The Cookie Jar
Mobile – BYO device
Gone are the days when employees would turn off their PCs at the end of the working day and shut themselves off from work-related communications until the following morning. The era of the 24/7 employee has arrived, with tablets, smart phones and other portable devices allowing us to stay connected at any time of day and wherever we may find ourselves.
 
24/7 they may be, but this new generation of worker may be less flexible when it comes to their means of remote working. These employees want to use a device which is convenient, familiar and suited to their way of working. And so the trend of BYOD or “bring your own device” has evolved. Of course, in reality, BYOD is not an entirely new concept - individuals have been using their own devices for years as a means of flexible working and increasing their own productivity. But with the constant development of smart technology and many individuals owning two, or even more personal devices, BYOD usage has grown exponentially and is no longer something employers can simply choose to ignore.
 
So, should every employer be embracing BYOD?
 
BYOD presents a number of benefits for employers, in particular:
  • Reduced costs: If employees are using their own devices, their employers don’t have to provide them with one.
  • Happy employees: Employees benefit from the convenience and ease of only having to carry one device, the comfort of using a device with which they are familiar and the flexibility of remote working.
  • Productive employees: Happy employees often make for more efficient and productive employees. An employee using their own device is more likely to be contactable outside of working hours and may be more amenable to working remotely if using their own device.
 
24/7 happy, productive workers and a reduced IT spend, so where’s the catch?
 
Unfortunately it’s not all plain sailing when it comes to embracing BYOD. Loss of the employer’s control over the devices used by its employees raises a number of questions over practical matters, such as where the device is kept, who is responsible for securing it, who may access it and who owns the content stored on it. These questions inevitably lead to concerns over security of devices, confidentiality of private company information and issues of legal compliance, particularly in the area of data protection and privacy.
 
Hands off my device...
 
Personal devices used for business purposes will inevitably contain confidential company data and may also contain company personal data, for example relating to the company’s customers. But of course this is not all these personal devices will contain. Consider the situation where an employer requests access to an employee’s personal tablet device – the same device where the employee stores their photos, personal emails, personal contacts etc. It is easy to see that the employee may be reluctant to oblige.
 
An employer may therefore find itself in the sticky situation of being unable to access data that it is legally required to be able to access. For example, the employer may be prevented from responding to a data subject access request under the Data Protection Act 1998 (DPA), or may be prohibited from fully complying with a disclosure process in the course of litigation.
 
Employers are also likely to find that their ability to monitor the use or misuse of their data, or to track the location of a device holding such data, will be limited by the operation of BYOD. Employers must comply with the DPA in respect of any monitoring activities they conduct and must be open with their employees about the scope of such monitoring, which in any event must remain within proportionate boundaries. In particular, employers must be mindful that their employees have legitimate expectations of keeping their personal lives private and therefore should focus any monitoring on the times of day when employees are most likely to be (or are required to be) working.
 
Similarly, whilst recording the geo-location of devices may provide a security benefit to employers, it may not be justifiable to be keeping tabs on an employee’s whereabouts, particularly outside working hours. This may also lead to tricky issues where an employee takes a device abroad – any monitoring or tracking of that device may become subject to the laws of a foreign jurisdiction, leading to potential compliance issues for the employer.
 
Finders keepers...
 
We all know the drill. A quick “post hard-day-at-work” drink leads to several more and before you can say “data breach”, an otherwise conscientious employee wakes up unsure of how he got home and even less certain about the whereabouts of his smart phone.
 
The DPA requires “data controllers” (typically a company that collects and stores personal data about its customers and employees) to take appropriate security measures to protect personal data from accidental loss, destruction or damage and to prevent it from being unlawfully “processed”. The average person might use a four-digit PIN code on their personal device, but this is unlikely to present an insurmountable hurdle for its “finder”. It is certainly arguable that one would expect a greater level of protection for sensitive company information, or indeed for personal employee or customer data.
 
Using a personal device presents numerous security risks. For example, use of the device on an unsecured Wi-Fi network on a train or in an airport is likely to make its content more easily accessible to hackers. There is also the possibility that family, friends or other third parties may have access to the device, enabling them to view and even disclose (whether or not intentionally) confidential company information. If this information gets into the wrong hands, the repercussions for the company could be substantial, including potential breaches of the DPA, public disclosure of trade secrets and general reputational damage.
 
