BYOD raises legal issues

For the London Free Press - April 30, 2012

BYOD, or bring your own device, is a hot topic. It refers to the trend of employees wanting to use their own smartphones or tablets for work purposes, rather than the ones their employer provides.

Why would an employee want to use his or her own device? It might be a better or more familiar device than their employer provides. Or they might not want to carry two phones. Or their employer might not provide phones or tablets at all.

BYOD can cause headaches for IT departments. It's much harder to deal with many different types and configurations of devices in the workplace than one specific device or configuration approved by and owned by the employer.

This is a trend that can't be stopped, and it can have advantages for the employer. But BYOD also raises legal issues that need to be considered.

For example, employers usually have technology use policies that allow them to look at whatever an employee does on his work computer or device, even if the employee uses it for some personal use.

The goal is to be able to monitor and deal with improper employee behaviour, such as wasting excessive amounts of time surfing the net, or violating privacy, confidentiality, laws or corporate policies.

But those policies usually justify monitoring based on the notion that the equipment is owned by the employer. Those policies should be expanded to try to include BYOD devices.

It's unclear to some extent how effective that will be if the issue gets into court, as there are issues of personal privacy connected with employer monitoring of a personal device. But there should at least be an attempt to address the situation and provide a plausible argument for monitoring in certain situations.

Another issue is how to ensure the privacy and security of employer data on a BYOD device. Businesses must keep personal information secure, and need to keep other information secure for various confidentiality and business reasons.

That is easier to do on a smartphone, for example, that the IT department has configured and locked down to require password access, or to encrypt sensitive information, or to allow it to remote lock or wipe the device if it's lost or stolen.

That becomes more of a challenge when dealing with BYOD. Technology use and security policies should be looked at in light of this. Should users, for example, only be allowed to use a BYOD device if it has a screen lock?

Another approach is to set up systems so that as much as possible remains in the cloud or company-controlled servers, with proper access security. That way, if a device is lost or stolen, the data is not on the device itself.

Access must be simple and easy, though. Otherwise, employees will just ignore corporate policy and resort to faster and easier ways to get what they want on the device, such as dragging files into Dropbox or e-mailing them to a personal e-mail account.