Dorothy, the new IT Director for the Golden Brick Road Company, took one look at the computer security protocols and said, “Hackers, spammers, and scammers, oh my!” A hole she saw was Golden Brick’s BYOD (Bring Your Own Device) practice. Golden Brick cut costs by ceasing to provide smartphones to its employees. Golden Brick instead allowed employees to use their personal devices to access company email, cloud storage accounts, etc.
Dorothy thought it would be a good idea for Golden Brick to wipe those devices when an employee left the company or if the employee’s device was lost or stolen. She went to Golden Brick’s in-house attorney, the Wicked Witch of the West, and the CEO, the Wizard, with her suggestion. The Wicked Witch and the Wizard agreed that it was a good idea. Dorothy had a remote wipe program automatically upload onto the employees’ devices as they accessed the company’s systems.
The Wizard instructed the Wicked Witch to draft a BYOD policy. It was the end of day and the Wicked Witch had to rush out to get to the Flying Monkeys’ soccer game. She planned to write the policy the next day. Unfortunately, it rained at the soccer game and the Wicked Witch was no more. No one drafted a BYOD policy.
The Scarecrow, a Golden Brick employee, used his smartphone to access the company systems. A week after the Wicked Witch’s passing, the Scarecrow told Dorothy over lunch that he thought he lost his smartphone. Dorothy remotely wiped the Scarecrow’s smartphone. Fortunately (or not), the Scarecrow found the smartphone between his couch cushions. Everything on it was gone, from personal files to company data. The Scarecrow denied that he gave anyone permission to access his smartphone in that way. He hired a lawyer and sued Golden Brick.
What is an employer to do? It is becoming more frequent for employers to allow employees to use their personal devices to access the employer’s systems. This may improve efficiency and cut costs while creating a potential security hole and a legal headache. The use of personal devices raises questions of what rights the employer may have to access or wipe the personal device. A BYOD policy may help. A well-written policy in place should outline for both employer and employee the rights and expectations either have when an employee uses a personal device to access the employer’s systems.
Will the Scarecrow win his lawsuit over the remote wiping of his smartphone? Will Dorothy get her Ruby Slippers Bonus? Will the Wizard hire an attorney who is not water-soluble? A written policy could have helped answer one of those questions.
This post provides general information only and is not intended to create an attorney-client relationship or to be legal advice about a specific situation. Laws change and your situation may be different. You should consult with a licensed attorney for legal advice specific to your circumstances.