So is it really worth the risk?
 
Many employers take the view that the risks outweigh the benefits and continue to issue their employees with company-owned devices for work use only. Some may consider that the potential cost savings of BYOD are countered by the additional cost of implementing sufficient security measures to ensure that company information is protected. The reality is that, regardless of a company’s stance on BYOD, certain individuals will do it anyway. So in the age of the flexible, 24/7 employee, all employers should be looking at how to manage the risks associated with BYOD.
 
Security, storage and sandboxes...
 
As a minimum, employers should require all devices used for business purposes to be protected by a regularly-changed password. Encryption and anti-virus software can be loaded on to devices for additional security, although this may slow down the device to a level that is not acceptable to the employee. Remote tracking, locking and wiping technology is available, but these come with their own risks and problems, for example issues relating to monitoring as mentioned above and the potential for wiping irreplaceable personal content belonging to the employee.
 
Company data can be backed up to avoid problems associated with data loss; however, again this isn’t a problem-free solution. Security of cloud-based storage systems can be problematic as these can potentially be accessed from any device by multiple users. Backing up data can also be a costly process and presents data protection implications of its own. For example, the DPA places limits on the duration of storing personal data once it is no longer being used. There is also a risk that backing up content stored on personal devices could inadvertently lead to the backing up of an employee’s personal content, which again presents data protection implications.
 
One option for employers is to create a corporate “sandbox”, which is essentially a separate, contained “box” within a device, where all company-related data can be stored. This has the advantage that the employer is able to secure, access, delete etc. its content without touching the personal content of the employee. Of course, the success of such an approach will largely depend on how obstructive the sandbox is to the employee’s use of their device, how easy it is to use and of course the employee’s ability to ensure that all company data, and only company data, is kept within the sandbox.
 
The proof is in the policy...
 
Regardless of an individual employer’s stance towards BYOD, they should ensure that it is clearly set out in an employee policy. Simply ignoring the issue will not make it go away.
 
Guidance prepared by the Information Commissioner’s Office makes it clear that a policy should be implemented to inform employees about their rights and responsibilities when using a personal device for work purposes and that such policies should be regularly reviewed and updated.
 
A good BYOD policy should cover:
  • What the device may be used for and what it may not, including the types of company data that may or may not be accessed and stored on a personal device.
  • Security obligations including use of PINs and passwords, updating of anti-virus software, requirements for storage and safekeeping of the device and a process for reporting the device lost or stolen.
  • Limits on the employee’s ability to download to the device and/or guidance about the risks of downloading untrusted or unverified applications or content.
  • Clarification of who owns the device and the different types of data stored on it. As data controllers, employers must ensure that all processing of personal data that is under their control remains in compliance with the DPA.
  • A clear right for the company to access the device in certain circumstances (including, where necessary, the disclosure of employee passwords), for example, in relation to compliance with the company’s legal obligations or in respect of investigating a complaint made against the employee.
  • An explanation of how, when and in what circumstances monitoring of the device, its use and the content it stores, may occur.
  • Reservation of the employer’s right to remotely lock or wipe the device in certain circumstances (and an explanation of what data may be locked or wiped), for example where the device is lost or stolen.
  • Detailed procedures for what happens on termination of employment.
 
Whilst a policy may not eliminate all of the risks that BYOD presents, it enables employers and employees to be clear on their respective rights and obligations and provides a means by which employers can seek to ensure security of company data and compliance with their data protection responsibilities. Employers should also offer training to employees on the use of BYOD and compliance with the BYOD policy.
 
Summary: to BYOD or not to BYOD?
 
Like it or not, BYOD and the age of the 24/7 worker are here to stay. Whether employers choose to embrace BYOD with open arms, or to ban it altogether, the one thing that they must avoid is BYODenial. Employers should ensure that all employees are clearly informed of their BYOD rights and obligations through the implementation of an explicit and regularly updated policy and appropriate training. Employers should also ensure that sufficient security measures are in place to protect employee devices and the content contained within them and must remain mindful at all times of their compliance obligations under the DPA.