Law360

Authors: John W. Chapas

Type: Articles Published

"Bring Your Own Device" (BYOD) is the use by employees of their own portable computing devices (such as mobile phones or tablets) to access their employer’s system and data. The fast-paced trend of BYOD has caused many organizations of all sizes and industries to wrestle with the issue of whether to permit BYOD or continue with the traditional practice of trying to keep company data flowing only through company devices.

There are good reasons to implement a BYOD policy: employees are demanding it, as many already own sophisticated devices with advanced functions (often better than what their employer is willing to provide); employees do not want to carry multiple mobile devices (i.e., one personal and one work device); it saves equipment costs by reducing the need to purchase company devices for employees; and it allows workers to work from (essentially) anywhere.

However, there are risks and costs to implementing BYOD that must be considered, such as the following.

Data and Information Security

In general, the security technology used on personal devices is less robust than the security typically found on company resources. Employers also have less control over the security technology used on an employee's personal device. The less security a device has, the higher the risk of exposure to malware, viruses and security breaches.

Even when a device has superior security technology by current standards, technology changes at a very rapid pace, and individuals are less likely than corporations to keep up with the latest security innovations.

Employees also tend to be less careful when using their personal portable device than when using a company device (after all, it is a "personal device"). This relaxed use of the device can create additional security risks for employer data stored on it.

For example, if an employee loses their personal device, the organization certainly does not want anyone finding the device to have access to confidential company information.

Device Is Not Company Property

A personal portable device is not owned by the organization; it is owned by the employee. However, because the device links to the employer's system, sensitive information may be accessed and stored on the device. When the employer is subject to a legal hold or discovery request related to information on an employee's personal device, many potential issues arise, including that the employee is unlikely to want to give up control of the device.

This control-of-the-device concern is even more evident when an employee leaves the organization. The employer clearly does not want the now-ex-employee to have sensitive company data on his phone when he is no longer affiliated with the company.

Increased Administration

Additional administration is required to oversee and monitor a BYOD program. The organization must keep track of the different kinds of devices being used to access the employer's system and must block access by terminated employees.

In addition, the information technology department will need to put in extra work to deal with compatibility and interoperability issues due to the use of many different types of personal devices. These concerns are less of an issue with company-issued devices as the organization has more control over uniformity.

An organization that implements BYOD has more risk than an organization that does not implement BYOD — there is no way around that conclusion as currently available technology and resources cannot mitigate all risks associated with BYOD.

However, there are ways to minimize some of the above (and other) BYOD risks. The best ways to mitigate the risks depend on various factors, such as the scope of accessible information, budget, technology and staff.

The level of data security that can be achieved, and the ability to respond to legal requirements (such as in e-discovery), should be key drivers in evaluating whether to implement a BYOD policy. The trend is toward more and more organizations implementing a BYOD policy, but organizations that do so must have thoroughly analyzed the risks involved.

An organization must have well-written and thorough BYOD policies, BYOD oversight and administration, employee buy-in and the necessary technology solutions to permit BYOD to be implemented with an acceptable level of risk. Organizations that implement BYOD without spending the time and effort necessary to implement these safeguards are opening themselves up to significant risks and potential liability.

Reprinted with permission from Law360.