How are you reading this story—on your work phone or computer, or on a personal device that you use for work? If it’s the latter, you’re in the majority. Sixty percent of respondents in a 2014 survey said their companies already had a bring your own device (BYOD) policy in place, and another 14% said their companies were developing one. The year before, Gartner researchers predicted that half of employers would actually require their staff to use their own devices for work by this year.
There’s no comprehensive data to tell whether that’s happened, but it at least sounds plausible, and the upsides for companies are easy to see, like not having to buy and service hardware for every single person on staff. Nevertheless, corporate data and cybersecurity concerns are growing along with employees’ penchants for working from their own devices.
That’s led to the worry that, armed with BYOD policies, companies may be able to snoop on employees’ texts, photos, and personal emails or enforce code of conduct violations for not safe for work (NSFW) social media posts. But it turns out they’re much more interested in destroying information than rifling through it.
By and large, it’s employees who’ve unwittingly encouraged BYOD policies in the first place. In drafting them, companies are mainly scrambling to codify a behavior many of us have already adopted.
“Most IT managers have a pretty good handle on the company laptops, desktops, and mobiles,” Robert Siciliano, a security expert at BestCompany.com, explains, “but they are quickly losing control when employees bring [in] their new . . . mobile device and connect it to the corporate network.”
Probably no one sat you down the day you were hired and told you to start checking work emails on your own smartphone, but you’ve been doing it ever since—and putting your employer at risk in the process. “Now the IT guy has to worry if that last app you downloaded will infect other computers on the network,” Siciliano says.
What’s more, “Almost all businesses operate under some form of regulation where fines or penalties are imposed in the event of a data breach: the leak of personally identifiable information like names, addresses, account numbers, and health records.”
But so far, the protections employers are writing into BYOD policies, says Sonya Rosenberg, a labor and employment partner at the Chicago law firm Neal Gerber Eisenberg, “are kind of all over the map”—which for employees, can lead to confusion or worse.
If your company doesn’t have a BYOD agreement “and you just happen to use your own device for work,” Rosenberg explains, “then you certainly, as an employee, would have broader privacy rights.” Asked what those typically consist of, though, Rosenberg laughs. “Honestly, it depends.”
“It’s unlikely an employer would ever want access to your personal info in the normal course,” Mitzi Hill, an Atlanta-based technology attorney with Taylor English Duma LLP, tells Fast Company, and it “might not have a right to page through your photos if you simply make work calls from the road.” Plus, as Rosenberg points out, many “states have laws or are in the process of passing laws that prevent employers from accessing password-protected social media accounts.”
“But if you text, email, send web links, send photos, etc., for work from your personal device,” Hill cautions, “you may be inviting the employer into those more private repositories of information.”
It’s precisely those mixed-use situations that BYOD policies, and the technology that supports them, are meant to address. The most common way companies do that is by installing mobile device management (MDM) software on employees’ devices. And according to a 2014 white paper by the IBM-owned company Fiberlink (which sells an MDM product called MaaS360), any MDM solution worth its salt “should be able to parse what information it can access and what it cannot.”
Still, the situations that might impel your company to scroll through your photos or peek at your emails—let alone punish you for them—are pretty rare. Hill mentions two: when your employer “is subject to a lawsuit in which you could be a witness, or if you and [your] employer get into a dispute.”
But the law is only beginning to grapple with these questions, and in the meantime, usage agreements for company devices, Rosenberg says, usually aren’t written broadly enough to govern conduct on personal gadgets, too. That’s all the more reason, in her view, why BYOD policies are so important: “Otherwise you’re arguing about what an employer can and can’t do. If you have a policy that defines it, everybody knows what’s up.”
So if your employer isn’t using a BYOD policy to look over your selfie-taking shoulder, what might it be doing instead that you may not know about? Well, for one thing, reserving the right to wipe data from that iPhone you bought last year, used for work this week, and left in an Uber last night.
If that’s something many employees find troubling, it’s admittedly something of a nuclear option. The Fiberlink white paper reminds companies that “it’s all about context . . . If time wasters like Angry Birds rub against corporate policies but are not offenses, an immediate wipe is heavy-handed.” Most MDM tools let employers zero in on the data and assets that matter to them. By Fiberlink’s estimate, “some 86% of device wipes are selective; only corporate data is wiped.”
Another thing your employer may want to do under a BYOD agreement is keep tabs on when you log in and out of company accounts. The Fair Labor Standards Act requires employers to accurately track hourly workers’ time on the clock. As Rosenberg explains, “If an employee is still logging in at 12:30 a.m. to answer his boss’s emails, that raises some questions” about overtime pay, for instance, that an MDM solution could identify.
I started by asking how you’re reading this story, but it was only later that it occurred to me how I wrote it: mostly on my personal laptop. That realization didn’t hit me, though, until an email from a source I’d contacted for this story landed in my work inbox. When it did, I was out grabbing lunch, so I read it on my iPhone. Then I went back to scrolling Instagram.