Blog: Personal Data Security and the “BYOD” Problem: Who is Truly at Risk?

By: Jill Smaniotto, Associate Manuscripts Editor

“Bring your own device” policies are undeniably on the rise in the realm of business IT.  According to a recent survey, roughly two-fifths of U.S. consumers working for large enterprises use their personally-owned devices—i.e., smartphones, tablets, or desktops—for at least some aspect of their work.[1]  Generally, concern surrounding the practice of BYOD has been in regard to the risk of misappropriation of corporate data (i.e., that of the employer’s customers).  However, a recent case has shed light on another area for concern: the risk to employee data when the employer/employee relationship sours.

“Bring your own device” or “BYOD” is a phrase that has become widely adopted to refer to the practice of employees bringing their own personal computing devices to the workplace for use on the corporate network.[2]  In recent years, a shift in IT culture has taken place: the consumerization of IT.[3]  Essentially, there has been a shift from an IT-department-driven culture to one in which consumers are getting the newest, latest technologies ahead of their corporate counterparts.[4]  In turn, these consumers are finding their own personal devices are better suited for their work than those provided by employers.[5]

This use of personal devices to handle corporate data on secure corporate networks is occurring regardless of whether employees have employer consent to do so.[6]  In fact, a survey conducted by ZDNet indicated that only one-quarter of all enterprise employees surveyed are required by employers to bring their own device, suggesting that the remaining three-quarters were doing so without their employer’s consent.[7]  This raises several concerns for data security, as corporate entities are generally not in control of the data accessed via personal devices when employees use those devices without the employer’s consent.

Similarly, small and midsized businesses are embracing the use of BYOD policies at a rapid pace, while failing to address security risks at the same pace.[8]  The cost-saving benefits of operating under BYOD policies are also to blame for the lack of security solutions in place in small, low-capital companies.[9]

Despite the risks, software companies are beginning to encourage the adoption of BYOD policies by offering services to put in place security solutions.[10]  By employing one of these “solutions,” companies can set safeguards for their customers’ data, while allowing the company and the employees to reap the benefits of BYOD.  For example, IBM emphasizes that BYOD increases employee productivity and satisfaction as employees are more comfortable with their own devices.[11]  Additionally, BYOD programs may result in minimal savings for the company, as it shifts the cost to the employee/user.[12]

While the focus is primarily on the risk to company/consumer data, there has been little addressing the risk BYOD poses for the employee/user’s data.  Last week, the U.S. District Court for the Southern District of Texas decided a case addressing that very risk.[13]  In Rajaee v. Design Tech Homes, Ltd., plaintiff Saman Rajaee asserted a claim for loss under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.[14]  Rajaee was formerly employed by the defendant, Design Tech Homes, in a position that required he have constant access to email in order to address customer questions and concerns.[15]  Design Tech did not provide Rajaee with a cell phone or smart device.[16]  Instead, Rajaee used his own personal iPhone to conduct his work for Design Tech via a remote access connection to Design Tech’s Microsoft Exchange Server.[17]  Roughly one year after he began working for Design Tech, Rajaee notified Design Tech that he would be resigning in two weeks, and Design Tech immediately terminated Rajaee’s employment.  Shortly thereafter, Design Tech’s network administrator remotely wiped Rajaee’s iPhone, deleting all work-related and personal data.[18]

Rajaee filed suit against Design Tech under the CFAA, alleging that the company’s indiscriminate wiping of his iPhone caused him to lose “more than 600 business contacts collected during the course of his career, family contacts (many of which were overseas and some related to family business), family photos, business records, irreplaceable business and personal photos and videos and numerous passwords.”[19]

Under the CFAA, “loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”[20]

Here, the Court held that while Rajaee did assert losses as a result of the defendant’s actions, he did not assert cognizable loss under the CFAA.  The Court noted that Rajaee’s assertions of monetary values corresponding to his “losses” were not supported by any evidence, and that he failed to produce any evidence relating to his response to the data’s deletion or damages suffered as the result of an “interruption of service.”[21]  Accordingly, the Court granted Design Tech’s motion for summary judgment and dismissed Rajaee’s claim under the CFAA.[22]

The Court’s ruling in Rajaee is troubling in that at this stage, it appears as though there is little recourse for employees who suffer due to their employers’ choices to implement BYOD policies.  Where individuals run the risk of losing personal photographs, messages, and contact information, that risk is further exacerbated by the very nature of such personal data, making it nearly impossible to quantify loss.  It seems as though participation in BYOD programs by employers is on a track to become relatively low-risk, while all of the risk rests with the employee/user, who may be completely beholden to the whims of the employer.

 

[1] Zack Whittaker, Bring-Your-Own-Device Gains Traction in the U.S. – Even if Enterprises Aren’t Ready Yet, ZDNet (Oct. 21, 2014), http://www.zdnet.com/bring-your-own-device-gains-traction-in-the-u-s-even-if-enterprises-arent-ready-yet-7000034925/.

[2] Vangie Beal, What is Bring Your Own Device (BYOD)?, Webopedia (last visited Nov. 16, 2014), http://www.webopedia.com/TERM/B/BYOD.html.

[3] Tony Bradley, Pros and Cons of Bringing Your Own Device to Work, PCWorld (Dec. 20, 2011, 10:42 PM), http://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html.

[4] Id.

[5] See Whittaker, supra note 1.

[6] Id.

[7] Id.

[8] Pedro Hernandez, Small Biz Mobile Security Lags Behind BYOD Adoption, SmallBusinessComputing.com (Nov. 13, 2014), http://www.smallbusinesscomputing.com/News/Security/small-biz-mobile-security-lags-behind-byod-adoption.html.

[9] Id.

[10] See BYOD: Bring Your Own Device: Why and How You Should Adopt BYOD, IBM (last visited Nov. 16, 2014), http://www.ibm.com/mobilefirst/us/en/bring-your-own-device/byod.html; BYOD – Bring Your Own Device, MobileIron (last visited Nov. 16, 2014), https://www.mobileiron.com/en/solutions/byod; BYOD Smart Solution, Cisco (last visited Nov. 16, 2014), http://www.cisco.com/web/solutions/trends/byod_smart_solution/index.html.

[11] IBM, supra note 10.

[12] Id. 

[13] BYOD-Covered Employee Cannot Prove CFAA Loss After Company Remotely Wiped Phone, 19 Electronic Com. & L. Rep. Online (BNA) (Nov. 13, 2014).

[14] Rajaee v. Design Tech Homes, Ltd., No. H-13-2517, 2014 U.S. Dist. LEXIS 159180, at *3 (S.D. Tex. Nov. 11, 2014).

[15] Id. at *1.

[16] Id. at *1-2.

[17] Id. at *2.

[18] Id. at *3.

[19] Rajaee, 2014 U.S. Dist. LEXIS 159180, at *3.

[20] Id. at *8-9 (citing 18 U.S.C. § 1030(e)(11)).

[21] Id. at *9-10.

[22] Id. at *11-12.