BYOD Policies: A Litigation Perspective
By Andrew Hinkes – July 8, 2013
Bring-your-own-device (BYOD) policies are an emerging solution to a new problem: How can an employer control the movement of company data when employees use their own personal devices instead of company-issued devices? With the growing ubiquity of smart phones and digital appliances, it is more and more common to see employees managing their lives through their personal devices, which are often newer and more user-friendly than company-issued devices. Many employees do not want to carry multiple devices and would rather manage their lives on a single device. Likewise, companies are hesitant to devote increasingly large budgets to keep up with employees’ desire for constantly evolving mobile devices. BYOD policies can provide the solution.
Creating and implementing BYOD policies require joint participation of legal, management, compliance, risk, and information technology (IT), and require planning and forethought. If properly implemented, these policies can allow employees the flexibility of using their own devices to access company resources while allowing employers to maintain control over company data, reduce IT costs, and control overhead expenses. Properly implemented policies can also lessen the expense, time, and confusion inherent in litigation holds and discovery production from mobile devices.
What Is a BYOD Policy, Why Do I Need One, and What Does It Do?
The use of employee-owned personal mobile devices such as smart phones, tablets, and laptops in the workplace is increasingly common. Employee-owned devices are often newer and more user-friendly than employer-issued devices, which, due to lease programs, may be years older (and generations behind) employee-owned devices. Whether it is a “user friendliness” issue or simply that employees do not want to carry multiple devices, employees and employers alike have moved to embrace BYOD.
If your company has not already embraced BYOD, it is in the minority. A Gartner survey found that 70 percent of corporate respondents already have, or are planning to have, BYOD policies in place in the next 12 months. This represents a conceptual shift for employers—IT departments are no longer managing devices; instead, they are managing and protecting employer data.
If properly implemented, a BYOD policy can result in higher morale and workplace satisfaction for employees along with more accessibility. There are, however, significant risks and liability issues that are less manageable when an employee owns the networked device and can use it independently for tasks unrelated to employment. The key consideration in crafting a BYOD policy is the balance between the desire to allow the employee full rein over the employee’s own device and the employer’s need to impose controls to protect company data.
Key Considerations for a BYOD Policy
When crafting a BYOD policy, consider the following:
1. preserving employer confidentiality over sensitive data and trade secrets
2. balancing employer data security with employee right to privacy
3. ownership and cost issues
4. policy synergy
5. training and “employee buy-in”
Preservation of confidentiality over sensitive data and trade secrets is the primary purpose of a BYOD policy. Modern companies deal in information as much as products, and employee use of personal devices may potentially expose company data to espionage or simple loss.
Preservation of confidential information and trade secrets. Companies must take steps to protect their confidential information, including price lists, customer lists, and financial information. Data has become incredibly portable and mobile; every device is a walking hard drive. Thus, limiting the distribution of employer-protected confidential business information is critical. A BYOD policy should establish which employees should have access to what information on their personal devices on a “need to know” basis.
If an employee-owned device holding confidential information is compromised or misused it can pose a significant risk to a business. Lost business data may attract unwanted publicity and can lead to the erosion of customer and employee confidence in the organization’s ability to manage its business. In the era of employer-issued devices, the easy solution was to remotely wipe the device; it is considerably harder to manage lost data events when a remote wipe of the device will also destroy your employee’s personal data on the device.
In certain situations, including those involving concerns under the Health Insurance Portability and Accountability Act, Securities and Exchange Commission rules, and Sarbanes-Oxley, there are regulatory or compliance obligations that require special control and protection for data. Likewise, European data-protection laws impose obligations upon data controllers to keep personal data secure and to take appropriate technical and organizational measures against unauthorized processing or accidental loss or destruction of personal data. For certain European operations, a company may be legally obliged to report data-security breaches to the Data Protection Commissioner. Your BYOD policy should incorporate reporting procedures to comply with regulatory reporting obligations.
BYOD policies should discuss both technical and organizational safeguards dealing with data loss. Mobile device-management software that allows for centralized management across multiple devices can provide the amount of control needed to regulate employee-owned devices. However, as discussed further below, employers should require users to expressly consent to this intrusion into their personal devices.
What safeguards against loss of confidential information and trade secrets exist and are actually implemented can have significant impact in litigation. BYOD safeguards must dovetail and harmonize with company document-retention and -destruction policies; unevenly enforced retention and preservation policies may operate as a waiver of safe-harbor defenses under litigation rules.
Balancing security with right to privacy. A BYOD policy should seek to balance employee personal privacy with the company’s right to control business information on the device. Great care must be taken when accessing, processing, and managing personal and private data of an employee. Embarrassment and potential claims can originate from clumsy handling of employee devices.
Most BYOD policies will include a certain degree of monitoring on the devices to regulate access to company data. To comply with data-protection requirements, organizations should set out clearly what information on the employee-owned device might be monitored and/or accessed. A company should be able to demonstrate that its employees have given fully informed and unambiguous consent to the company to reach data on their personal devices.
Particular focus should be placed upon any security or access software to be installed on their devices. The employee should be trained to ensure he or she understands how the management software operates, and so that there is no doubt about the nature of the consent given to its use. Employees should also be informed of their right to revoke their consent at a later date if so desired.
Ownership and cost issues. A BYOD policy typically includes some financial incentive to the employee to agree to and abide by a BYOD policy. This could involve funding employee data plans, insuring the device for loss or theft, or subsidizing the purchase price of the employee device. The policy, however, should make clear that the company is not liable for whatever the employee does with the device, even if the company subsidizes the purchase or use of the employee-owned device. The BYOD policy should clearly set out how the business and personal uses of the device will be differentiated and paid for. Tax advice may be needed to deal with “benefit in kind” issues associated with BYOD.
