
By Eric Crespolini and Robin Hardy, HP Autonomy

In the world of working on-the-go, we have a new acronym to add to the list. 'BYOD' means 'bring your own device' and it can refer to everything from laptops to the smartphones and tablets that people use in their line of work every day. The concept of working from any location has transformed business and given us free rein to work whenever and from wherever, but it deserves careful attention before it is adopted.

As corporate counsel, it is important that you consider the convenience gains and objectives of BYOD, and then properly understand the risks involved and the best approaches to mitigating those risks. This Top Ten provides some guidance on those benefits and risks.

1. Understand your goal

In some legal organizations, the driving force behind BYOD adoption can be a small group of executives who want the convenience of using their existing device. Others see BYOD as a method of increasing productivity. Further still, it can be seen as a method for reining in costs through the convenience and speed of instant communications. Understanding the goal of BYOD is important because counsel may have to employ differing policies and implementation methods tailored to meet specific objectives.

2. Establishing a formal BYOD policy

An organization implementing a BYOD program needs to give careful consideration to developing policies that facilitate successful implementation and risk mitigation. To that end, it is important to make sure that, in addition to simply defining what is and is not permitted, the policy also includes and facilitates the following:

Education - The policy must be able to clearly articulate the responsibilities that both the employee and the organization have as part of a BYOD program. This includes explaining the risks that can occur and the responsibilities that all parties have in mitigating those risks.

Consequences - It is important to spell out in the policy the obligations of both the employee and the organization, with respect to legal obligations as well as privacy considerations. It is also critical to explain the risks that non-compliance creates. And, the organization must ensure that the policy does not conflict with other organizational policies and, where applicable, local laws.

Complexity - Make sure that the policy is not unnecessarily complex. It should be narrowly tailored to meet specified business objectives. For instance, the policy should be designed in such a way that it can be reasonably executed by the typical employee.

Flexibility - Design your policy so that it is flexible enough to adapt to a changing technology landscape by providing a framework for addressing situations not previously contemplated.

3. Identify stakeholders in your BYOD policy

Oftentimes counsel is notified of the creation of a BYOD program only after it has been enacted, since it is often viewed primarily from the IT perspective. That said, it is important to bring together all of the potential stakeholders when crafting a BYOD program and corresponding policies. Common stakeholders in the organization will be the business users whom the program will most directly impact, the IT organization responsible for supporting the devices, and counsel who need to ensure the program does not interfere with potential preservation obligations or compliance duties.

In addition, it is important to understand that business, IT, and Legal departments are often not monolithic groups, and within each there will be differing objectives and concerns that will need to be evaluated. For example, it may be important to understand how any disaster recovery or backup solution will interplay with document retention schemes.

4. Consider employee-related issues

It is important to understand what the net benefit is to both the organization and the employee as part of your BYOD program. After all, it is more difficult to claim the right to capture the data on the personal device of a departing employee if the organization mandated the BYOD policy and did not contribute to the cost of the device and service. Unfortunately, there are no hard and fast rules, and courts are loath to weigh the sufficiency of the consideration. But here are a few factors to consider:

Does the employee receive remuneration as part of the BYOD program in the form of direct billing, stipend, or reimbursement? Is there an expectation that the employee will be in contact outside of normal working hours and that they will use the device to accomplish this? Is BYOD a mandated rule? For instance, can the employee opt out and receive a company-provided device?

5. Determine which devices you will support

As part of any evaluation of a BYOD program, it is wise to take stock of the variables that your organization can safely manage. Corporate IT, as a rule, thrives on standardization. For instance, most employee computers share a similar build process with consistent software. This standardization provides consistency in performance, support, and execution across the enterprise. With respect to BYOD programs, attempting to support Apple iOS, Android, Windows Mobile, and BlackBerry OS devices introduces additional risk because each platform will likely require a different mechanism for protecting the device along with different capabilities in the areas of data segregation, security, remote collection, and backup. While IT may be charged with the implementation of such a program, it falls on counsel to understand the risks that lack of standards can introduce to the organization.

6. Protecting various devices

Any BYOD program should have a well-considered plan for how proposed devices will be protected, in terms of both digital and physical security. Each mobile device that has access to an organization's data provides a treasure trove of information for a would-be hacker or thief. Therefore, while organizations often put considerable thought into password policies, that should only be the start of the discussion, not the end of it. Give thought to how devices may be penetrated remotely via Wi-Fi or Bluetooth access. Often people think of settings/software as the first line of defense against a data breach, but in reality the employee is the first line of defense. That is why it is critical that any BYOD program be paired with training that prepares employees to protect the organization. This training may be as simple as telling them not to connect to unknown Wi-Fi devices or to disable Wi-Fi/Bluetooth when not needed, or it may be as simple as telling employees not to share their device or give out the password.

7. Decide who owns what and when

While everyone can hope that an employer-employee relationship will last forever, the reality is that BYOD programs do make things more difficult if there is a separation. To that end, it is important to be proactive in evaluating what needs to happen in a breakup and develop a "pre-nup" of sorts to lay out the specific actions that each is obligated to perform.

8. Accessing personal documents & communication

When developing a BYOD policy, it is important to specify not only what the organization's access rights are with respect to the device, but also any access limitations. The limitations should be specified to ensure the employee is protected when they are using the device for non-business purposes. For example, if the BYOD policy states that the organization has the ability to monitor/record all communications that go through the device, this could potentially be sufficient to constitute a waiver of attorney-client privilege for the employee in their dealings with their counsel.

Beyond the concern your employees may have with their employer having unfettered access to their device, there is the increased chance that you will be exposed to privacy laws. While these laws vary by region, it is important to evaluate how they may impact an organization that has employees in various locations throughout the world.

9. Consider unintended consequences

Organizations often put a tremendous amount of thought into considerations as mundane as when to upgrade to the latest version of a spreadsheet tool. Unfortunately, BYOD programs, by their very nature, bring chaos into this carefully ordered world. For this reason, BYOD programs and corresponding policies need to be developed not in an attempt to eliminate the chaos, but to ring-fence it. One area of consideration is device upgrades. In the IT world, laptops are often "refreshed" on some sort of scheduled basis. With mobile devices, upgrades and changes are often not scheduled to the same extent. To accommodate mobile devices, organizations must be prepared not only to deal with having to support newer devices, but to support multiple changes in a year.

This device-swap process becomes more complicated when an employee is subject to a legal hold. Other swap scenarios might include when the device breaks, is turned in for a credit, or given, for instance, to a family member. And there are considerations such as needing to replace a screen and having to provide the password to the technician testing the device, a scenario that could pose a threat to the organization. As a result, BYOD policies have to be nimble enough to handle situations not contemplated, while providing sufficient specificity so that each party knows their rights and responsibilities.

10. Decide on your direction

While it may sound overly dramatic to position counsel as gatekeepers, it is important to be able to ask the question, "Just because we can implement a BYOD program, does it mean we should?" While counsel must be prepared (often in the face of tremendous momentum), sometimes the organizational risks and costs of a particular business approach are simply too high. However, if a BYOD program is adopted, it is smart to weigh the pros and cons to determine how the strategy could impact your organization, and then take steps accordingly.

Region: United States