The concept of “bring your own device” (BYOD) has been gaining ground over recent months and is now a key agenda item for many businesses considering whether to embrace the trend of allowing employees to use their own equipment for work. However, there is more to the debate than the potential cost savings—or flexibility—that BYOD can offer, and senior managers with responsibilities for IT, security, compliance and HR, in particular, will need to consider their options carefully. BYOD raises difficult data security and privacy issues including confidentiality, data ownership and access rights.


This article looks at the issues from a legal perspective and offers some practical, commercial guidance on how to handle BYOD.


Bring...it on?


BYOD could be considered the natural progression of technology in the workplace and enhanced employee benefits. Employees used to company mobile phones, Blackberries and laptops are routinely working in their own time and dividing their attention between company equipment and their own—newer and more powerful—smartphones and tablet devices. Many would prefer to have just one device, for work and personal use, whereas others are happy to keep the two separate.


The consumerisation trend has been aided by improved technology, broadband connectivity, cloud-based services and the availability of free or inexpensive applications, giving users more capabilities than ever before. The challenge for businesses is to harness these capabilities and the enthusiasm of employees to achieve the best results.


The first question is whether BYOD is an option for the company and its employees. This depends on the industry, location and size of the business, as well as on the information the business handles, the sensitivity of that data and the harm that would follow if it were lost or exposed. Companies should conduct a risk assessment covering all of these issues before implementing any new programme. For example:


  • What devices will you allow, and will employees be permitted to choose their own?

  • Can your existing systems and operating environment support these devices?

  • Will you offer IT support?

  • What will be the impact on other company policies?

  • What new security issues will the devices introduce?


Heavily regulated legal and financial organisations may conclude that BYOD is not for them, but other, more progressive organisations—perhaps in media or PR—may embrace it.


Your own?


Personal ownership of the device is central to the BYOD concept, but where the company contributes to the cost of the device and the individual uses it for work, there is an obvious tension over rights to information, confidentiality and privacy.


The company will be concerned to protect its trade secrets, confidential information and network security on any personal device used by an employee. In turn, employees want to use social networking and visit any website free from company rules, store all their personal photos and maintain a level of privacy for their personal lives without intrusion or fears that their data will be deleted.


These are some of the biggest challenges for BYOD, but company policies and training can help. To be enforceable, companies need to set the standards and explain the justification for the rules from the beginning. Employees may have a reasonable expectation of privacy on devices they own, but companies can reserve the right to monitor usage and access information held on the device in certain circumstances; for example, to investigate suspected fraud or a complaint of bullying and harassment. Companies may also be required to access e-mails and documents held on mobile devices for compliance and litigation purposes, and must preserve such evidence for disclosure. Courts will not look favourably on companies that do not have control over their own data and employees, regardless of who owns the device used to store it.


Policies are important, but companies must be consistent and make sure they work in practice and in harmony with other policies and procedures, such as the acceptable use policy, the IT security policy and human resource policies on equal opportunities and anti-bullying and harassment. Many companies address these issues by adopting a separate BYOD, or personal device usage policy (PDUP), cross-referenced to other policies with appropriate updates.


Device


Companies also need to consider the range of devices and the technology to be used. New devices are being created all the time, as are software packages and applications. Employees who choose their own device for work will come to know it well and may be tempted to install software or visit risky websites without considering the potential harm to the company. Since the device will be a portal to the company network, the company has an obvious interest in controlling downloads, data usage and "modding", that is, reconfiguring or removing the manufacturer's settings and restrictions (for example, by jailbreaking or rooting the device), which undermines the platform's built-in security controls.


As a minimum, the company should implement mandatory security controls, such as device encryption and strong passcodes, and train employees to keep and back up company data only in the "sandbox", a secure, separated area of the device reserved for company information. Mobile device management (MDM) software can help a company manage remote access to the device for software updates, compliance checks and, if necessary, to wipe company information from a device should it be lost or stolen. A remote wipe is only effective while the device can still be reached, so it should be issued as soon as loss is reported rather than after a period of waiting. Even if the device has dual functionality allowing the employee to separate company and personal information, there is a risk that a wipe will also remove personal information; whilst music and e-books can be downloaded again, personal photos and family videos may be irreplaceable.


For these reasons, the company must set out clear guidelines and minimum terms for employees and require them to consent to these measures before the device is enrolled. If a company does offer BYOD, it should retain control at every stage and make it clear to all users that BYOD is a privilege, not a right.


Editor's Note: The IAPP's recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.