Organizations have recognized that mobile devices are crucial to their success, and many have incurred significant expense purchasing and securing such devices to equip their workforce. Nonetheless, employees are increasingly using (or demanding to use) personal devices to store and process their employer's data and to connect to its networks. The reasons vary: avoiding the need to carry and manage multiple devices, the desire to use the newest devices available, and increased efficiency.
This trend has been named BYOD (Bring Your Own Device). Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even where cost savings are not the goal, most companies believe that the processing of company data on employee-owned devices is inevitable. Unfortunately, BYOD raises significant data security and privacy concerns, which in turn create legal and liability risk. Many companies are having to play catch-up to control these risks.
The very nature of BYOD highlights the employee privacy challenges at issue. Employees and contractors will be using the same devices for work and for personal computing that involves a host of private activities and content: web browsing history, personal emails, photos, chat histories, personally identifiable information, music, movies, software, user names and passwords, and financial account numbers. Any security control applied to such a device (monitoring, remote wipe, forensic imaging after an incident) necessarily touches that personal content as well as the company's data. We have already seen significant legal activity relating to an employee's expectation of privacy when using a company-issued device for personal reasons; a device the employee owns only sharpens the question.
All too often, companies considering a BYOD policy find that their employees are already using personal devices for work and already storing sensitive information on them. This makes it more difficult to manage the issues deliberately and to set up policies that address the security, privacy and legal risks of BYOD. Nonetheless, the complex legal implications of BYOD must be carefully considered using a multi-disciplinary approach (legal, security, privacy, IT, risk management, etc.) that takes the company's existing infrastructure and risk tolerance into account. The end result should be a Personal Device Use Policy that addresses the various risks and strikes a balance that works for the organization. Because the devices in this context are personal, it is equally important to inform, educate and train employees about the privacy, security and incident response implications of using their own device for work, including what the company may access, monitor or erase and under what circumstances. Working through these issues can help to reduce the legal and liability risk that companies may face.