With practically all the people you know walking around with more computing power in their pockets than could have been mustered by an army of lab-coated technicians a few decades ago, it’s not surprising that Bring Your Own Device (BYOD) is the now thing. What is surprising, though, is how some companies, software publishers, other vendors, and corporate employees themselves seem to be treating the implications of this change.
Gartner, the IT research and advisory company, defines BYOD as "an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data." There are variations in which devices are personally selected but purchased by the company (for example, COPE: Corporate Owned, Personally Enabled), but most of the BYOD world is just what you think it is: people using their own smartphones, tablets, laptops — even game consoles, smart TVs, or other smart devices with internet access — to perform two functions that have been protected by high walls since the beginning of the Information Age: execute enterprise applications and access data. This article discusses some of the unintended (or unanticipated) consequences of companies adopting a BYOD strategy.
EXECUTING ENTERPRISE APPS: THERE’S AN AGREEMENT FOR THAT
If flying cars ever take off, the existing rules of the road will probably have to be revised. George Jetson encountered (and obeyed) floating stoplights on his way to work, but real highways in the sky will probably lack that kind of similarity to their terrestrial models.
Like Jetson’s commute, the high-flying world of BYOD is now operating mostly under terrestrial rules, and that can be a problem. Software licensing agreements drafted before BYOD contain definitions and terms that get stretched out of shape when draped across the new paradigm (What’s a user? A device? Access?). If enterprise applications are licensed per device, as is often the case, what are the licensing implications when a user accesses enterprise applications on six different devices?
Some software publishers require different kinds of licenses for work performed on corporate premises and remotely. Some make a distinction between a "qualified device" and a "qualified third-party device." Some want to know if the device is accessing a virtual desktop infrastructure. Many users, purchasing agents, and technology implementers may have trouble finding their way through this licensing jungle without a guide, but here even the guides can get lost.
As publishers struggle to find ways to get their fair revenue from the consumerization of IT, they will notice that BYOD almost inevitably results in certain situations that make a software audit a rewarding activity (for them, not their customers). Software audits are increasing rapidly. Any questions about the adequacy of corporate licenses become a lot harder to answer when employees access corporate email or office productivity suite on tablets, smartphones, and laptops — the laptop on which employees often click acceptance to individual licenses for productivity tools for which the company already has agreements in place with potentially conflicting provisions.
ACCESSING DATA: FILE THAT CONFIDENTIAL MEMO NEXT TO THE VACATION PICTURES
The tug-of-war between convenient data access and prudent security has been going on for a long time, even on standard company-owned devices. Adding BYOD to the convenient access side of the rope might send the prudent security team tumbling to defeat.
That smartphone in your pocket (or sitting on the counter at Starbucks tempting fleet-footed thieves while you fumble for your credit card) probably offers easy access to your work email and thousands of attached files on your Microsoft Exchange server. It and the other devices you use on your home network and elsewhere may store work files the same way they store personal pictures, home movies, and other files. Should you ever be subjected to e-discovery, all of those files — not just the text or instant messages in which you discussed the merger and should have been a little more discreet, but also Aunt Pauline’s recipe for zucchini bread — will be an open book. And you may have to give up the device itself for a while so that it can be examined or imaged.
But wait, you would certainly protest — that’s my zucchini bread recipe. Well, yes and no. True, it’s on a device you bought and paid for and for which you pay the monthly connection fee. But since you also use your device for corporate matters, it is no longer a simple matter to determine which rights are yours and which ones belong to your employer. Does your company policy require that you identify company documents or personal documents so that the appropriate ones are subject to e-discovery’s preservation and retention obligations? How will those company documents be transferred from your device to the company’s computers if there is a need to produce those documents? But unlike Aunt Pauline’s yummy zucchini bread recipe, the company’s need to preserve those documents on your device isn’t necessarily a slam-dunk: it is not clear that your employer has a duty to preserve or collect information from your personal accounts and devices even where the device has access to business e-communication channels. That duty may hinge on whether a court believes the company has "possession, custody, or control" over the device or account (i.e., does it have a legal right to it or the practical ability to obtain it?).
Your employer frequently has a policy stating that it has the right to track this device because it is used for business purposes. If that fleet-footed thief makes away with the device, your employer typically has the right to wipe it and erase all the files remotely, including that wedding video you’ve been meaning to offload to your PC but never did. What are your record retention requirements? What happens if you buy a new phone, and exchange your old one for it? Or if your phone breaks and you can’t afford to buy a new one until next payday, and you need it to do your job today? What do you have to do if you find a new job, or get fired, or retire, and the IT asset management team wants to retire your device along with you?
BUILD YOUR OWN DESTINY: WHAT YOU CAN DO NOW
If you are involved in writing, administering, or using information technology agreements in any way, congratulations. You are working in a time of transition and new possibilities. You have the opportunity to solve an interesting problem: how can software and other IT agreements be updated to reflect the new reality of workers no longer tethered exclusively to company-owned equipment?
The new solution you or others arrive at will probably have these elements:
• It will find a way to compensate software publishers fairly for the new ways their intellectual property is being used.
• It will inoculate companies against under-licensing risks incurred because their workers have so many device options at home and on the move.
• It will align software licenses to both actual and intended usage (considering the way the software is hosted on a server or virtualized server that may be in your data center or a cloud along with the end user license or access grant).
• It will make it easy for companies to develop revised policies on data security.
• It will be able to accommodate new technologies when they come along.
The first step? Dig out your existing software, maintenance, and other license agreements and read them carefully. As you do, be mindful of the fact that, even if your company has not instituted a BYOD policy, some people are probably already accessing company servers with non-company-owned devices. Pay attention to provisions in your existing agreements that restrict access from off-premise locations, or that define users or devices in a way contrary to the operational definition you would give it knowing what you know now, or that seem inappropriate to the technology world as we use it today.
After all, that’s a powerful computer in your pocket, and it isn’t going away.
Susan Ross, senior counsel at Fulbright & Jaworski, was assisted by Diane Carco, president of Swingtide Inc. Email Ross at firstname.lastname@example.org.