6 Risks Your BYOD Policy Must Address
Strong company policies are a must for managing legal and other risks of personal devices used in the workplace. Are you addressing all the issues?
That's not an exact quote but it's pretty close. The firm's IT and outsourcing practice recently conducted a webinar for companies grappling with employee-owned devices on and off their corporate networks and the long list of potential issues the BYOD model can cause.
More SMB Insights
- Supporting your BYOD Program with Mobile Enterprise Services
- SMB Server Guide: Meeting Email, Virtualization, and Business Application Challenges
- Become a social business in the cloud: IBM SmartCloud for Social Business collaboration services
- Cricket Communications Turns to Splunk
- Managing Mobile Security in Small And Midsize Businesses
- Best Practices: 5 Security Tools Every Small Business Must Have
Naturally, the event focused on the legal and related risks associated with BYOD. But it wasn't doom and gloom. The lawyers highlighted the positive potential outcomes of allowing employees to use their own mobile devices and other hardware at work, such as lower costs, improved employee productivity and satisfaction, and even hiring -- the presentation cited a Unisys report that found 44% of job hunters find an offer more attractive if the employer supports iPads. The bottom line: BYOD is happening whether you like it or not.
"At the end of the day, BYOD is not going anywhere," said Foley & Lardner partner Matthew A. Karlyn. "It's only going to increase."
[ Read Does BYOD Make Sense For SMBs? ]
That said, there are innumerable risks associated with allowing employees to use their personal smartphones, tablets, and other hardware for company business. Just as the head-in-sand strategy would be ill advised, so too would BYOD anarchy. Karlyn and his colleagues stressed the need for a strong, thorough policy that employees can actually understand. To that end, he advised regular education and training initiatives, both in person and online. Finally, he noted that policies must be enforced with meaningful consequences for rule-breakers; otherwise, rules are essentially worthless.
The lawyers noted that policy, training and enforcement specifics will vary by business. Highly regulated industries like healthcare and finance, for example, have an entire other set of concerns related to BYOD. But they highlighted just how complex the BYOD workplace can be -- and how specific your policy must be as a result.
A fundamental idea behind the policy-education-enforcement strategy is that the legal and other risks of BYOD can be reduced if both employer and employee clearly understand those risks and their roles and responsibilities in managing them. Consider these six specific issues that you and your employees might not be adequately addressing.
1. Data Is Discoverable.
Foley & Lardner partner Michael R. Overly began his part of the presentation by noting that BYOD devices might be discoverable in lawsuits. In English: Everything an employee does on her personal iPhone, for example, could be used as evidence in a lawsuit against her employer. Overly said that usually comes as a surprise to senior management when he does corporate training work. "More times than not, those executives are absolutely, positively astonished when we explain that when someone participates in a BYOD program, that device may be subject to discovery in litigation," he said.
Employees who assume they have a right to privacy -- it's "my" device, after all -- might likewise be in for a shock. The personal devices they use at work could be examined not only by their employer but by the other party in the lawsuit. Their social media, photographs, personal email, geo-location information and many other kinds of data could be pored over at length.
"Even though people may understand [the discovery process] in a general sense, [they] do not appreciate just how invasive a review like that can be," Overly said. "Which is why it's so important to make sure that people that elect to participate in a BYOD program understand that type of risk -- that, by participating, you're giving up certain rights."
2. Discovery Can Be Expensive.
If you have a come-one-come-all approach to BYOD -- as in "if we allow one device, we might allow them all" -- this might make you rethink it. Lawyers don't typically work cheap and discovery can get expensive. If employees are using not just one but two or more personal devices for work, you're potentially adding a multiplier to your legal costs in a lawsuit. That's because all of those devices might have to be turned over for discovery. In fact, there doesn't even need to be a lawsuit to incur such costs -- just the threat of one and a requirement for litigation hold. "This is a cost that needs to be built in and understood in connection with deciding whether a BYOD program is appropriate for your business," Overly said.