- ABA Groups
- Resources for Lawyers
- About Us
Orrie Dinstein is Chief Privacy Leader and Senior IT & IP counsel at GE Capital. The views expressed are his own. He can be reached at firstname.lastname@example.org.
Many companies are becoming familiar with a new term: BYOD (bring your own device), the buzz term for the use of personal devices in the workplace. As companies learn more about the meaning of BYOD, they either decide to embrace it or try to avoid it. This article will explore the drivers behind the BYOD phenomenon and suggest practical ways to survive a BYOD program without PTSD (posttraumatic stress disorder).
BYOD is part of a new trend commonly called “consumerization of IT.” Other elements of this trend include social media and cloud computing. How do these tie together?
Not long ago, a new employee who joined a large company would be met by an IT department member who would hand her a company laptop (likely a Dell, Lenovo, or other non-Mac computer), and possibly a mobile device (usually a BlackBerry), and introduce her to the corporate systems. These days, new employees increasingly rebel against this world. They come in with their MacBook or a tablet computer (like an iPad or a Galaxy) and their own smartphone (iPhone or Android), and they want to use online social media and cloud-based tools and apps to do their job. In other words, they don’t really need much from the company’s IT department, except that they want all of their devices connected to the company infrastructure. All of this makes up one key element in the origin of BYOD.
BYOD is also coming in from the top. CEOs are discovering and embracing the convenience of Apple and Android products and demanding that these devices get connected to the corporate network. That quickly cascades to the CEO’s direct reports. Somewhere along the way, the company realizes that these devices increase productivity and make employees happier. The company probably also begins to hope that if BYOD really works, the company can get out of the hardware business and stop deploying computers and phones.
These forces result in both bottom-up and top-down pressure to get BYOD implemented, and companies are finding it harder to resist these forces. So what is there to worry about? Why shouldn’t the company simply let BYOD in the door? Unfortunately, that path has many land mines, not all of them on the legal side. Below are a few of the main ones.
The first issue is ownership of the device, which has major implications for privacy laws and the rights in the data in the device and could create significant problems for companies when in litigation or conducting an investigation. If the company does not own the device, the company will have a hard time getting access to it when access is needed.
Next is the question of ownership of the data plan, which will have privacy ramifications affecting the company’s ability to access the data.
Ownership land mines also include an operational element—as employees use personal phones for work purposes, the challenge will be how to deal with work-related costs and how to reimburse employees for charges related to their phone, roaming, or data use in excess of their data plan. A simple program can quickly turn into an administrative nightmare of reviewing the monthly phone bills of all of the company’s employees.
Related to these issues is the security concern. Mobile devices involve hardware, software, carriers and apps, none of which is managed or controlled by a company, and that makes it very hard to ensure security for company data. In fact, many smartphone owners refuse to even have a password on their device.
Companies are unlikely to have built an internal skill set to provide technical support for Apple or Android devices, but is it prudent to let employees go to an external support place like Apple’s Genius Bar? If the device is connected to the company’s infrastructure, then the company’s data could be exposed, and that is a problem. If the device is synced to the cloud, company data will go outside the company’s control, which is not recommended. Even the use of Siri can cause problems, because all communications with Siri stay in the Apple cloud. (It was reported that IBM as part of its BYOD program disabled Siri on all Apple devices.)
Yet another area of potential trouble is the app store and the risk of employees unintentionally downloading malicious programs or intentionally “jail breaking” their device (in order to run non-Apple apps/software), which typically undermines the underlying security and controls for the device.
Another area of concern for companies is the parting of ways between the company and the employee (who either quits or is terminated) or between the employee and the device (namely a lost or stolen device). How can the company protect its data on the device? Unlike BlackBerry devices, Apple and Android phones do not have a native remote wiping feature. This means that when the device is gone, the data is gone and exposed; even if employees are forced to use a password, it may not protect the data against a sophisticated attacker. Where companies can remotely wipe the device, they face the dilemma of whether to wipe only the company data or the entire device, the latter of which carries the risk of harming the user if the data is not properly backed up.
Given these and so many other issues, BYOD is not as easy to do as may appear at first blush. So how can companies address these issues? The answer lies in two different sets of tools—one technological and one legal.
On the technology side, the key is to provide a clear separation between company data and personal data. Approaches vary:
Each solution has pros and cons in terms of the security and the user experience, but all of them are better than allowing unrestricted access to company data on a personal device.
A proper BYOD implementation uses contractual tools. This means that users will be required to sign an end-user agreement that will address many of the concerns mentioned above. This agreement will define the user’s rights and obligations, can grant the company rights vis-à-vis the device or the data on it, address the handling of charges and costs, deal with the process for troubleshooting technical issues, and address how to handle a data loss.
But this contractual solution also carries with it a lot of complications, especially for a multinational corporation. Companies need to determine what the law allows in each jurisdiction in which they operate.
In addition, companies will need to deal with unions (called works councils in European jurisdictions) where they exist and ensure that they agree with the terms of the agreement. Where a company doesn’t have a union, it still would be wise to determine if the terms of the agreement are fair, or else the agreement might not be upheld by a court or could hurt morale and undermine the otherwise positive effects of a BYOD program.
Even with a well-drafted end-user agreement, companies should recognize that BYOD raises thorny issues that have no simple answer. For example:
BYOD is a trend that is increasingly hard to resist or avoid in the corporate world, but dealing with it successfully requires a very careful strategy involving a mix of technology and legal tools, while remaining vigilant and prepared for the many pitfalls and tough decisions to be made along the way. This means that companies should ensure that BYOD is tackled at a senior level with members of the IT, Information Security, Legal, Compliance, and HR teams taking the lead in devising the right approach. No one has all of the right answers, and the technology is also still far from perfect, but with enough planning and thought, there’s no reason why a company can’t survive BYOD without a bout of PTSD.