BYOD (Bring Your Own Device) describes the trend of companies allowing their employees to use their own personal devices to access their company’s network, create and/or store business information. Companies like the cost benefits and flexibility; employees like working using their tools of choice. The impact of BYOD on compliance, corporate risk and litigation is, however, a top concern. In-house counsel are now grappling with securing company information, as well as the challenges that BYOD brings in the event of litigation or regulatory action.
Corporate security – Protecting your company data
In house legal and compliance teams are concerned about the security of corporate data outside of the corporate network. Extra care is needed in a BYOD environment.
Employees may be more casual about guarding company information on their personal devices. Employees connecting to the Internet over an unsecured connection may unwittingly expose companies to risk. Improper disposal of a personal device may also present risk. Loss or breach of certain types of data, such as information protected by HIPAA, for example, can create liability and expense for the company. Valuable business information on personal devices not backed up to company networks may be irrevocably lost if the device is too.
Despite the corporate concern, companies are only just beginning to grapple with the security risks posed. For example, a recent Gartner survey revealed that 68 percent of corporate respondents were very/extremely concerned when thinking about securing enterprise data on employee mobile devices, yet only 45 percent had a formal BYOD policy. In another survey, 80 percent of corporations were not regularly educating their employees on security and privacy risks related to BYOD, and 58 percent lacked policies on employee-owned mobile devices. For companies just exploring this risk, the good news is there are some technical and policy based options available to mitigate the risks.
Special challenges for electronic discovery
Additional concerns arise about the ability to appropriately identify, preserve and collect data in response to litigation or regulatory actions where company data resides on a personal device. It may be difficult for practical reasons for corporate counsel to preserve or collect it. Parties can request data within an opposing party’s possession, custody or control, but is data stored on an employee owned mobile device “controlled”? This is an evolving area, but prudence suggests that companies proceed under the assumption that their data may be viewed as within the corporation’s control on an employee device.
Assuming the company can get access to the device, the mix of employee information (including what may be sensitive personal data) on that employee owned device creates its own set of potential issues that must be considered in the collection process. IT and other workers accessing mobile devices may gain access to legally protected personal information in the course of collection. Depending on the jurisdiction, employee data may be protected under any of number of complex privacy and computer trespass laws. Corporations accessing or deleting employee data without employee consent may be at heightened risk. Policies and procedures for obtaining employee consent to access and to removal of any personal data to enforce security policies, as a condition of using their personal devices, may be a good practice. Any collection effort undertaken by the company should be as narrowly tailored as possible to target the business data. Providing employees with notice of collections and any data deletion, whenever possible, should also be considered. Public policy concerns may also come into play.
Counsel needs to carefully consider their litigation response in jurisdictions with strong data privacy regulations. They should ensure that internal counsel and external counsel are sufficiently aware of the potential existence of unique data on BYOD devices when preserving and collecting data.
Finally, assuming that the device is available and access issues have been dealt with, counsel should be prepared for a more complex (and potentially more costly) execution process than they may be accustomed to on collection due to the multiplicity of hardware, software and applications in a BYOD environment.
5 practical tips
Companies using or considering BYOD should be proactive about handling their data in the BYOD environment and should consider ways to mitigate risk to navigate the process.
1. Know Thyself! Because you want a policy and process that will help support and manage BYOD within your organization, start by taking stock of your organization and your needs:
- Should everyone have access to BYOD? How will it be restricted?
- What’s the cultural environment of your company, and how much will monitoring and control of their devices create morale issues? How will that be positively managed?
- Who will ‘own’ the BYOD Policy in your organization? What stakeholders need to be brought in to develop it and make it work?
- What other policies should be examined in light of the BYOD, i.e. HR, electronic use policy, employee termination procedures, corporate monitoring of Internet use and communications.
- How will you work BYOD into your litigation holds policies?
2. Craft an effective BYOD policy: A well-crafted BYOD policy will aim at number of issues. The policy should clearly define the rights and duties of both employer and employee. Importantly, corporate BYOD policies should be clear on what access the corporation will have, and establish clear and unambiguous consent from the employee to access to their data, and to the potential loss of their data ( for example, in a forced ‘wipe’), in a signed use policy. The standards for what constitutes acceptable use, devices, and networks should be set out. The policy should also clarify how corporate data will be kept separate from personal data wherever possible.
3. Use available technology to help support the policy: Corporate IT in a BYOD environment should consider using available technology to help drive compliance. Mobile Device Management applications (MDM) and HTML5 technology, for example, can allow corporate IT to remotely install software, update security or remotely wipe in the event of loss or theft. Investigate split use software, encryption, and secured password protocols. A robust BYOD program should condition allowing the installation of such software on any device an employee wishes to use for company business.
4. Back up mobile data ahead of time: Support the regular business practice of backing up mobile work data onto the corporate network. Consider incorporating this into your appropriate polices. This is particularly important as regards key executives and decision makers. The backup process will greatly reduce the risk of lost data stored on mobile devices and may simplify the collection process should a dispute arise.
5. Vigilantly support the BYOD policy through training and monitoring of compliance with the policies: BYOD is a rapidly evolving area of technology and law. The policy will need to be reviewed regularly, at least annually, to assure corporate compliance with evolving data privacy laws. Employee training will also need to be refreshed regularly to bolster compliance and to keep pace with evolving law.