Recent Texas Case on BYOD Holds Important Lessons for Employers and Employees Alike
A recent Texas case holds several simple but important lessons for implementing BYOD (mobile) policies for employers and employees alike. In Rajaee v Design Tech Homes et al., (Dist. Court, SD Texas, 2014), Saman Rajaee sued his employer, Design Tech Homes, for remote wiping personal data from his iPhone shortly after Rajaee gave notice of resignation. Rajaee cited violations of both federal and state law. Although the case was dismissed in federal court, the state court claims are still pending.
Two key lessons for employers:
- Implement an enterprise mobility management (EMM) solution that allows separation of personal data from business data (including selective wipe as a feature of its mobile device management capability).
- Implement and educate employees on your BYOD policy (including remote wipe).
Two key lessons for employees:
- Know and understand your employer BYOD policies.
- Backup your personal data!!!
So What Happened?
In January 2012, Design Tech hired Rajaee in sales and marketing. Because Rajaee needed constant access to email, his personal iPhone was registered with Design Tech’s Microsoft Exchange Server. In February 2013, Rajaee gave two weeks’ notice of resignation. A few days later, Design Tech reset Rajaee’s iPhone—effectively wiping out all his business and personal data. The wiped personal data allegedly included “more than 600 business contacts collected during the course of his career, family contacts (many of which are located overseas and some are related to family business), family photos, business records, irreplaceable business and personal photos and videos and numerous passwords.” The opinion in this case does not identify exactly how the company had set up their mobile infrastructure but it is likely that they were using ActiveSync as their method of device wipe. The challenge with ActiveSync is that it cannot protect personal data. It can only do a complete device wipe, not a selective wipe of just the company data on the phone.1
District Court Dismisses Federal Claims
Rajaee alleged that Design Tech had violated the Electronic Communications Privacy Act ("ECPA") and Computer Fraud and Abuse Act ("CFAA"). The US District Court for the Southern District of Texas ruled against Rajaee on both counts. The court held that Rajaee’s personal data on his iPhone was not protected under the ECPA. It also held that Rajaee had not offered “evidence sufficient to raise a genuine issue of material fact that he sustained $5,000 in cognizable ‘loss’ under the CFAA.” For more on the case, here’s a link to the opinion: Rajaee v Design Tech Homes, et. al.
State Claims Not Dismissed
Because the court had dismissed the federal claims, it declined to exert jurisdiction over the state claims for misappropriation of confidential information, violation of the Texas Theft Liability Act, negligence, and conversion. However, the court noted that these were serious violations of state law. The outcome of the remaining claims remains to be seen but, needless to say, the case could have significant impact for Texas employers.
The EMM Difference—Using a Scalpel Instead of a Machete
It probably goes without saying---but had Design Tech employed an enterprise mobility management solution that separated personal data from business data, there would have been no deletion of personal data and, therefore, no case. MobileIron’s EMM platform, for example, provides administrators with the ability to selectively wipe corporate data from a personal mobile device while leaving personal data untouched. Personal data like photos is not even accessible to the enterprise administrator.
More importantly, however, sophisticated EMM solutions enable administrators to enforce security and control at the source rather than at the end point. The data on the mobile device becomes less important than the data accessible by the device. For example, the administrator can use the EMM solution to limit mobile device access to enterprise resources based on an employee’s function or department and to minimize the risk of company data ending up in a personal app.
Two Advantages of a Sound BYOD Policy
The first advantage of a sound policy is that it forces IT administrators, HR, and legal to work together to understand the implications of BYOD. Good policies don’t just happen, however. They require a well-designed mobile strategy, coordination, and care. But the payoff is that, under a sound policy, an IT administrator won’t arbitrarily reset an employee’s device, effectively wiping out all data—both personal and business.
The second advantage of a sound policy is that it sets employees expectations regarding privacy and security of personal data. As a protective measure, had Rajaee known that Design Tech’s policy was to remote wipe his device, he might have prepared himself by preparing a proper backup for personal data (see below). More importantly, however, a sound BYOD policy can help employees understand that, with proper EMM management, their personal data will remain private even while their company data is being secured. Such an understanding can make a big difference in closing the BYOD Trust Gap between employee and employer.
Employees should also regularly backup personal data as a matter of preserving it against any form of unexpected loss (not just an unanticipated employer wipe). Perhaps, when Rajaee got his iPhone, he decided not to use iCloud backup. The fact that Rajaee’s personal data was lost due to his employer’s actions may be relevant to this case but Rajaee could just as easily have lost his personal data had his mobile phone been lost or stolen. Had Rajaee adequately backed up his personal data, the data wipe would have been an annoyance rather than a catastrophe.
1 Interestingly, the court notes that neither Rajaee nor Design Tech’s network administrator could recall or determine how Rajee’s iPhone was connected to the network in the first place. Rajaee claims that he lacked the technical knowledge to connect to the network but Design Tech’s administrator denies having enrolled the device.