
By Michael Bandemer and Robert Hichens, Huron Legal

The Gartner Group predicted Bring Your Own Device (BYOD) would be a top technology trend for 2013 with mobile devices surpassing PCs as the most common web access tool, and it appears they were right. The BYOD movement is characterized by the duality of competing forces. On one hand, it has provided companies with immediate business value and benefits. At the same time, it has also brought with it a host of legal and administrative risks, especially with respect to litigation, investigations and e-discovery requests. Smartphones, tablets, and laptops have blurred the lines between work and personal life. No matter where employees are, they can conduct business. As they do so, they take steps to create, manipulate, share, and delete data that may lead to liability for their employers. To avoid liability, organizations must first become aware of the risks and then take preventative measures to mitigate them. The following top ten considerations serve as a quick reference guide when navigating the topic of BYOD:

1. Embrace BYOD.

In today's fast-paced business environment, companies are increasingly permitting their employees to use their own devices, such as smart phones and tablets, to access email and calendars and to perform business functions. The BYOD movement has transformed employee work habits. According to a recent survey by Cisco, 42 percent of employees own a personal mobile device used for work purposes. BYOD is proliferating. People are bringing and using personal devices for work regardless of the policy, so it is time for recalcitrant organizations to get with the program and embrace that BYOD is here to stay, like it or not.

2. Understand the benefits of BYOD for the business.

There are, in fact, reasons for organizations to like BYOD. From a business value perspective, the effects of BYOD have been increasingly positive. Companies save money by not having to purchase and support new equipment. They also realize the benefits of a more flexible and productive workforce. The Cisco study estimates that the annual benefits from BYOD range from US $300 to $1,300 per employee, depending on the employee's job role.

To understand the specific BYOD benefits for your organization and as a precursor to managing BYOD, it is a good idea to consult with a sampling of key employees and management from the business units to ensure that the organization understands how employees actually use their devices for work purposes. Brainstorming with the business units may highlight some additional and unexpected benefits of a BYOD program at the company.

3. Develop (and continuously update) a BYOD Policy.

The first step in customizing BYOD for the company is to develop a companywide BYOD policy. The executive management team, including the legal, IT, security, and finance departments, should have input and representation in the creation of the policy.

Every organization will address the issue differently based on a variety of factors, including the nature of the workforce, the organization's litigation profile, applicable regulatory requirements, internal IT resources, and, of course, the nature of the data being produced. In general, the BYOD policy should clearly articulate the company's rights with respect to monitoring and accessing all the data stored on employees' mobile devices. It should address, in specific terms, an employee's obligations regarding device security, password requirements, and procedures for lost or stolen devices. Organizations should also include in the policy specific language about approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings. Develop reasonable restrictions. Advise users that, under the policy, they may be required to disclose passwords to websites and applications. The policy should also restrict the use of company data to legitimate company purposes.

Keep the company BYOD policy up-to-date by monitoring changing laws and regulations, and staying current with the pace at which new devices and applications hit the market. As you are drafting the policy, seek out templates for guidance. One helpful starting point is the White House's BYOD toolkit, which includes several sample policies.

4. Ask Yourself, Are BYODers Created Equal?

Equal isn't always good. A company needs to consider and develop its mobility use cases. Mobile workers come in all shapes and sizes, from road warriors to work-at-home employees to visitors and contractors. They may access a variety of applications and content, some of which may be sensitive. Some mobile devices may be fully trusted, such as company-owned laptops, tablets and smartphones, and these devices may be given broader access to data and content, while devices owned by employees or visitors' smartphones, tablets and laptops may have more limited access. Set up specific policies that describe the access that's appropriate for the different devices, employee types, employee job levels, job functions, etc. It is these very discussions and decisions that necessitate the business units' representation and engagement throughout the process.

5. BYOD = MDMS.

Use Mobile Device Management Software (MDMS). The primary challenge for companies today is the need to manage the risks associated with mobile access to data while securing company-issued and BYOD mobile devices. The intent of MDMS is to optimize the use and security of mobile devices while minimizing cost and downtime. MDMS secures, monitors, manages, and supports mobile devices across the enterprise. This software typically includes wireless distribution of applications, data and configurations to devices owned by the company and/or its employees.

