BYOD (Bring Your Own Device) is happening at every company, either officially or unofficially. The onus is on companies to address the issue head on to mitigate the accompanying legal and commercial risks.
That’s the message from Dudley Kneller, a partner at Madgwicks, who specialises in technology law and who was kind enough to dedicate some of his valuable time to speak with us.
He points out that whilst BYOD is receiving a great deal of attention right now, its been happening for quite some time especially with organisations that use a lot of contractors and companies in the tech sector. He counsels against companies adopting a “knee jerk” reaction and imposing overly restrictive conditions on staff members using their own devices.
Organisations seem to be adopting one of two very contrasting approaches to deal with BYOD. The first is a prescriptive approach which is typically seen with companies who are heavily regulated such as those in the financial services sector. These companies adopt fairly strict policies with detailed obligations for users around:
- Device security measures and obligations
- Content security obligations
- Employee and contractor rights and obligations
“Whilst it is important to deal with these issues, the risk of an overly restrictive approach is that it can push the use of BYOD underground” warns Dudley. “Staff may disengage with the organisation when there’s too much red tape. They’ll continue to use their personal smartphones and tablets bypassing the red tape and onerous obligations which can often be imposed”.
The second approach sees companies embracing BYOD and using the trend to their competitive advantage. Companies who adopt a more flexible approach acknowledge that BYOD is not only a good thing for employees and contractors but that when used effectively it can be a good thing for business. According to Dudley, “some organisations see it as a good way of attracting generation Y workers who prefer to use their own devices. It can also offset the upfront and ongoing costs of devices with many employees happy to pay for the privilege of using their own device at work as well as on the weekend and out of hours.”
Of course, there are further benefits, such as reduced maintenance costs, to be gained from embracing BYOD, many of which are discussed in detail in our previous blog post featuring Stuart Driver from Citrix.
But what about the risks? Firstly and from a legal perspective, there is the issue of liability. What happens if a device is stolen or lost? Who’s responsible, the employee or the organization? Is it covered by insurance? Dudley recommends that companies re-visit their insurance policies to ensure they cover employees’ personal devices being used under a BYOD policy.
Then there is the issue of data security. “What if a data breach occurs because an employee hasn’t downloaded the latest security update to their device or hasn’t bothered to set up a password?” Of course, there is also the threat of data being lost due to an employee misplacing a device (e.g. leaving their iPad on a train), but this is not a new risk brought about by BYOD. Lost laptops and briefcases with sensitive papers have long been sources of potential risk.
Additionally it’s worth considering that family members share many of these devices and that confidential data can be disclosed when employees allow their spouses or partners to use their devices.
Lastly an organisation’s BYOD policy must deal with the issue of privacy. “What happens when an employee leaves a firm? Does the firm have the right to wipe personal data such as photos from the device? How do you deal with sensitive company information which is on the device?"
Personal devices will almost inevitably mix personal and business information. “What used to go on behind closed doors at home may now be brought into the work environment”, explains Dudley. This poses some serious questions. What happens when an employee is found to have inappropriate content on their personal tablet that they also use for work purposes? Firms have a duty of care to protect other employees from such material.
In order to deal with the risks and challenges posed by BYOD, organisations must develop pragmatic policies. Effective BYOD policies have three main components:
- Clearly defined security obligations for users. Often the BYOD policy will incorporate some or all the elements of the organisation’s existing acceptable use policy;
- Clearly defined rights and obligations around content and privacy including a right for the organization to “wipe” the device remotely in the event it is lost or stolen or if the user leaves the organisation;
- Minimum requirements around support and maintenance and whether there are requirements to use a particular service provider etc.
Above all else, common sense should prevail. In order for a BYOD policy to be effective, both parties must employ common sense so that a reasonable agreement can be reached. “A collaborative approach which caters to the interests of both parties will always win out” Dudley emphasises.
Nonetheless, some risk will remain regardless of the policies that are in place. “There’s always going to be a rogue element”, Dudley explains. “The aim of any policy should be to strike an effective balance between the rights of users and the risks to the organization. The hope is that most users will do the right thing if they feel they are being given a fair go”.
Dudley Kneller’s firm, Madgwicks, advise s businesses on effectively managing some of the legal risks involved in BYOD. They advise broadly on the legal technology, privacy and workplace relations issues which typically arise with BYOD including helping clients to develop practical policies which address the commercial and legal risks associated with this new trend. Visit their website for more information.