $5,000 to $10,000 for very small businesses up to six figures for large enterprises.

According to Steve Pike, senior director of device and mobility services at CompuCom, most courts will side with the company in an invasion of privacy or similar lawsuit if a clear policy was in place and the employee understood it. "However, that doesn't mean an employee can't sue," he said. "It's up to the judge to decide if there was malice."

"Businesses shouldn't be in gray areas. Employers need to make sure they are specific about everything." – James Goodnow, director and technology attorney with the Fennemore Craig law firm.

When there's no policy in place, or if the policy does not address the employee's specific concern, Goodnow said, courts usually make a determination based on what they believe to be a "reasonable" expectation of privacy.

"Reasonable is a gray area," he said. "Businesses shouldn't be in gray areas. Employers need to make sure they are specific about everything."

BYOD vs. company-owned devices

If legal issues surrounding mobile device management weren't murky enough, they're further complicated by the issue of who owns the device.

Generally, a company has far more leeway to monitor, access and control a device if they provide it to the employee, Pike said. An MDM policy still needs to be in place, and there are still some types of data the employer can't access, including health information from apps like Fitbit of Apple Health. But the employer is better protected overall, he said.

"In that case, there's a clear line in the sand that says, 'You signed up for this,'" Pike said. "We're going to give you this device as long as you behave."

Bring-your-own-device [BYOD] polices get trickier. Detailed policies are even more crucial because the employee has a greater right to privacy, Goodnow said. A company must request permission to access a portion of the device, and they're restricted to accessing only that portion.

Most companies use third-party applications to do this such as VMware AirWatch or Citrix XenMobile. An app installed on the device limits company access to email, document management systems and the like, Goodnow said. The app may allow the company to remotely shut off the device if it is lost or stolen, or if there's a company data breach.

Moyle, the K6 Partners executive, said companies often also require an employee to use stronger password and authentication credentials than they normally would for personal devices.

Despite the increased complexity of BYOD policies, they're increasingly common. Technology research firm Gartner predicts that half of employers will require employees to use their own devices for work by 2017.

MORE: How to Get Mobility Right: Resources for BYOD

This leaves companies large and small looking for resources and advice on how to best craft a BYOD policy that protects their own interests but also respects employees' privacy rights.

Scott L. Vernick, a partner at Fox Rothschild LLP who represents large companies on litigation involving technology, privacy and more, has published a step-by-step guide on how to do so.

Vernick points out in his guide, "How to Draft BYOD Policies: A “Bring Your Own Device” Legal Primer," that failing to have a BYOD policy has proved costly for employers who have lost privacy cases in court.

BYOD polices should clearly explain how the device will be used and maintained, Vernick said, and they should outline procedures for the use of passwords, encryption and reporting of lost or stolen devices. Policies should specify the employee's responsibilities related to the security, retention and protection of company data, he wrote.

Employers should craft policies that are easy to understand and readily accessible to employees, according to Vernick, and they should provide training to explain the policies. Securing the employee's consent to the policy is crucial, too, as is consistent enforcement.