BYOD Creates New Legal Challenges

By | May 18, 2012

So, you've decided on a new mobile device policy which allows employees to use their own devices at work. "Bring your own device" (BYOD) policies have quickly gained popularity in many organizations.

Business and technical executives buy into the allure of happier and more productive employees, a newer and more attractive fleet of devices, and potentially lower corporate costs. But there can be unforeseen risks and controversy that result from BYOD policies implemented without careful consideration.

A story in CIO reveals some of the unintended consequences of corporate BYOD policies: lawsuits.

CIO interviewed Ben Tomhave about policies that allow personal devices at work. Tomhave, a governance, risk, and compliance consultant, has an unusual perspective, as he sits on the American Bar Association's (ABA) SciTech Information Security Committee.

Tomhave used a provocative example to illustrate the magnitude and difficulty of the problems created by these policies:

Corporate data needs to be analyzed on an employee's personal iPad that is used at work. The company's IT forensics team finds pornography on the device unrelated to the job.

Was permission given to conduct e-discovery on personal data? Is the team obligated to call law enforcement, and if so, would such findings be admissible in court? Were the employee's privacy rights violated? Was the BYOD policy thorough enough to cover such scenarios?

Personal devices at work create risks that affect both employer and employee. Abuses in and from personal use policies can occur through infractions by either side, whether intentional or unintentional.

BYOD Considerations for IT Executives

The trend of bringing personal devices to work is growing, and it is growing quickly. Personal technology can be positive and perceived as an attractive business benefit, which is increasingly supported by both employee and employer.

As indicated by the example above, however, there can be privacy challenges and conflicts. But despite uncertainties and potential risks, good policies can provide desired levels of productivity, convenience, style, and protection for employees and employers alike.

Your legal team, whether internal or external, should be included in the drafting, approval, and change management of most corporate policies. That certainly includes policies which govern the business use of personal devices.

If your organization does not have a personal use policy in force, it is strongly advised that you consult with your legal team and consider developing one. Surveys indicated that employees are using their devices for access to your network without knowledge and approval, and that can cause legal, technical, and security problems if not addressed correctly and thoughtfully.

Employees should be included in the dialog. If a personal use policy is supported by IT executives, having employee buy-in and awareness can help encourage more use.

A well-conceived, clearly defined set of expectations and rules can help create policies that fulfill the promise of personally owned devices, build trust, and simultaneously manage the risk.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
