BYOD can put companies in legal bind: analyst

Things such as remote wiping a former employee's personal device that was connected to a corporate network can land companies in legal hot water, according to Tech Research Asia principal analyst Tim Dillon.

The growing trend of the bring-your-own-device (BYOD) model has the potential to put companies in legal strife, and some big organisations have already been burned by it, according to Tech Research Asia principal analyst Tim Dillon.

Dillon is very critical of BYOD, and claims that it can be a waste of money , though he does acknowledge that it's more of a case-by-case scenario as to whether that kind of arrangement will be effective in a business.

But one of the things that companies that have a BYOD program in place should be wary of is the legalities associated with staff using personal devices in a corporate environment, he said.

"The legality of where, when, and how we use these devices is not keeping up," Dillon said at the Informa BYOD: 2012 conference in Sydney. "Compliance, legality, and policy are lagging in where we are going."

One example of how companies can get tied up in legal dramas through BYOD is remote wiping devices. Many mobile device-management offerings facilitate the remote wipe of mobile devices in case of loss or theft. But what was designed to protect valuable company information can also backfire on the company itself, according to Dillon.

He recounted an incident where a large software vendor with a BYOD program and an extensive BYOD policy was sued after remotely wiping a former employee's personal device.

"The employee sued, and won a lot of money in that settlement," Dillon said, because even if an employee signs an agreement that allows the company to remote wipe their phone, the company can still be vulnerable to a lawsuit.

"Certainly, in some judgments handed down by Australian courts, they are more in favour of the individual rather than the corporate environment," Dillon said.

Then there is the issue of e-discovery, which encompasses electronic documents. A company could be asked by a court to surrender certain documents during a case. But if it has remotely wiped the documents because they were on the phone of a former employee, there will be a hole in the e-discovery process that can potentially be exploited, he said.

The Tech Research Asia analyst is a big proponent of the choose-your-own-device (CYOD) model, rather than BYOD. But Dematic CIO Allan Davis doesn't believe that CYOD will fend off these legal woes. He was presenting with Dillon at the BYOD: 2012 conference.

"With CYOD, you have an opportunity to apply some policies and make it a little more robust, but the whole question of having a device that's going to contain private and personal information is going to be a huge challenge to deal with," Davis said. "Each organisation has to review and define the information that is critical, and to make sure they can decide what can leave the four walls of the company."