BYOD – the good, the bad, the ugly
August 2013 | PROFESSIONAL INSIGHT | INTELLECTUAL PROPERTY
Financier Worldwide Magazine
In case you haven’t heard by now, BYOD – Bring Your Own Device – is the hot issue in workplace management. Twelve months ago, if you asked most people what BYOD was, you might get answers that involved food and a nice bottle of wine. Now, BYOD is sweeping through many workplaces and bringing with it many new questions and issues that employers are having trouble tracking, let alone finding answers for.
In the past, employers were the ones that had access to the best computers and electronics. Instead of buying their own laptops, employees used their work computers for personal use. Sometimes employees used these computers and the employer’s internet for improper purposes, creating all types of potential liability for employers. Employment lawyers scrambled to develop policies governing employee use of company computers and internet. And many employers spent a lot of time and money training their employees on the proper uses of company-owned technology.
The ‘consumerisation’ of the electronics industry has completely changed this dynamic. Employees, as consumers, have access to the best devices – iPads, iPhones, Android phones, tablets, Ultrabooks and all the apps that come with these devices. They want to use these devices for work, especially for employees who travel a lot. They don’t want to carry around one phone for personal use and different one for work. And they want to use tablets, which most employers haven’t bought yet.
This explosion of consumer electronics has coincided with the growth of social media. This perfect storm has resulted in a world where we all live most of our lives on the internet. We shop, bank, date, socialise, rent movies, buy music, etc., all on the internet. And, to do all of this, we want to use our own devices. This is why BYOD is here to stay.
BYOD is growing also because there are some enterprise advantages. . Employers, especially smaller and midsize ones, can save money by making employees pay some technology costs. Many employees are willing to pay for their own devices in exchange for greater choice and flexibility. Thus, smaller companies can use BYOD to help leverage technology, so they can keep lean while competing with their larger competitors. BYOD can increase productivity. The line between work and personal lives is virtually decimated. Employees like having immediate access to their email and work information into work so they can work where they want, how they want, and for as long as they want. Employees embrace this added flexibility because it allows them to better balance their lives.
Yet, BYOD also poses many risks. The biggest one is security. Most data breaches do not result from foreign hackers or anonymous hacktivists. They occur from lost devices. Last year, in New York City alone, over 60,000 smartphones were lost in cabs. Each one of these phones had more computing power than all of NASA did in 1969, the year Neil Armstrong landed on the moon. This does not include tablets and laptops. And the vast majority of those phones were connected, at minimum, to work email accounts and some undoubtedly contained vital company data.
So, because of the security risks shouldn’t you just ban BYOD altogether? You can try, but that is like swimming upstream against a fierce current. A lesson can be learned from Facebook. Many employers tried to ban the use of Facebook at work. As a result, many of these companies lost key younger employees, who use Facebook and social media to communicate with their friends. If they could not do this at work, they decided to work someplace else. Companies learned their lesson. Now, to attract top, young talent, many companies started advertising that they are ‘Facebook friendly’. Rather than swimming against the current, these companies swam with it.
BYOD presents a similar question. Do you ban it altogether? Or do you accept the trend and try to manage it? There is no perfect answer. Each workplace has its own challenges and priorities. A defence contractor, for example, has different issues and priorities than an advertising firm. There is clearly no perfect answer for all employers. Yet, it seems like most companies are deciding to swim with the BYOD wave. A survey by a leading manufacturer found that 95 percent of the companies surveyed allowed some form of BYOD.
The issue is how to manage BYOD. Companies must develop a BYOD strategy that is customised for your workforce and its business priorities. The best way to accomplish this is to act proactively when dealing with BYOD. Every business should adopt a BYOD policy that protects its data while giving employees the freedom of choice they crave. These policies should include several points.
First, employees must promise not to use any company information on personal devices for anything other than personal use. And, if employees are going to use personal devices for work, they must use passwords for the devices.
Second, the military now believes that cyberspace is the fourth battlefield, along with land, sea, and air. In this environment, the use of personal devices at work greatly increases the chance of a potential data breach. To deal with this reality, companies must train their employees to safeguard their devices and the data they store in their devices. Employees should not put any PII or PHI on their personal devices. And, since work email is frequently accessed on personal devices, employees should never use company email to send messages containing PII and PHI. If employees have this information on their devices, they should immediately report any lost device. Failure to report such a situation could lead to significant problems and liability for data on devices owned by an employees’ breach.
Third, employees should consent to the remote wiping of their devices if they are going to use BYOD. Software is available that can remotely delete certain file types from personal devices. This is especially important for lost devices and departing employees.
Fourth, companies should assume that all employees are using personal email accounts and/or cloud storage to store and access company data on a regular basis. This is true (perhaps, especially true) even if there are specific policies prohibiting this. Thus, when an employee leaves, employers must always insist on the return of any and all company information that may be residing on a personal device, stored in a personal cloud account, or located on a home or personal computer. Employers must demand the return and permanent deletion of this information. Failing to do this could complicate their efforts to get this information back at a later date, and it could undermine a lawsuit against the defecting employee for potential theft of confidential information and trade secrets.
Fifth, companies should prohibit specific, vital types of data from being copied to or stored on these devices. Companies must customise protections for confidential information to make sure that it does not fall into the wrong hands, especially through an employee’s use of a personal device.
Sixth, companies must keep abreast of technological developments regarding BYOD. Many software companies are developing security programs to help with BYOD. Some smartphones now have features allowing the user to toggle between personal and business use on the phone. These are going to become more prevalent. Many software developers see BYOD as a huge opportunity and are working feverishly to develop solutions to remedy the problems and challenges that BYOD poses.
BYOD is here to stay. In the personal electronics world, the individual consumer is king. They, not employers, are driving the development of the electronics industry. This trend will not reverse. Employers must learn to adapt, think ahead and be vigilant in protecting their information in a BYOD world.
David J. Walton is vice chair of the Labor & Employment Department at Cozen O’Conner. He can be contacted on +1 (610) 832 7455 or by email: firstname.lastname@example.org.
© Financier Worldwide
David J. Walton