By Elizabeth Johnson
Originally published in Business North Carolina’s Law Journal, May 2012 issue
With 87% of employees confirming they use personal electronic devices for work, designing a workable “bring-your-own-device” program is probably overdue. BYOD is a tricky issue; 48% of companies claim they would never authorize employees to use personal devices for work, but 57% acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.
Talent recruitment and cost concerns
Almost half of college students and young employees say they would accept lower pay in exchange for flexibility on device choice, social media and mobility, which suggests it will be difficult to compete for new talent without a BYOD policy. Your business may save on device purchases and information-technology support, but all of that savings can be wiped away if a lost personal device results in a reportable security breach (average response cost is over $5 million) or if sanctions follow because the contents of the device are discoverable in litigation but cannot be produced.
Productivity and social media
Let’s be realistic: Your employees already use Facebook during work time, and blocking the site won’t help since we’ve already established that they use personal devices at work. Think of BYOD as a means to retrieve some of those lost hours. Seventy-two percent of employees regularly check their emails from personal devices outside normal business hours, and 42% check even when out sick.
If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social-media policies, were found liable for accessing employees’ social-media communication in unauthorized ways, and scaled back reviews of social-network sites due to Fair Credit Reporting Act liability. Employers should revisit their social-media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls.
Information security and compliance
Here are a few examples of the potential impact of BYOD on security and compliance:
- Device loss or theft could result in a security breach that must be reported to regulators and affected individuals if personal information is involved and potentially to business partners if confidential information is involved. Loss of access credentials can jeopardize enterprise security.
- Almost three-quarters of Americans report they have no malware protection on their mobile devices. You can almost hear data slithering off the devices.
- Access controls are nonexistent or may be purposely defeated by employees who share their devices with their households.
- Transmission security will be ad hoc or nonexistent unless the enterprise provides it (for example, a VPN or enforced TLS for mail and web access). For health-care companies, financial institutions and other highly regulated industries, obligations such as encryption, access controls, authentication and password management become hard to meet on devices the enterprise does not own.
Most of these controls are expected even in less regulated industries, especially given the increased risks posed by BYOD.
Privacy concerns
Like it or not, employees have some privacy rights that are unaffected by your dusty old electronic-communications policy, which undoubtedly warns that they have no expectation of privacy when using your equipment. Although you can revise its scope for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Moreover, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities: websites visited, items purchased, books read, games played, photos taken, apps used and calls and messages sent and received. Your business needs to decide the extent to which it needs to know such information and plan accordingly.
e-Discovery and departing employees
Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.
Get back in control
Having considered a variety of issues raised by an increasingly mobile workforce, let’s consider solutions that will put you back in control.
Security framework
Perhaps the greatest perils posed by BYOD are the security risks. There are several options to mitigate those risks, but some are better than others.
- Good – device-level security. At minimum, require device-level security such as strong passcodes, up-to-date malware protection, encryption of stored data, automatic lock after a period of inactivity and remote-wipe capability. These controls protect the whole device, but they depend on the employee keeping them turned on.
- Better – mobile-device management. MDM enrolls the personal device with an enterprise server that can push and enforce configuration (passcode rules, encryption, inactivity time-outs, remote wipe) rather than merely asking for it, and it gives employees a secure tether to the office through which they reach resources using an application on the device. Containerized MDM solutions go a step further by keeping work data and apps in a separate, encrypted workspace that can be wiped on its own, which minimizes the risk of data loss and preserves data integrity and access control without touching the employee's personal content.
- Best – virtual-desktop infrastructure. With VDI, applications and data stay in the data center and the device shows only a remote session, unlike MDM where some data and apps live locally on the device. Maintaining secure access credentials and effective user authentication are paramount, because the credentials stored on the device become the remaining point of exposure, but the device itself holds no work-related data to be lost or breached.
To determine which approach or mix of approaches is best, consider inventorying your business units, their activities and their use or proposed use of mobile devices. Units that need regular access to sensitive business or personal information and travel or work from home may warrant a more cautious approach.
Policy document
No matter how you address security, a written policy is needed to establish privacy boundaries and set security expectations. You also should review existing security policies to ensure you have not set contradictory requirements. Your social-media policy likely also deserves an update once BYOD is in place. Training and reminders are useful to help employees remember the requirements and risk and will help your organization establish legal compliance.
Terms of use
When your organization does not own user devices, strong and effective terms of use are necessary to preserve your rights. Key terms include the employee’s agreement to adhere to security requirements, immediately report potential breaches, submit to compliance audits and allow the employer to wipe the device without prior notice if the device poses a security threat to the organization.
These measures only temper the risks posed by BYOD. You still need to be prepared for worst-case scenarios, particularly security breaches, with an incident-response and breach-notification plan that accounts for devices you do not own. With careful planning and implementation, the gains inherent in BYOD should outweigh the risks.
Elizabeth Johnson’s practice in the Raleigh office of Poyner Spruill focuses on privacy, information security and records management. Her comprehensive, practical approach to privacy law is reflected by the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecommunications, utility, technology, consumer goods and client services. She received her law degree from Duke University.