Replace Candy Crush high score with email contacts on a personal iPhone used for work (BYOD), and you have the issue that a federal court in Texas recently tackled.
The answer follows after the jump…
This case presents a set of facts not unlike those which could easily arise in your workplace.
A salesman working for a residential home builder used his personal iPhone for work. This meant that his iPhone was connected to the defendant’s Microsoft Exchange Server, allowing the salesman to remotely access the company’s email, contact manager, and calendar.
When the salesman gave his two-weeks’ notice, the company remotely wiped the salesman’s iPhone, restoring it to factory settings and deleting all the data–both personal and work-related–on the iPhone.
So, the salesman subsequently sued his former employer, claiming violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, among other things.
No violation of the Electronic Communications Privacy Act
The ECPA makes it illegal to intentionally access electronic information without authorization. However, the court recognized that, in Texas, “information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.” So, no ECPA claim here.
No violation of the Computer Fraud and Abuse Act either.
Among other things, the CFAA makes it unlawful to cause $5,000 or more in damage to electronically stored information. But, to have a claim, there actually needs to be a “loss.” A “loss” encompasses costs to investigate and respond to an offense, and costs incurred because of a service interruption. Here, the salesman did not meet his burden of proving any costs he incurred to investigate or respond to the deletion of his data. Similarly, he could not quantify any service interruption. So much for the CFAA claim.
Takeaways for you.
I suppose, theoretically, an employee could quantify a $5,000 loss and present a viable CFAA claim. So, let’s talk about ways to mitigate against this.
If you are going to allow employees to BYOD, have a BYOD policy. And make sure that policy carefully spells out what information belongs to the employee (practically nothing) and what belongs to the company (just about everything). Also, ensure that employees (and former employees) are aware of the circumstances under which a device may be wiped. Finally, consider partitioning the device to help quarantine company information from personal information. Thus, the company would only need to wipe the information on the corporate side of the firewall.