BYOD (bring your own device) is a buzzword amongst company IT departments and policy makers. BYOD is an employee-purchased and owned device (i.e., laptop, smartphone, tablet) that is connected to a corporate information network system or otherwise used to conduct company business. A recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. In this cyber age where privacy and cyber security are major concerns for employers and employees alike, BYOD is a proverbial minefield for those unaware of the legal, security and privacy risks.
Emerging BYOD Legal Risks
In this world of telecommuting and start-ups, many companies allow employees to use their own laptops and smartphones. Companies have thereby ended the Apple v. Android, Mac v. PC debates, a win-win for employees and their employers. This all might sound great for both employers and employees, but as with any new invention, the risks of BYOD policies have not yet been resolved. Nor have we seen any BYOD policies take center stage in a publicized legal dispute. We have, however, seen disputes arise over storing company data on personal devices. In Barrette Outdoor Living, Inc. v. Michigan Resin Representatives, the Court ordered an employee to pay $35,000 in sanctions for failing to preserve his cellular phone and deleting 270,000 company files from his personal laptop. Even when using a personal device, employees may have a duty to maintain corporate information if their employer goes to trial. Employees may face personal legal liability for actions taken while using their BYOD device.
Understanding BYOD Security Risks
When employees have access to company networks and data through their personal devices, the company becomes increasingly vulnerable to security and legal risks. Companies that allow broad access face the risk of employees deleting company data and are susceptible to the carelessness of employees and third-party users. These users can be anyone from a child using a parent’s phone to office visitors connecting to the company Wi-Fi. When BYODs and third-party devices bypass security features normally applied to corporate devices, they are vulnerable to malware—a costly risk, particularly in regard to Android devices. Additionally, BYODs that bypass network security elevate the risk of non-compliance with data privacy laws and regulatory requirements.
Mitigating Security Risks & Maintaining Employee Privacy
The most effective mitigation strategy will couple emerging tools with a BYOD policy to protect company assets and security, examples of which include:
- Developing a BYOD policy that addresses ownership, password requirements, employee privacy, liability, limitations on access/use, search parameters and what situations trigger which reactions.
- Selectively publishing company data to new mobile apps; users get the data they need, and the company has greater control over data security.
- Requiring device encryption.
- Installing software to track which documents employees download.
- Installing technology to wipe only corporate settings, data and apps to protect business assets while leaving personal data and settings intact.
- Exploring geo-fencing to protect company information and prevent data breach by disabling device features such as the camera within company space.
Use and implementation of these tools will depend on company needs but should be considered to mitigate legal, security and privacy risks.
To see more from me on this issue visit: http://techpageone.dell.com/technology/byod-policies-tangle-hr-legal/