Note: this article was previously posted on Norse’s DarkMatters.
One of my favorite sayings about cyber risk is “an ounce of prevention is cheaper than the very first day of litigation.” A recent case provides a nice example of exactly what I mean. In this case, an effective BYOD policy could have saved this company tens of thousands of dollars, at least.
When Can a Company Remotely Wipe an Employee’s Device?
Consider this question: When is it lawful for your company to remotely wipe an employee’s (or former employee’s) device that was connected to your company’s network and contains its proprietary data?
It depends. If your company has a binding agreement with the owner of the device, such as an effective BYOD (bring your own device) policy, then it should provide the answer. If not, the only way to find the answer is through costly and time-consuming litigation.
The dispute in Rajaee v. Design Tech Homes, Ltd. illustrates this point nicely. In that case, the employee claimed that he had to have constant access to his email in order to do his job. His employer did not provide him with a mobile device, so he used his own personal iPhone 4.
His iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The employer and employee later disagreed over who connected the device to the network or whether it was authorized.
The employee resigned his employment and, a few days later, his former employer’s network administrator remotely wiped his iPhone, restoring it to factory settings and deleting all the data, both work-related and personal, from the iPhone.
The employee then sued his former employer, claiming that the employer’s actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos and videos, and numerous passwords.
He asserted claims for violation of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various claims under Texas state law.
The lawsuit was filed in August 2013. Thanks in large part to fine lawyering by my friend Pierre Grosdidier and his colleagues, who represented the employer, the case was dismissed in November 2014. While this was a “win” for the employer, that win came at a significant cost.
An Ounce of Prevention …
Litigation is not only costly, but it is also very time-consuming for management. It results in lost opportunities to further the company’s business objectives because finite resources must be devoted to the battle instead of to the company’s business. Of litigation, it is often said that the only ones who ever really win are the lawyers representing the parties. That is usually true.
In the Rajaee case, the employer was represented by a very well-respected “big” law firm that did an excellent job for their client. But, good lawyers come at a price and I am quite certain the lawyers in this case were not working for free. This case was litigated for about 14 months.
There were 43 entries on the court’s docket, which shows quite a bit of activity from the filed documents alone. That does not include the discovery that was conducted (which is not filed and does not appear on the docket), but motions listed on the docket show there were discovery disputes and that the parties were active in discovery.
What all of this means is money — lots of money that the employer paid in legal fees to get this win. Probably many tens of thousands of dollars in fees. From a practicing lawyer’s perspective, that is great because the clients get the win and so do we lawyers!
But the truth is, good lawyers do not want to see their clients waste money so we look at situations such as this and ask, “could this have been avoided?” This helps us in advising our clients on how to avoid such situations in the future.
In this case, with the benefit of 20/20 hindsight, had we been able to go back in time and advise a company such as this before the underlying situation arose, there was a much better way to go. First and foremost, the company would have listened when told “an ounce of prevention is cheaper than the very first day of litigation.”
Then, it would have acted on this advice by taking the following steps:
- There would have been a conversation between the company’s management, appropriate IT and security leaders, and legal counsel to discuss the company’s position on BYOD.
- The conversation would have considered if the workforce would even be allowed to use their own devices.
- If the answer was “no, BYOD will not be permitted” then appropriate policies and procedures would have been adopted and documented.
- If the answer was “yes,” then the discussion would have continued to address more specifics on how the company would manage BYOD and the many risks associated with it. Focusing only on the particular issues in Rajaee, the discussion would have resulted in the creation and adoption of a BYOD Policy (or another similar policy) that addressed a key issue as a condition precedent to authorizing and permitting use of the device: By connecting the device to the company network or using it for company business, the user would expressly agree that he or she authorized, and would permit, the company to access the device and securely remove its data at any time the company deemed necessary, either during the relationship or after. And, if the user did not make the device available within a certain period of time after demand, the user authorized the company to remotely wipe the entire device and restore it to its factory settings in order to ensure that its data was securely removed from the device.
- For either answer, yes or no, the company would have implemented and adequately trained its workforce on the policies and procedures to ensure they were aware of, understood, and agreed to abide by the policies and procedures.
- Finally, the company would have documented the implementation, training, and the worker’s agreement in a manner that could clearly be shown to a court should a dispute ever arise that involved such issues.
What is the Takeaway?
The lesson here is that all businesses must now understand that they are operating in the digital world, and in that world there are many risks that one would not ordinarily expect. That is why it is important for companies to proactively prepare for, and take steps to minimize, the risks of doing business in the digital world.
The Rajaee case focuses on just one of the many risks that need to be addressed.
The above steps are somewhat simplified but illustrate the process of how to address this issue. The company most likely would have paid less money to its lawyers to address the BYOD issue beforehand than what it would have to pay them to prepare and engage on the very first day of a lawsuit similar to Rajaee.
As you think about that, I will leave you with one more old saying, “A smart man learns from his mistakes. A wise one learns from the mistakes of others.”
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.