Have Your Cake and Eat it Too - How a Proper Plan Can Help Your Company Benefit from a BYOD Workplace (Authored by Faruki Summer Associate Tammy H. Winkler at twinkler@ficlaw.com)

Bring Your Own Device (BYOD) is a movement that allows employees to use their own mobile devices for both work-related and personal use.  Today, more than ninety percent of employees use their own smartphones for getting their work done, and the global BYOD market is projected to reach USD 350 billion by 2022.  BYOD presents companies with a plethora of new risks and challenges.  Companies must be prepared to face unwanted regulatory scrutiny and potential legal liabilities whenever their employees use personal devices for work-related tasks.  A comprehensive BYOD policy takes into account the concerns of both the employer and its employees;  appropriate BYOD plans, therefore, must consider the type of business and the data that needs protection.  Following are five things to keep in mind as you assess whether a BYOD policy is right for your company.

1. Increased Productivity and Higher Morale

BYOD policies may increase productivity by allowing employees to use devices on the job that they are already familiar with.  The portable nature of mobile devices also gives workers flexibility for when and where they can perform their work-related tasks.  Allowing employees to use their own devices can also decrease equipment costs for employers since they can forgo purchasing laptops, tablets, and smartphones for their employees.  These benefits combine to create higher morale, greater productivity among employees, and increased profits for employers.

2. Employee vs. Employer Rights

Monitoring privately-owned devices creates a delicate balancing act for companies.  Excessive monitoring may invade employee privacy;  whether the invasion is real or perceived has its own consequences to explore.  Workers may be concerned their employers have inappropriate access to personal contacts, photographs, finances, health data, and other information.  Conversely, insufficient monitoring increases a company's susceptibility to breach and data loss.  An effective BYOD policy maximizes security while protecting employee privacy.  For strategies on how to balance these interests, and identify and minimize the legal risks involved with BYOD plans, check out this article.

3. Security Issues[1]

The possibility of a security breach is one of the biggest risks in allowing employees to use their personal devices to access enterprise services and data.  There are several potential sources of a security breach on a personal device to be aware of.[2]  Fortunately, there are a variety of solutions that can help minimize threats to security and support a safer BYOD program.

Many companies use enterprise mobility management (EMM) solutions, such as mobile device management (MDM) and mobile application management (MAM), to manage the risk of BYOD programs.[3]  These programs "provide an environment that isolates the enterprise applications and data from the rest of the device."[4]  Strong authentication is required to access work-related materials, which in turn are "encrypted to protect the organization's sensitive data and applications."[5]  In the event of a lost device or employee termination, the protected environment can be remotely wiped to remove only the enterprise data, while keeping the employee's personal information and apps intact.

There is no "one-size-fits-all" approach when it comes to security.  Understanding the security risks involved with BYOD policies, as well as the necessary financial and overhead measures needed to help alleviate those risks, can help you determine whether your business is capable of supporting a BYOD policy.

4. Spillage

The threat of "spillage," or information seeping out of the confines of the company's protected network, is one specific security challenge that limits the amount of control an employer has over its networks.  Think of information security like a hidden treasure chest, and sensitive information as the jewels locked inside.  Until recently, companies only needed to focus their efforts on enhancing the protection of the treasure chest through hacker-resistant firewalls and intrusion-detection programs.  Now, each mobile device can serve as a clue on the treasure map that provides closer access to the treasure.  The lock on the treasure chest no longer suffices.  Therefore, every clue (e.g. tablet, phone, or laptop) must be as strong as the lock itself.

No matter how stringent its policies, a company can never ensure that only pre-approved and authorized persons have access to its employees' devices.  For example, if an employee takes his tablet to a repair shop, he will have to give the device password to the technician, and in many instances leave the device in the store overnight or ship it to a remote location.  How should your company handle such situations?

Employees who use third-party apps may also be inadvertently sharing sensitive information with unauthorized parties merely by using common device features.  For example, many people use Siri® to send emails, make phone calls, create calendar appointments, and surf the web.  The Apple® company stores everything a person tells Siri® for up to two years in the cloud.  Additionally, employees who connect their devices to unsecured Wi-Fi hotspots, lose their devices, or share them, raise the risk of unauthorized disclosure or destruction of business data, especially if their devices are not password protected or do not have automatic lock code functions.  All of these scenarios increase the risk of harm to company networks.  Several methods are available to help protect your company's material while still accounting for the practicalities of use and repair.[6]

5. E-Discovery

During the course of a lawsuit or investigation, a company may be required to identify, collect, and produce electronically stored information (ESI) to be used as evidence.  This form of document production is known as electronic discovery (e-discovery).  E-discovery has the potential to be very complex due to the "sheer volume of electronic data produced and stored" on devices.[7]  ESI can include anything from emails and documents to voicemail, social media posts, and audio and video files.  Unlike hardcopy evidence, electronic documents "often contain metadata such as time-date stamps, author and recipient information, and file properties" that must be preserved throughout the course of litigation.[8]  Identifying and producing ESI is difficult enough when the company only needs to focus on office equipment such as servers and PCs, but can get exponentially more complicated when data is scattered across employees' personal mobile devices.  The complexity and financial stress that e-discovery may produce, especially for a small or medium-sized business, must be considered when determining whether a BYOD policy is feasible.

Conclusion

Allowing employees to use their own devices at work is a favorable option for many companies, but the benefits must be considered against the drawbacks.  A BYOD policy may increase employee productivity and morale and decrease equipment costs, but can also introduce additional security and liability concerns.  Proper planning and documentation of the scope of the BYOD policy can minimize threats to security, as well as legal liability, and improve operations for both employers and employees.

 

[1] Security issues pertain to businesses of all sizes, but can be particularly challenging for small and medium-sized businesses (SMBs).  For some BYOD concerns that SMBs should be specifically aware of, click here.

[2] Claire Meyer, "Bring Your Own Risk with BYOD," Security (Apr. 1, 2016).

[3] Id.

[4] Id.

[5] Id.

[6] Henry Z. Horbaczewski & Ronald I. Raether, "Know the Privacy and Security Issues Before Inviting Employee-Owned Devices to the Party," ACC Docket, at 74 (Apr. 2012).

[7] "The Basics: What is e-Discovery?," Complete Discovery Source (2017).

[8] Id.
