6 Risks Your BYOD Policy Must Address - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

12:34 PM

6 Risks Your BYOD Policy Must Address

Strong company policies are a must for managing legal and other risks of personal devices used in the workplace. Are you addressing all the issues?

Six Ways The iPhone 5 and iOS 6 Amp Up Social Opportunities
Six Ways The iPhone 5 and iOS 6 Amp Up Social Opportunities
(click image for larger view and for slideshow)
The lawyers at Foley & Lardner have a message for IT pros about BYOD: Resistance is futile!

That's not an exact quote but it's pretty close. The firm's IT and outsourcing practice recently conducted a webinar for companies grappling with employee-owned devices on and off their corporate networks and the long list of potential issues the BYOD model can cause.

Naturally, the event focused on the legal and related risks associated with BYOD. But it wasn't doom and gloom. The lawyers highlighted the positive potential outcomes of allowing employees to use their own mobile devices and other hardware at work, such as lower costs, improved employee productivity and satisfaction, and even hiring -- the presentation cited a Unisys report that found 44% of job hunters find an offer more attractive if the employer supports iPads. The bottom line: BYOD is happening whether you like it or not.

"At the end of the day, BYOD is not going anywhere," said Foley & Lardner partner Matthew A. Karlyn. "It's only going to increase."

[ Read Does BYOD Make Sense For SMBs? ]

That said, there are innumerable risks associated with allowing employees to use their personal smartphones, tablets, and other hardware for company business. Just as the head-in-sand strategy would be ill advised, so too would BYOD anarchy. Karlyn and his colleagues stressed the need for a strong, thorough policy that employees can actually understand. To that end, he advised regular education and training initiatives, both in person and online. Finally, he noted that policies must be enforced with meaningful consequences for rule-breakers; otherwise, rules are essentially worthless.

The lawyers noted that policy, training and enforcement specifics will vary by business. Highly regulated industries like healthcare and finance, for example, have an entire other set of concerns related to BYOD. But they highlighted just how complex the BYOD workplace can be -- and how specific your policy must be as a result.

A fundamental idea behind the policy-education-enforcement strategy is that the legal and other risks of BYOD can be reduced if both employer and employee clearly understand those risks and their roles and responsibilities in managing them. Consider these six specific issues that you and your employees might not be adequately addressing.

1. Data Is Discoverable.

Foley & Lardner partner Michael R. Overly began his part of the presentation by noting that BYOD devices might be discoverable in lawsuits. In English: Everything an employee does on her personal iPhone, for example, could be used as evidence in a lawsuit against her employer. Overly said that usually comes as a surprise to senior management when he does corporate training work. "More times than not, those executives are absolutely, positively astonished when we explain that when someone participates in a BYOD program, that device may be subject to discovery in litigation," he said.

Employees who assume they have a right to privacy -- it's "my" device, after all -- might likewise be in for a shock. The personal devices they use at work could be examined not only by their employer but by the other party in the lawsuit. Their social media, photographs, personal email, geo-location information and many other kinds of data could be pored over at length.

"Even though people may understand [the discovery process] in a general sense, [they] do not appreciate just how invasive a review like that can be," Overly said. "Which is why it's so important to make sure that people that elect to participate in a BYOD program understand that type of risk -- that, by participating, you're giving up certain rights."

2. Discovery Can Be Expensive.

If you have a come-one-come-all approach to BYOD -- as in "if we allow one device, we might allow them all" -- this might make you rethink it. Lawyers don't typically work cheap and discovery can get expensive. If employees are using not just one but two or more personal devices for work, you're potentially adding a multiplier to your legal costs in a lawsuit. That's because all of those devices might have to be turned over for discovery. In fact, there doesn't even need to be a lawsuit to incur such costs -- just the threat of one and a requirement for litigation hold. "This is a cost that needs to be built in and understood in connection with deciding whether a BYOD program is appropriate for your business," Overly said.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/26/2012 | 7:58:25 PM
re: 6 Risks Your BYOD Policy Must Address
Well folks. There you have it.

If any business is still up for having a BYOD policy after understanding the legal risks, then they are just plain crazy. Same for the employee who will fork over a good bit of their personal life as part of the, ahem, bargain.

I find it hard to believe that BYOD is more cost effective than an employer provided device when you look at the the total cost of ownership (TCO).

BYOD (short of insuring us IT types a good long career) is ridiculous on many fronts... legal, technical, security, privacy... ad nauseum.
NJ Mike
NJ Mike,
User Rank: Moderator
11/26/2012 | 6:23:11 PM
re: 6 Risks Your BYOD Policy Must Address
My solution to this BYOD problem - tell my employer if they need to be to have a smart phone or a tablet, or a laptop, they can issue me a smart phone, a tablet, or a laptop. I don't like to mix business with personal, so the thought of using my personal phone/computers for work is not something I want to do.
User Rank: Ninja
11/26/2012 | 4:30:22 PM
re: 6 Risks Your BYOD Policy Must Address
"The personal devices they use at work could be examined not only by their employer but by the other party in the lawsuit."

This is why you WIPE all evidence from your phone after every call or every app used. No one spies on my private phone, ipad, or tablet. Its also helpful to have multiple fake name accounts on ALL social media. Learn to beat the busybody nosy types at their own game.
How COVID is Changing Technology Futures
Jessica Davis, Senior Editor, Enterprise Apps,  7/23/2020
10 Ways AI Is Transforming Enterprise Software
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/13/2020
IT Career Paths You May Not Have Considered
Lisa Morgan, Freelance Writer,  6/30/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Current Issue
Special Report: Why Performance Testing is Crucial Today
This special report will help enterprises determine what they should expect from performance testing solutions and how to put them to work most efficiently. Get it today!
Flash Poll