Risks of the ‘bring your own device’ culture

Written By Jennifer Brown
Increasing use of personal electronics in the workplace can pose legal risks. Photo: Shutterstock

It used to be that a company-issued laptop or BlackBerry was the only device allowed in the workplace, but increasingly employees want to use the tools they prefer to get the job done.

But rogue mobile phones and tablets can pose legal risks to your organization, including security of data, illegal content, and the potential for employees to be “always on.”

“It’s fair to say a lot of companies are starting to take a serious look at this issue,” says Jeff Mitchell, partner at Borden Ladner Gervais LLP in the labour and employment practice. “It’s an issue of retention and recruitment in some cases. There’s a growing feeling that if people are working with devices they really like they will work faster, better, and be happier.”

Companies that embrace the “bring your own device” concept face the challenge of incorporating an employee’s own technology into the technical infrastructure of the enterprise. While organizations can be insured for cyber risk or liability, including data lost from an improperly secured device, it probably doesn’t cover devices owned by employees.

“All the standard cyber risk insurance I’ve seen covers employer-owned equipment and not employee-owned equipment,” says Eric Boehm, a partner at BLG who focuses on technology law. “Unless you’re really on top of it, you may not be covered for those things.”

If you’re considering BYOD at your organization, a well-developed policy is the best place to start, says Boehm. Security standards are a key concern. At the top of the list: is the employee device up to date and are the company’s trade secrets and privacy being protected?

A good policy will spell out clear rules on the dividing lines between business and personal use and cover the right for the company to install monitoring software or perform a remote lock or wipe of data that could include personal information.

“There is a co-mingling of company and personal data that can happen and it’s that mix that creates other issues,” says Boehm. “There are no direct laws on this but what you can do is create at least some agreement that spells out, ‘This is what we want to do and this is our expectation.’”

While BlackBerry Enterprise Server provides a built-in feature that can delete all data and disable the device remotely, iPhone and Android devices don’t offer that option, says Roger Yang, chief executive officer of Avema Critical Wireless.

“There is third-party software that does the same thing, which provides the capability to do a remote wipe,” he says.

IT consulting firm Sierra Systems Group based in Vancouver considered a BYOD approach 18 months ago but hasn’t fully implemented it yet, says the company’s general counsel, Robert Piasentin.

“We had a lot of people asking us for specific cellphones saying they didn’t want the Sierra standard issue phone,” says Piasentin. “It all came to a head when our IT department said they didn’t have the resources to support the Samsung Galaxy or iPhones in addition to the BlackBerry or whatever brand of phone people had.”

At first Sierra considered a full BYOD policy that would include laptop hardware and software as well as cellphones with limited support from IT. For now the company has decided to continue providing computers but employees are now required to pay for and manage their own cellphone.

“If people want a phone they are required to get their own with whatever plan they want. I have an iPhone for work but I pay for it and a monthly plan. A year and a half ago I had a lesser phone when it was paid for by the company,” says Piasentin.

The decision has saved the company a lot of money and has allowed the IT team to focus on issues more important to the company rather than supporting individual mobile device issues.

“When we did that, we had a lot of push back but in the end the one argument we used to counter it was, ‘If you weren’t working here would you have a phone?’ Everyone pretty much unanimously said yes, they probably would,” he says.

Long distance calls and roaming plans can be expensed back to Sierra Systems for work-related use. Those who have chosen to have their mobile device connected to the company network must have it enabled to be remotely wiped in the event it is lost.

“That allows us to maintain a certain level of security of the information we have going back and forth with respect to client data,” says Piasentin. “We explained to everyone how it works and generally if your phone is lost it wipes everything including any of your personal information. That’s the risk but we explained it also prevents personal identity theft and we haven’t had any pushback on that so far.”

Currently Sierra Systems supports only company-issued laptops, but people can use their own tablets.

“We ultimately plan to go to BYOD with laptops as well but we haven’t gone there yet, just because it’s a lot more difficult to implement and we want to make sure we have the resources in place to make it secure,” he says.

In theory, BYOD suggests employees are used to supporting themselves and their devices, so costs should go down. However, for some companies that have BYOD with technical support provided, it has proven more costly in terms of software and labour for managing the different devices.

Companies are also starting to look at how they capture time logged while on the road or “off the clock” and make sure it is being reported, or segment only those who are allowed to use devices for work after hours to avoid huge overtime issues. There is also the issue of roaming charges used with personal devices and whether the use was for work or personal need.

“There may be some mission critical people who you say can use a BlackBerry or iPhone as much as they want. There may be other groups you say, ‘We don’t want using it outside of business hours unless directed to,’ and that’s probably the biggest challenge,” says Mitchell.

  • RE: Risks of the ‘bring your own device’ culture

    Heather
    If employees are paying for their own devices and data plans, what is the consideration for the contract they enter into with the employer regarding protection of corporate data, remote wiping, etc?

    Also, this article does not make mention of a Waiver and Release which likely should be signed by employees regarding lost personal data due to remote wiping.
