What are the legal risks and concerns with BYOD?

What are the legal risks and concerns with BYOD?
Many organizations are currently struggling with Bring Your Own Device policies and procedures. The reasons for these struggles are varied. IT departments are often under funded and may not have the internal technical expertise to handle the numerous devices on the market. Similarly, internal legal and compliance departments may not fully grasp the technological challenges and resulting legal implications raised by BYOD.

Mobile devices are not like other technology - the reason for this is in the name: these devices are "mobile." So, they're easily lost and stolen. According to a July 2012 survey published by Credant Technologies, a data protection solutions provider (acquired by Dell in December 2012), airport travelers "left behind 8,016 mobile devices at seven of the largest airports in the country, including: Chicago O’Hare, Denver International, San Francisco International, Charlotte Douglas, Miami International, Orlando International and Minneapolis/St. Paul." The following types of mobile devices were left behind:
  • Smartphones and tablets: 3,444 (43.0%)
  • Laptops: 3,576 (44.6%)
  • USB drives: 996 (12.4%)

This is particularly problematic for companies, because in February 2012, Javelin Research found that 62 percent of smartphone users do not employ a password on their mobile devices.

What are the legal risks and concerns with BYOD?

There are a number of legal risks and concerns with using a Bring Your Own Device model. These concerns include:

  • Compliance
    • Certain industries, such as healthcare, finance, and insurance are highly regulated. Healthcare companies using BYOD must be particularly careful because of special regulatory risks and challenges raised by HIPAA and state data privacy and security laws.
    • Many companies have internal controls to protect confidential information. As the Credant Technology research illustrates, mobile devices of all types are easily lost. As a result, compliance with internal controls to protect confidential information may be problematic.

  • Breach Notification laws
    • Almost every state has a breach notification law and healthcare organizations must also comply with HIPAA/HITECH (and certain other companies must comply with the FTC). When a mobile device is lost, companies must ascertain what was on the device, and who must be notified. These risks can be mitigated with encryption.
  • Data Destruction and Disposal laws
    • Many states (at least 29 as of October 2013) have laws in place requiring that businesses destroy, dispose, or otherwise make personal information unreadable or undecipherable. These laws often address both paper records and digital devices. Nevada, for example, requires that businesses who "[t]ransfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the [business]" must first "use[] encryption to ensure the security of electronic transmission." NRS  603A.215.
  • Litigation Holds – Where is your data?
    • A company that is reasonably anticipating litigation is required to preserve all forms of relevant information. Preserving data may be problematic when companies are in a BYOD environment.
  • Wage and Hour laws
    • Wage and hour laws are implicated when hourly employees are working what would be considered "overtime". On the one hand, companies want their employees to work whenever and wherever it is most convenience for the employee. On the other hand, failing to comply with wage and hour laws can be very costly.
  • Malpractice issues for doctors
    • Healthcare providers also have special malpractice risks with mobile devices. Doctors, nurses, and others using mobile devices can become easily distracted by texting, social media, and other apps available on mobile devices. This distraction can lead to a medical error because the doctor or nurse can forget to do a specific task or acknowledge that the task has been completed. In a 2011 article, the New York times gave a real-life example:
Scott J. Eldredge, a medical malpractice lawyer in Denver, recently represented a patient who was left partly paralyzed after surgery. The neurosurgeon was distracted during the operation, using a wireless headset to talk on his cellphone, Mr. Eldredge said.

“He was making personal calls,” Mr. Eldredge said, at least 10 of them to family and business associates, according to phone records. His client’s case was settled before a lawsuit was filed so there are no court records, like the name of the patient, doctor or hospital involved. Mr. Eldredge, citing the agreement, declined to provide further details.

Resources and Sources:

November 2016

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)