BYOD policies need to clearly articulate policies and procedures in case of employee loss of the device containing company data. What happens when an employee wants to sell his or her device? Or loses the device? Does the organization have the right to buy the device from the employee upon termination of employment? Does the company have the right to demand the device be provided to the company for data scrub before sale? How can you enforce a policy of wiping a device before it is sold or retired by a user?
It is important for the company to make sure that its BYOD policy anticipates the life cycle of the device. It should answer these questions clearly and should include appropriate provision for contingencies that might arise.
Policy synergy. Your company’s BYOD policy should integrate with other critical company policies. For example, a company cannot maintain different retention periods or retention and destruction practices on mobile devices. Other policies that must incorporate the BYOD policy include litigation-hold policies and procedures, information-security policies, acceptable Internet use policies, social-media policies, and harassment/discrimination policies. These policies together will establish standard-of-care and/or retention standards that are critical in litigation. Notifying and training employees on these policies is essential.
Training and employee buy-in. Without training of employees and obtaining express employee consent, your BYOD policy will not make it off the ground. Employees should be provided a copy of the policy, receive training on the policy, and sign express authorizations to allow for monitoring and/or remote wipe or disablement of their devices.
The BYOD policy must be clear, must be maintained in written form, and must be enforced.
Terms to Include in a BYOD Policy
A BYOD policy should include some or all of the following:
- definition of acceptable use, addressing the business purposes for which the device and data may be used, the technologies that may be used on the device, network access, and any other restrictions
- security measures that the organization will take to protect business and private data on the device
- when monitoring of the device can occur and the procedures that are in place for accessing an employee’s device
- informed employee consent allowing the employer to access, back up, audit, and monitor the device and the different types of data on the device
- the device- and data-loss policy, dealing with what happens if the device is lost or is compromised in some way, and the related obligations of the employee
- ownership of the device and the contract with the mobile-phone operator
- management of the device, data, and business software on the device upon termination of the employment relationship
Litigation Risks of Implementing BYOD
BYOD policies are intended to clarify ownership issues and protect both the company/employer and the employee. However, even the most artfully drafted, properly implemented policy still creates risk to the company.
Allowing employees to possess company data in any circumstance exposes that data to theft or misappropriation. Likewise, weaker security over a personal device increases the likelihood of accidental loss, theft, or hacking, and makes intentional theft by employees easier.
If a device is lost and/or hacked and data is compromised, failure to adhere to company minimum standards could give rise to an argument that the company did not adequately secure data. Any litigation on this basis may turn on the expectation of privacy when using company-issued devices. In Quon v. City of Ontario, decided by the U.S. Supreme Court in 2012, the issue presented was whether an employee had a reasonable expectation of privacy for private messages sent and received on a city-owned texting device while the employee was off duty and whether a search of that data was reasonable. The Court held that the policies in place governed the employee’s rights to the extent that those stated policies were enforced.
BYOD policies may complicate discovery in litigation, as companies may find it more difficult or expensive to separate personal data from company data during e-discovery. Surrendering personal data is a touchy subject, and it may be difficult in practice to image a mobile device without capturing some of the employee’s personal data along with company data. Clear policies can help reduce the likelihood of unnecessary exposure of personal data in discovery.
BYOD implementation complicates company incident response because it is harder to obtain physical access to a device, especially if the adverse party is the employee with the personal device. Remotely wiping a device is less complicated for a company-issued device than for a personal device.
Personal device use may also invite malicious payload invasions (i.e., viruses, worms, or malware) that may migrate into the corporate network and jeopardize company data, or may wipe out unique data stored only on a local device.
Ten Tips to Help Your Company Implement BYOD
1. Start with email. Enterprise email solutions that many companies already use include centralized management tools for mobile users, making email deployment the easiest to manage.
2. Review your current policies. Your current security policies for web applications will likely apply to mobile devices as well.
3. Pick a device. Determine what device or devices you will support, with an emphasis on the security features of those devices and the availability of tools for remote management.
4. Set clear expectations. Train and educate your employees on their rights and responsibilities.
6. Make a PIN or other device authentication mandatory, and make encryption mandatory.
7. Pick apps. Certain apps can facilitate a mass exodus of company information or can serve as a conduit for viruses and malware. Choose carefully what apps are and are not allowable.
8. Use mobile-device-management software. Commercial software packages can push information to devices, give the company central control over company data on those devices, and remotely wipe a device.
9. Address what happens when an employee leaves. Define what will happen when employees with devices on your BYOD platform leave the company. Consider how you will enforce the removal of access tokens, email access, data, and other proprietary applications and information.
10. Integrate your BYOD plan with your acceptable-use policy. Clearly explain in writing what is and is not acceptable use on the employee-owned device that will be holding company data. Discussions about an acceptable-use policy are required to protect company data and shield the company from liability. Remember that written, enforced policies will protect the company in litigation.
Take care when implementing policies to ensure that employees are properly trained and that their use complies with policies. BYOD policies require coordination between management, IT, legal, risk, and compliance to ensure that they comply with other regulatory obligations and data-protection and -retention policies already in place. If properly executed and implemented, BYOD policies can empower employees, protect employers, and save company time and money.
Keywords: litigation, corporate counsel, bring your own device, smart phone, tablet, laptop
Andrew Hinkes is an attorney at Berger Singerman in Fort Lauderdale, Florida.