BYOD policy: Employee right to social media privacy is paramount

Violations of certain rights can land companies in hot water.

If your company lets employees bring their own devices for work purposes, you'd better have a formal BYOD policy, one that understands employee privacy rights and employer access rights.

Such policies are often crafted by legal experts for good reason. Violations of certain rights can land companies in hot water. Management consulting firm Janco Associates has created a 14-page BYOD policy template covering everything from help and support to disaster recovery to access control.

In the privacy section, Janco outlines legal issues.

Janco cites one of the cornerstone legal considerations, called the Stored Communications Act, or SCA. It deals with the disclosure of stored wire and electronic communication and transaction records retained by third-party Internet service providers, or ISPs.

Essentially, SCA prohibits ISPs from divulging a customer's content. Companies attempting to access electronic communications stored at an ISP without authorization can be fined or imprisoned. The employee can also seek a civil remedy.

There is a legal precedent favoring employee rights: Pietrylo v. Hillstone Restaurant Group in 2009, whereby a couple of employees created a MySpace page to complain to registered members about the company. Managers allegedly pressured one member, another employee, to give up her log-in ID and password to access the MySpace page.

The two employees who created the MySpace page were outed and fired, yet the court upheld the jury's verdict that Hillstone was liable for violations of the SCA.

One can only imagine similar scenarios playing out on a BYOD smartphone or tablet. These devices access an employee's Facebook page and other password-protected social networks and personal data residing on servers. With the rise of BYOD, technology and legal experts are now predicting employee lawsuits concerning privacy violations, unpaid overtime and other issues.

The message is, do not try to gain unauthorized access to an employee's private social networks, says Janco. You shouldn't even ask an employee to provide log-ins and passwords to a private site, because you may have to show that you didn't coerce or threaten the employee to comply.

"The Stored Communications Act is outdated as its authors never contemplated the prevalence of social media and Bring Your Own Device [BYOD] computing environment," Janco writes in its policy template.

"Companies don't have to stop monitoring because of the Stored Communications Act; they just have to be smart about it. If you ask the owner or administrator for access to a private site and they say no, walk away. Recognize the limitations imposed by employment and privacy laws on your ability to monitor employee sites."

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com.
