Bring-your-own-device (BYOD) technologies have emerged as a popular and cost-effective means of providing mobility and flexibility to employees.
Consistent with most emerging technologies, however, there are a number of legal issues which are often not considered but which may have unintended impacts on an organisation’s risk profile. Organisations need to consider the potential legal issues associated with BYOD technologies whether or not they have a formal BYOD program in place.
CIOs are well aware that employees have always worked out ways (and will continue to work out ways) of connecting their personal devices to work systems, which quite often involves circumventing internal security protocols. This inadvertently exposes an organisation to a potentially uncontrolled level of risk without it even being aware.
At the outset, it is important to keep in mind that BYOD programs do not, in themselves, present any new legal issues. Many of the legal challenges that are associated with BYOD technologies have existed since the adoption of mobile computing. What’s new is the fact that the potential for issues to arise has increased dramatically given the widespread adoption of BYOD technologies.
While it is impossible to entirely remove any legal risk associated with BYOD programs (the very concept of allowing external devices to connect to, and interact with, a carefully managed IT system carries with it inherent dangers), there are a number of measures that organisations can adopt to limit their exposure.
Importance of policy
The most important element of any BYOD strategy in relation to minimising legal risk is to have a detailed policy that sets out the terms of the program. The purpose of the policy is to provide clarity around how the BYOD program will operate, as well as to act as the platform to allocate risk between the organisation, its employees and third parties.
The BYOD policy will generally be one element in an organisation’s broader policy framework, and will sit alongside the organisation’s employment policy, as well as the organisation’s existing ‘acceptable use’ policies.
The policy needs to cover things like the type of devices that can be used by employees, access rights, support arrangements, tracking and monitoring, and remote wiping. Much of the policy will not, in fact, directly address legal issues. Having a clear policy will, however, assist in reducing legal exposure.
Employees should be required to actively accept the terms of the policy prior to being entitled to connect any external device to the organisation’s IT system.
A key benefit of adopting a BYOD program is the significant capex savings of not having to supply employees with devices for work purposes. Accordingly, in order to ensure that any savings are not outweighed by ongoing operational costs, organisations need to carefully consider how they intend to apportion liability between themselves and their employees in a number of important areas.
For example, who will take responsibility for lost or stolen devices, and who will be responsible for malware or virus attacks associated with an employee’s device? There are no fixed answers to these questions under the law, and these are precisely the type of tricky operational issues that should be addressed in the policy.
Support of devices is also an issue that should be covered by the policy, and is one of the most problematic areas because of the often wildly different expectations between an employee and an organisation.
For example, most employers will want to limit the support that they provide to simply connecting a personal device to the organisation’s network, whereas an employee may expect that ongoing support of the device will be at the expense of the employer. Again, the position that prevails in this circumstance will be largely dependent on what is set out in the policy.
Licensing and insurance
One of the most common pitfalls for organisations implementing BYOD programs is failing to ensure that the scope of existing software licences is sufficiently broad to cover the intended breadth of the program.
Software licences often place restrictions on the type of devices from which software can be accessed and used, and it is not uncommon for the licence to limit access and use to devices owned by the organisation. This type of limitation could prevent an employee from accessing the relevant software from a personal device.
Accordingly, prior to determining which elements of the broader IT system will be made available, the organisation should carefully review the scope of its existing software licences.
Another licensing issue that needs to be taken into account is employees’ rights to use applications and software that they have downloaded on their device outside of work, for work purposes. It is quite possible that the scope of their licence is only for personal non-commercial use.
This poses a risk because it may expose the organisation to a claim by a third party that the organisation has encouraged a breach of licence. The BYOD policy should make it clear that employees are not authorised to utilise software purchased or otherwise downloaded for personal use, for organisational purposes.
An organisation’s appetite for risk is generally linked to the scope of its insurance coverage. Certain aspects of a BYOD program may fall outside the scope of traditional insurance policies, and it is important for the organisation to clearly understand whether its policies will cover work conducted on devices that are not directly owned or leased by the organisation.
This will be particularly important in the context of professional indemnity insurance, and will require a close examination of the definitions in the policy, as well as the extent of coverage.
One of the biggest inhibitors to organisations implementing BYOD programs is the perceived lack of data security. Two topics generally colour the legal framework in the context of data security; these are confidential information and litigation obligations, both of which are concerns for any mobility based system.
The loss of a device that holds sensitive corporate information presents the greatest confidentiality risk. It is important to keep in mind that particular information might be considered to be confidential even if it is not marked as such. Information may be protected at common law if it has the necessary quality of confidence about it, and it is communicated in circumstances of confidence.
A lost device may not only expose the organisation’s sensitive information, but may also potentially breach confidentiality obligations that the organisation owes to third parties.
A technical solution which significantly reduces the level of risk is to implement a ‘sandbox’ approach in which any organisational information is isolated and stored in a particular segment of the device that can be remotely wiped in the event that the device is lost or stolen, or the employee leaves the organisation.
Of course, any remote wipe functionality which is not carefully administered may also inadvertently wipe personal data of an employee – it is important to highlight this risk in the BYOD policy to avoid claims for lost holiday photos arising down the track!
Certain information should potentially never be sent to or accessed by a BYO device. This is no different from any other mobile device but frankly, in certain circumstances – for example, access to particularly sensitive types of documentation or travelling to certain countries – it may be that BYO devices, and mobile devices generally, should simply not be used.
Organisations should also be aware of the possibility of their sensitive information being stored offshore in the event that employees utilise services such as iCloud or Dropbox to back up elements of their device. Information could end up being stored in a country that is less secure than Australia or which is subject to broad governmental access rights (like the US Patriot Act). Whether this is a real concern for an organisation will obviously depend on the nature of the sensitivity of the relevant information.
When developing and implementing a BYOD strategy, organisations need to remember that the information stored on BYO devices may have to be discovered (ie provided to the court and the other side) if the business becomes involved in litigation. An organisation cannot object to producing particular information on the basis that it also contains personal information of an employee.
If data becomes mixed, the cost associated with sorting through that data (and removing personal information) may be prohibitive. This highlights the importance of adopting procedures to separate work and personal data at the outset, and ensuring that only work data is backed up.
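The ‘sandbox’ approach described above (an organisation-managed segment of the device that can be wiped on its own) and the point about keeping work and personal data separate so that only work data is backed up can be illustrated with a small model. The following Python is an added example, not code from the article or from any particular mobile device management product. It assumes a device that tags every stored item with the container it belongs to (`work`, managed by the organisation, or `personal`, owned by the employee); the wipe and backup operations only ever touch the managed container, and a `misclassified()` check flags items whose location and tag disagree, which is how ‘mixed’ data starts.

```python
"""Model of the managed-container ('sandbox') approach to BYOD data separation.

Added illustration only. Assumed design: each item on the device carries a
container tag; selective wipe and backup act on the 'work' container alone,
so a lost device or a departing employee can be handled without destroying
the employee's personal data, and only organisational data leaves the device.
"""
from dataclasses import dataclass, field
from enum import Enum


class Container(str, Enum):
    WORK = "work"          # organisation-managed segment of the device
    PERSONAL = "personal"  # employee's own data, outside the organisation's control


@dataclass
class Item:
    path: str
    container: Container
    data: bytes


@dataclass
class Device:
    owner: str
    items: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def store(self, path, container, data):
        self.items[path] = Item(path, Container(container), data)

    def selective_wipe(self, reason):
        """Remove only items in the managed (work) container; return their paths."""
        removed = sorted(p for p, it in self.items.items() if it.container is Container.WORK)
        for p in removed:
            del self.items[p]
        self.audit_log.append(f"selective_wipe reason={reason!r} removed={len(removed)}")
        return removed

    def full_wipe(self, reason):
        """The careless variant: removes everything, including personal data."""
        removed = sorted(self.items)
        self.items.clear()
        self.audit_log.append(f"full_wipe reason={reason!r} removed={len(removed)}")
        return removed

    def backup_work_data(self):
        """Return only the data that may leave the device for organisational backup."""
        return {p: it.data for p, it in self.items.items() if it.container is Container.WORK}

    def personal_paths(self):
        return sorted(p for p, it in self.items.items() if it.container is Container.PERSONAL)

    def misclassified(self):
        """Paths whose top-level directory disagrees with their container tag.

        Such items are the beginning of 'mixed' data: a personal file sitting in
        the work area would be backed up and discoverable, and a work file in
        the personal area would survive a selective wipe.
        """
        return sorted(p for p, it in self.items.items()
                      if p.split("/", 1)[0] != it.container.value)


def build_sample_device():
    """Constructed sample content (hypothetical paths and bytes, not real data)."""
    d = Device(owner="employee@example.invalid")
    d.store("work/contracts/acme-msa.pdf", "work", b"CONFIDENTIAL draft terms")
    d.store("work/mail/inbox.db", "work", b"mailbox")
    d.store("personal/photos/holiday-001.jpg", "personal", b"jpeg bytes")
    d.store("personal/notes.txt", "personal", b"shopping list")
    return d


if __name__ == "__main__":
    dev = build_sample_device()
    print("backup set:", sorted(dev.backup_work_data()))
    print("wiped:", dev.selective_wipe("device reported lost"))
    print("still on device:", dev.personal_paths())
    print(*dev.audit_log, sep="\n")
```

Run as a script it shows the two halves of the policy in action: the backup set never contains the personal items, and the selective wipe leaves them on the device. Comparing `selective_wipe` with `full_wipe` is the difference between a well-administered wipe and the holiday-photo claim the article warns about.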