The "Bring your own device" conundrum for organizations and investigators: An examination of the policy and legal concerns in light of investigatory challenges

Authors

Carla J. Utter, University of Maryland University College
Alan Rea, Western Michigan University; University of Maryland University CollegeFollow

Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)

Abstract

In recent years, with the expansion of technology and the desire to downsize costs within the corporate culture, the technology trend has steered towards the integration of personally owned mobile devices (i.e. smartphones) within the corporate and enterprise environment. The movement, known as “Bring Your Own Device” (hereinafter referred to as “BYOD”), seeks to minimize or eliminate the need for two separate and distinct mobile devices for one employee. While taken at face value this trend seems favorable, the corporate policy and legal implications of the implementation of BYOD are further complicated by significant investigatory issues that far outweigh the potential benefits of integrating a BYOD policy. In this paper we first set a context for the BYOD conundrum, then examine associated corporate policies, highlight the limitations to the digital investigator’s reach regarding digital evidence and review the investigatory challenges presented to the involved parties (such as the forensic examiner) from a BYOD environment. We conclude by offering recommendations such as implementing finely crafted policies and procedures (such as incident response), utilizing Mobile Device Management and other software, corporate owned devices, and enforcing signed agreements.

References

Apple, Inc. (2014). Apple Configurator Help. Retrieved 07 07, 2014, from Apple Configurator Help: http://help.apple.com/configurator/mac/1.5/#cadf1802aed

Apple, Inc. (2014). Legal Process Guidelines: U.S. Law Enforcement. Retrieved January 2015 from https://www.apple.com/privacy/docs/legal-process-guidelines-us.pdf

Barnes, N. M. (2013, 09 26). BYOD: balancing privacy concerns against employer security needs. Retrieved 06 10, 2014, from LEXOLOGY: http://www.lexology.com/library/detail.aspx?g=1109490a-6895-40f0-a7a3-afc714316165

BlackBag Training Team. (2012, 02 23). iPhone Forensics: iPhone and iPad Forensics in a BYOD Enterprise Environment. Retrieved 06 10, 2014, from BlackBag Technologies: https://www.blackbagtech.com/blog/2012/02/23/iphone-forensics-iphone-and-ipad-forensics-in-a-byod-enterprise-environment-2

DiMarco, C. (2013). Who's Afraid of the Big Bad BYOD? Insidecounsel, 62-64.

Gatewood, B. (2012). The Nuts and Bolts of Making BYOD Work. Information Management Journal, 26-30.

Haney, C. (2013, 11 05). Spoilation of Electronic Data Results in Severe Sanctions. Retrieved 06 23, 2014, from American Bar Association Litigation News.: http://apps.americanbar.org/litigation/litigationnews/top_stories/110513-spoliation-electronic-data.html

Heaton, B. (2013, 10 7). The Legal Implications of BYOD. Retrieved 06 10, 2014, from Government Technology: http://www.govtech.com/The-Legal-Implications-of-BYOD.html

Hinkes, A. (2014). BYOD Policies: A Litigation Perspective. Retrieved 06 10, 2014, from ABA Section of Litigation: Section Annual Conference: http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2014_sac/2014_sac/byod_policies.authcheckdam.pdf

Hunter, B. (2014, 07 01). Forensic Analyst/Instructor. BlackBag Technologies. (C. Montroy, Interviewer)

Intel Corporation. (n.d.). Moore's Law and Intel Innovation. Retrieved 06 13, 2014, from Intel.com: http://www.intel.com/content/www/us/en/history/museum-gordon-moore-law.html

Konvisser, J. B. (2013, 08 08). Personal Email Privacy in a BYOD Environment-a View From The Bench. Retrieved 06 11, 2014, from Lexology: http://www.lexology.com/library/detail.aspx?g=3fac96b7-b1f2-43af-a83b-0520bc4a613c

Manes, G. W. (2013, 03 027). Avansic Whitepaper: Bring Your Own Device. Retrieved 06 10, 2014, from Avansic: http://www.avansic.com/News/Story/217/

McGrath, S. (2014). Create A Mobile Device Policy Your Employees Can Trust. Computer Weekly, 25.

Mears, B. (2014, 06 25). Supreme Court: Police need warrant to search cell phones. Retrieved 06 26, 2014, from CNN.com: http://www.cnn.com/2014/06/25/justice/supreme-court-cell-phones/index.html?iref=allsearch

Montana, J. (2005). Who Owns Business Data on Personally Owned Computers? The Information Management Journal, 36-42.

Nelson, B. P. (2010). Guide to Computer Forensics and Investigations. Boston: Course Technology.

Romer, S. A. (2013, 09 04). Federal court Applies Stored Communications Act protection to Employee Social Media Pages. Retrieved 06 11, 2014, from Lexology: http://www.lexology.com/library/detail.aspx?g=155e106e-2bf9-4822-925f-7aa8c6aaa835

Schweik, C. (1995). Electronic Mail, Privacy, and the Public Sector: Guidelines for Public Employees and Organizations. Employee Responsibilities and Rights Journal, 275-293.

Spinello, R. (2011). Cyberethics: Morality and Law in Cyberspace. Sudbury: Jones and Bartlett.

Recommended Citation

Utter, Carla J. and Rea, Alan (2015) "The "Bring your own device" conundrum for organizations and investigators: An examination of the policy and legal concerns in light of investigatory challenges," Journal of Digital Forensics, Security and Law: Vol. 10 , Article 4.
DOI: https://doi.org/10.15394/jdfsl.2015.1202
Available at: https://commons.erau.edu/jdfsl/vol10/iss2/4