I saw that there was a recent case in Ohio, Lazette v. Kulmatycki, where a company was found in violation of the Stored Communications Act, or SCA, because it didn't adequately tell employees how it monitors communications on BYOD devices. What sort of BYOD monitoring details should we include (or not include) in our policy?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The case is quite interesting for IT administrators because it actually does not involve a BYOD device. Rather, it covers personal use of a company-owned device.
In this case, Sandi Lazette sued her previous employer, Verizon Wireless, after discovering that her former supervisor used the cached credentials on her company-owned BlackBerry to access her Gmail account after the end of her employment with the firm. Lazette believed that she had removed her personal email account from the device before turning it in, but she had not actually done so. She alleged that her supervisor used the device to access her account over the next 18 months, reading her email and sharing it with others.
In June, the court overruled a motion by Verizon to dismiss the case outright, clearing the way for it to proceed to trial. This does not yet mean that Verizon has been found guilty of violating the Stored Communications Act, but it certainly does serve as a warning to IT administrators in firms that allow the personal use of mobile devices.
It is clear that, any legal claims notwithstanding, having knowledge of someone's username and password does not provide the right to use that information to access an account. Firms worried about the potential for similar litigation by their employees should consider adopting a standard process used to clear account information from mobile devices before reassigning them to other employees. The most straightforward way to achieve this would be to systematically wipe all of devices' contents before transferring their ownership.
Dig deeper on Information Security Laws, Investigations and Ethics
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.