Employees are increasingly using (and demanding to use) their personal devices to store and process their employer's data, and connect to their networks. This "Bring Your Own Device" trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost savings are not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable. Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This blog post identifies and explores some of the key privacy and security legal concerns associated with BYOD, including "reasonable" BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.
Tanya Forsheit recently appeared on Fox to discuss the Supreme Court's evaluation of GPS surveillance under the Fourth Amendment in US v. Jones. The case raises important issues regarding technology, aggregation of data, and privacy expectations with respect to location information.
Does "segregation" of records from another organization's records in a cloud that prevents "intermingling" preserve an organization's reasonable expectation of privacy vis-a-vis the government under the Fourth Amendment? One recent case, although not about a cloud of any shape or form, suggests that it might. In In re SK Foods Inc., No. 2:09-cv-02938, the United States District Court for the Eastern District of California stayed the Bankruptcy Court's order that would have allowed the Trustee to continue to possess and review information relating to third party non-debtors pending appeal. Why? There was evidence suggesting that, despite residing on shared computer servers, the data of the third parties had not been "intermingled" with the debtor's data, the servers belonged to a third party, the debtor could not access the third party records without authorization, and the third parties demanded return of their records once the Trustee intervened. Read on for a detailed review of the District Court's order and consideration of its implications for the cloud.