How to craft the best BYOD policy
- 01 May, 2013 17:31
If your company is involved in litigation, then your personal smartphone used for work, even merely for receiving corporate email, can be seized and searched for evidence during the discovery phase, according to an NBC News report. This is just one of many unforeseen consequences of Bring Your Own Device, or BYOD, a technology trend sweeping corporate America today.
Even worse, most companies have the right to search your BYOD smartphone anyway. That's because you likely signed your privacy rights away in a multipage user policy chock full of legalese. Did you read the fine print? Probably not.
"I can't tell you the number of times we get an issue where a company needs to reach in and wipe a device or look at a device, and the employee is shocked to learn that this is permitted under the company policies," says Matt Karlyn, partner in the technology transactions practice group at Boston law firm Cooley LLP.
Karlyn believes BYOD boils down to a well-drafted and comprehensive policy that spells out the rights for both companies and employees. Such a policy covers a company's right to monitor, access, review and disclose company or other data on a mobile device, and the employee's expectations of privacy with respect to that device.
CIO.com sat down with Karlyn to discuss the keys to a good BYOD policy, one that can provide companies and employees with some measure of security as BYOD barrels ahead.
Can a personal smartphone be seized and searched if a company is involved in litigation?
Personal devices may be subject to search and review in the event of litigation that involves an employer or other similar legitimate reason, which can include any business information on the phone. It's just like any other evidence or document or computer that could be confiscated and looked at for evidence. That's litigation procedure.
Yet I can even tell by your question that most people find this surprising. Where's the policy that makes it clear that the company has these rights with respect to these devices?
Today's mobile device management software allows for searching and wiping only business data. Could a search include personal data, too?
I was reading recently about a company that put into practice where they would only access business content on a personal device that's used for business purposes. They defined business content as email and business-related documents. They specifically excluded photographs, the assumption being that photographs would be only personal in nature.
They came to find out that there were a lot of photographs of white boards. People had taken pictures of white boards that contained all kinds of business information. It dawned on the [company] in the article that you can't make assumptions about what's business and what's personal.
It's fascinating, because people are using all of these components on smart devices for both business and personal purposes, such as photography and who knows what else. Suddenly, you can't wipe only the obvious business-related things like email.
The lines have become more blurred, as these devices become more sophisticated. This has given rise to the need for companies that implement BYOD programs to have a lot of flexibility, in order to ensure that they can access information that belongs to the company.
Do BYOD policies give companies this flexibility?
From a corporate perspective, if you're going to implement a BYOD program, it's simply imperative that you have a well-drafted and precise policy to govern both the company's rights and employee's rights. The message to employees is, read every policy carefully and make sure you understand it.
Before BYOD, you were issued a bunch of devices owned by the business. The company would have an IT policy that says you have no expectation of privacy with respect to these devices. Not only are you not supposed to use them for personal use, it's prohibited. You can suffer consequences, including termination. I used to do IT policies where even the phone wasn't for personal use.
Fast forward several years, and we're flipping the whole thing on its head. Now you can go buy your own device and use it for whatever you want (it's your family iPad) and for work. Companies are getting themselves into a little bit of hot water when putting these programs in place.
It becomes a challenge in cases such as litigation or when a device is lost or stolen and needs to be wiped. If a policy doesn't spell out the process and procedures when these events happen, and we know they're going to happen frequently, then it's a huge disservice both to the company and employee.
People complain that BYOD policies heavily favor the company and give employee rights short shrift. What do you think?
I think that's true. Companies are drafting the policies. As a natural outgrowth, they're heavy on the company's rights to accessing devices. As I said earlier, I think there should be a balance between company rights and employee rights. It's something that these policies can do a bit better at.
Sounds like BYOD policies can get large and complex. What does a good BYOD policy look like?
They're not generally large documents. In fact, I'm sitting here with a couple of them in front of me. One is three pages, the other nine pages.
A BYOD policy goes through general rules about personal mobile device usage.
It clearly articulates what the company's rights are with respect to monitoring, accessing and reviewing all the data stored on, processed or used by the particular device. It goes through the employee's obligations with respect to keeping the device secure, password requirements, all the things you'd expect to see in a general IT policy. It talks about what happens if you're terminated or decide to leave the company.
Some key logistics might be included in the policy. A lot of companies are offering to subsidize the cost of mobile devices over, say, a couple of years. If you leave the company during that timeframe, and the company has already reimbursed you, then perhaps you might have a financial obligation to the company. That's a new concept.
Also, there might be some descriptive terms with respect to what you can't do on your device. For example, if you're going to use this device for business, then you must comport to company policies and standards for keeping information confidential.
It's a document that both the employee and company sign. So hopefully an employee isn't surprised when litigation or something happens where the company is required to wipe or access the device.
What are some of the mistakes you've seen with BYOD policies?
Not only do you have to draft the policy and make sure it has all the critical elements, people have to be aware of it, train on it, communicate on it. Whatever the consequences of failing to comply, you have to enforce them across the board with respect to employees signed up to the program. If you're not going to do those things, then why have a policy?
In the actual terms and conditions, the biggest red flag is the one-page, isn't-this-policy-great kind of policy that says, "Here are some things to be aware of." But it doesn't get into the obligations and rights for both the company and program participant. You also have to make sure that participants comply with other corporate policies, so that they're attached and baked into the BYOD program.
The really big mistake is that employees are shocked, because they weren't aware there was a policy that said a company could do something. It's the critical awareness factor: make sure that they know what the elements of the program are and then train and take them through a discussion, through the literature, through examples of what could go wrong.
What's the potential fallout from these mistakes?
People become surprised and not happy if they have to turn over devices that contain their personal information. They also might not get their devices back for a while. If employees continue to be shocked and their information subject to search, I certainly can see employees trying to pursue rights, maybe through litigation.
I saw a discussion online where somebody said, "If your device is going to get confiscated, just make sure you have the ability to wipe the thing clean." I don't agree with it; I think it's horrible. There are employees who are taking a self-help approach to protect their information on that device. It's a really interesting outgrowth and huge risk of BYOD, isn't it?
Then there are so many places for data to be stored. Keeping custody of it is very difficult. It's creating a whole world of complications for companies that need to ensure they have access to their information. At the end of the day, the email doesn't belong to [the employee].
Information and data security are really big challenges for BYOD. To the extent that a policy can alleviate some of those challenges, a company should really take the time and make sure there's a policy in place.
Some companies have a BYOD mandate, meaning a person must acquire a smartphone and sign the policy as a term of employment. Do you think BYOD mandates are the future?
If I had a crystal ball, I think it's heading toward mandates. We've already seen this happen with lots of companies in industries where it wasn't really expected. In the law firm sector, for instance, it's beginning to take hold.
By becoming mandatory, this certainly begs the question: Don't we have to do a much better job making sure that we craft a program where the use of a device for business reasons can co-exist with the use of a device for personal reasons?
We have to ensure that all of the interests of the company, with respect to the security of its information and data, and all of the interests of the employee, with respect to the security and confidentiality of their personal usage, can live and breathe together in the same environment.
Can we craft a program where the mandatory nature of these programs isn't so unappealing to some people? I certainly think we can do that, and reflect that in a policy.
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com.