I saw that there was a recent case in Ohio, Lazette v. Kulmatycki, where a company was found in violation of the Stored Communications Act, or SCA, because it didn't adequately tell employees how it monitors communications on BYOD devices. What sort of BYOD monitoring details should we include (or not include) in our policy?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The case is quite interesting for IT administrators because it actually does not involve a BYOD device. Rather, it covers personal use of a company-owned device.
In this case, Sandi Lazette sued her previous employer, Verizon Wireless, after discovering that her former supervisor used the cached credentials on her company-owned BlackBerry to access her Gmail account after the end of her employment with the firm. Lazette believed that she had removed her personal email account from the device before turning it in, but she had not actually done so. She alleged that her supervisor used the device to access her account over the next 18 months, reading her email and sharing it with others.
In June, the court overruled a motion by Verizon to dismiss the case outright, clearing the way for it to proceed to trial. This does not yet mean that Verizon has been found guilty of violating the Stored Communications Act, but it certainly does serve as a warning to IT administrators in firms that allow the personal use of mobile devices.
It is clear that, any legal claims notwithstanding, having knowledge of someone's username and password does not provide the right to use that information to access an account. Firms worried about the potential for similar litigation by their employees should consider adopting a standard process used to clear account information from mobile devices before reassigning them to other employees. The most straightforward way to achieve this would be to systematically wipe all of devices' contents before transferring their ownership.
Dig deeper on Information Security Laws, Investigations and Ethics
Related Q&A from Mike Chapple, Enterprise Compliance
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.continue reading
Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.