It's 2013. Do You Know Where Your BYOD Policies Are?

Posted by David C. Johnson and Joshua Konvisser

Imagine you grab your phone only to find it locked, with all of your applications, pictures, and contacts permanently deleted. Imagine your employer's IT department remote-wiped your phone because they mistakenly believed it was stolen. Better yet, imagine your Angry-Birds-obsessed child triggered an auto-wipe with too many failed password attempts (don't laugh - it's based on a true story!). Can your employer really do this to your phone?

Imagine instead that you are the CIO responsible for protecting sensitive corporate and third party information. How can you ensure information security when your employees carry sensitive data in their pocket everywhere they go, and let their friends and family play with these devices?

The use of user-selected personal mobile devices for work (often called "Bring Your Own Device" or "BYOD") is undoubtedly delivering benefits for employers and employees alike. Yet, competing employee-employer interests and related risks must not be ignored. Remarkably, only 20.1% of companies surveyed globally have implemented signed BYOD policies according to a recent study (Ovum Research Shows U.S. Ahead of Other Countries in Asking Employees to Sign BYOD Agreements). This three-part series will outline competing interests and risks, and will suggest that the best way to manage these risks is through the drafting and enforcement of proper BYOD policies.

This Part 1 will consider employee interests related to BYOD; Part 2 will focus on the employer's perspective; and Part 3 will present some developing BYOD trends based on recent reports, and suggest some best practices for drafting and implementing a BYOD policy.

BYOD is the New Normal
BYOD is here to stay. Using personal mobile devices at work has become so common that BYOD can no longer be treated as a mere trend. In fact, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. As one recent article put it, IT departments have "learned to stop worrying and start loving user experience." This comes as welcome news to many employees, who no longer have to juggle two cell phones. Droidheads and Macheads alike can work and play on their phone of choice. BYOD also allows employees to be productive and available without being tied to a desk.

Employee Concerns: Privacy and Control
In exchange for the user-experience benefits mentioned above, employees typically have to give up some level of control and privacy. To maintain information security, employers may require access to and control over an employee's device (the subject of Part 2). These security controls push up against the privacy concerns of employees. Employees reasonably expect a certain level of privacy, especially when it comes to their personal property and private information. When corporate information is stored alongside private information on a private device, these corporate-personal divisions become murky. An employee could reasonably ask the following questions: What personal information can and will be accessed by the employer? Under what circumstances will an employer obtain such access? What private information could be saved and disseminated by the employer (e.g., through automatic backups)? In what situations would the employee be asked or forced to surrender the device (discovery, external or internal investigations, security maintenance, etc.)? If a device is surrendered, how would private information be protected? Is the employer able to use GPS and other location-based data to track the employee's location? Employers must determine the answers to these questions, formalize the approach in a policy, and communicate this information to employees.

In addition to privacy concerns, employees should consider the preservation of personal content (mobile apps, pictures, contacts, etc.) on a personal device, especially when employers have the ability to remotely wipe a device. At a minimum, if employees are given notice that their device could be remotely wiped at some point in the future, they could mitigate the risk by backing up their content frequently. A more employee-friendly option would be to require advance notice or even employee consent before a remote wipe is performed. Under some implementations, available technology also allows companies to restrict remote locks and deletions to corporate applications only, leaving personal content intact.

Corporate BYOD policies must take employee control and security interests into account. A policy should not be patently unfair to employees, and employers should provide clear notice and obtain employee consent before implementing BYOD policies that impact an employee's privacy.