The Bring Your Own Device (BYOD) movement is clearly gaining momentum, partly due to the rise of increasingly easy-to-use smart phones and tablets, and partly due to the decline of corporate cell phone companies, specifically Blackberry. But as employees bring their own devices to work, what are the implications for company and employee alike?
I asked Rich Santalesa, who is Senior Counsel at the InfoLawGroup, LLP, a law firm specializing in privacy, security, technology, media, advertising and intellectual property law about this and he warned there were possible pitfalls that companies and employees should take into consideration when implementing BYOD policies.
Santalesa explained that while on its face at least, there is nothing inherently wrong with BYOD, you have to go into this with your eyes open. “BYOD may in fact work fine for both companies and employees, depending on the uses, so long as both sides understand and agree to the limits and implications of what BYOD means,” he said.
But he adds, “The trouble is the issues may not, at first glance, always be clear cut or readily understood by all parties.” And that’s where problems could arise.
He lists a number of potential issues for the company including potential liability for activities employees conduct through the device (such as on social networks and elsewhere online); cyber risk insurance coverage in the event of data breaches; additional burdens to e-discovery and increased risk of possible data breaches for BYOD when employees fail to reasonably secure the device.
There are also issues for employees specifically about ownership of work product and data on the device. What happens if IT decides to remotely wipe a lost or stolen device that includes personal content as well as company content? Chances are it does. That’s the whole point of BYOD — to carry a single device.
Remote wiping agreements could be a major issue moving forward and one that both companies and employees need to consider. In fact, a recent Wall Street Journal article talked about this very subject.
Santalesa says that it’s crucial that employees understand the implications of any agreement enabling remote device wiping. “As more and more companies, in exchange for allowing BYOD into the enterprise, require employees to sign agreements giving the company the authority to remotely delete all data from an employee’s device many employees may not be fully aware of the ramifications signing such an agreement can result in, namely, the complete loss of their personal data, photos and information stored on the smartphone or other mobile device,” Santalesa explained.
He says the WSJ article shows the need for up-front communication between company and employee about this. “The crucial takeaway from the WSJ story, is that human resources must be front and center, along with legal, in effectively communicating to employees what BYOD actually may mean in terms of their personal devices and data stored on them, as well as what level and extent the company may be allowed to remotely monitor what employee are doing with their own devices. ”
In addition, to these issues, there are broader issues of cyber insurance coverage, which Santalesa alluded to. We will cover this issue in greater detail in a post tomorrow.
For now, it’s worth taking the time to understand that while BYOD offers convenience to employees and cost savings (at least on one level) to the organization, it is not without risks — and you need to understand these risks up front before your company implements a BYOD policy.
Look for Part 2 of this post tomorrow when we discuss the possible impact of BYOD on a company’s Cyber Insurance coverage.