High-level virtual private network security was used to protect the network and, for some time, only certain types of phones approved by the organization were allowed access. For the most part technology tools and a small set of rules were able to hold the fort.
Technology changes exponentially, organizations change logarithmically
With employers wanting to achieve capital expense savings and efficiencies, and employees wanting to exercise their personal preferences and lifestyle choices, our new reality is that employees now use a vast spectrum of personal computing devices to create, access, and store their employer’s data and to connect to their employer’s networks.
Today’s personal devices such as smartphones, tablets, and smartpens are capable of being used as computers, gaming devices, e-readers, cameras, video recorders, cell phones, Internet browsers, modems, etc. Businesses have given way to this tidal wave of innovation by allowing employees to bring their own devices and connect them to corporate networks.
As members of legal departments, I believe we are as guilty as anyone in society (and arguably more so) of falling prey to a kind of technological somnambulism: enamoured by the marvels of today’s digital technology, we have not thought deeply enough (and I count myself in this group) about the long-term implications of how its use is materially affecting corporate behaviour (i.e. decision-making, allocation and mitigation of risk, etc.).
Updating the IT policy and going beyond
Current IT policies should be updated to address the challenges raised by the use of personal devices currently available on the market. If the skillset does not exist in your legal department, it should be developed, recruited, or outsourced. Policies regarding data retention, ethics, human resources, and other matters should be reviewed to determine whether they are impacted and also updated.
A best practice approach, in my opinion, however, requires that in-house counsel go far beyond updating these policies and provide deliberate and informed guidance on how decisions about the use of IT features can significantly affect legal rights and obligations.
Personal devices can be wiped (including remotely) to remove business information. This proves handy in the case of a departing employee; however, it raises issues regarding the ability of employers to limit wiping or bricking so that it affects only business information. Employees should be asked to sign a waiver releasing the employer in the event that personal information is inadvertently deleted.
In the event that a personal device is lost, some employers may require that GPS tracking features be enabled. This, however, raises complex legal issues regarding the monitoring of employees’ whereabouts, and requires the employee’s explicit consent.
There are two sides to automatic backup. It prevents the loss of business information, but it may also allow a departing employee to blackmail an employer if information is deliberately retained and is prejudicial to the employer’s interests. BYOD devices are difficult to integrate within a document retention (and destruction) policy.
Personal devices can be used as mobile Wi-Fi hotspots for other devices. When used in this mode, however, they allow users who are tethered to the enabled device (a corporate visitor, for example) to gain access to files on the hotspot-enabled device.
Jailbreaking or rooting a device involves circumventing its protection measures to allow root access and running of alternative software. IT policies should absolutely prohibit the use of personal devices which have been tampered with in this manner, and devices should be audited for compliance if possible.
Jailbreaking bypasses the device’s security mechanisms, allowing any form of app to be installed on the device. This could open a portal for a rogue app to be installed and used to gain access through your corporate firewall. That device could be the Achilles’ heel of your organization.
A “sandbox” for corporate information can be created on a personal device to isolate it from personal data (e.g. BlackBerry Balance). It has become increasingly difficult, however, to distinguish personal from business information at a high level. For example, the photos on a BYOD device may not all be personal: valuable information can be stored in a photo taken of a whiteboard.
Personal devices not under the control of the employer pose a risk to the preservation of trade secrets. E-mail clients such as Apple Mail and Outlook store local copies of server-based e-mail, so the e-mail is not secret as such. Personal devices are often accessed by family and friends. Theoretically, some of the most valuable IP owned by your client may no longer qualify as a trade secret.
Software licence agreements often restrict access on a per-user, per-device, per-location, or other basis. Time should be spent carefully reviewing their terms to ensure that inbound software can be used on BYOD devices. Surprisingly, it is not uncommon for licences to be limited to devices owned by the organization.
Insurance policies should be reviewed to determine whether coverage dovetails with your IT policy in terms of the allocation of risk between the organization and the individual. Will coverage be denied if a personal device is stolen or subject to a virus attack? Are BYOD devices, and claims arising from the use of BYOD devices, covered? They may not be. Add to this that personal devices are regularly sold, traded, retired, and disposed of, and I would venture that an alarmingly high percentage of them contain business information.
The above are merely a few examples of tools and features which come into play under a BYOD IT policy. It behooves in-house counsel to become familiar with available technology solutions, the manner in which they impact the allocation of risk between organizations and individuals, and the risks they pose to businesses.