For example, lost and stolen phones and tablets are unavoidable. By controlling and protecting the data and configuration settings, MDMS gives your company the ability to remotely lock the device or wipe its data in the event of theft or loss of a device or termination of an employee.

6. Communicate the Meaning of Life and BYOD.

Once a BYOD policy is developed, it must be communicated and explained to the employees so they are aware of the risks and legal implications of BYOD. The policy must clearly state the employees' responsibilities. In the world of mobile devices, employees have to accept more responsibility for protecting sensitive information on their devices than they did in the days of desktop PCs. Communication and education are the keys. Clearly outlining the risks and users' responsibilities for protecting themselves and the organization against security breaches is essential. Have employees sign a BYOD policy to positively acknowledge their understanding of the key elements of the program and the consequences for failing to abide by the policy. Employees should also realize and acknowledge that personal data on their devices may be subject to company review in the event of an investigation and/or litigation.

7. Prioritize BYOD Security.

Make data security a top priority. Employees move intellectual property outside the company in all directions and never delete it from where it lands. According to Symantec, 62% of employees say it is acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications; 50% of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40% plan to use it in their new jobs. It is not uncommon for employees to attribute ownership of intellectual property to the person who created it rather than to the company.

There is much at stake with BYOD from a security perspective. Gartner suggests that devices owned by employees will be compromised by malware at more than double the rate of corporate-owned devices through 2014. Other risks to corporate security stem from loss or theft of the device. Data governance software company Varonis recently surveyed organizations' BYOD habits and found that 50% of the Varonis survey respondents were aware of an incident where a device was lost; 22% acknowledged that the loss created a security issue for their organization. As such, companies should also take measures to encrypt their most sensitive data.

8. Trust but Verify BYOD.

"Trust but verify" was a Russian proverb often used by President Reagan in discussions between the United States and the Soviet Union. The phrase can be used today to describe a method for narrowing the "trust gap" between companies and their employees regarding the use of mobile devices. For example, a company might periodically audit the use of data on mobile devices by developing a plan to conduct specific and random samples of employees' use of personal devices under the BYOD policy. The company's BYOD policies should be enforced and monitored consistently and continuously. For data that is sensitive, confidential, or otherwise valuable, companies should manage and control where it resides and limit who has access to it. This is particularly important when the data is governed by federal statutes that penalize companies for not securing protected data, such as HIPAA-related data.

9. Consider B-Y-O-D beyond U-S-A.

For companies headquartered outside of the United States, or for those with business units or employees outside of the United States, certain specific BYOD considerations may have to be addressed. Many countries have data privacy protection laws more stringent than those in the U.S., which may limit a company's ability to access or search data on employees' mobile devices. For example, a company may be required to obtain employee permission and acknowledgement prior to managing or searching employee-related data stored on a BYOD device. That is a consideration that should be addressed in the BYOD policy. It is a potentially complex topic and one that should be addressed with local counsel and data privacy protection experts in the respective countries.

10. Bear in Mind BYOD and E-Discovery.

There are potential e-discovery pitfalls to consider with respect to BYOD. Many employees incorrectly believe that their own data on their personal devices is immune from employer intervention. But personal data stored on these devices may be compromised in the event of a security breach that requires remote deletion of the device's data, or collected for document review as part of discovery. Furthermore, if employees use their personal devices for illegal purposes, such as to harass other employees or to view child pornography, these devices and their data (potentially including company data) may be subject to discovery.

BYOD devices pose a number of discovery issues including spoliation, for example, where unknowing employees might delete text messages about a merger in favor of photos, music, or other mobile device content. Spoliation can lead to sanctions if there was a duty to preserve the data. On the opposite end of the spectrum, a BYOD employee may store work documents on a device or in a personal cloud, even though they should have been deleted under the organization's records retention policy. The company could be required to produce these files in future litigation.

Conclusion

BYOD is no different than BYOB... You need to develop a plan that works best for you, and you need to manage your consumption. BYOD can be very complex, so the best approach is to start simple and take measured steps as your company's implementation of BYOD matures.

Region: United States