Business Law

BYOD Beware

Employees’ use of personal tech devices can be convenient and cost-effective. But there are risks employers need to mitigate.

From the June 2013 issue of Columbus CEO

If the results of a 2012 survey conducted by Fortinet hold true, the workplace trend of BYOD, or Bring Your Own Device, is here to stay.

The poll, conducted mid-year by the network security firm, questioned more than 3,800 employees in their 20s about BYOD and its impact on the workplace. Seventy-four percent of respondents said they already utilize their personal smartphones, tablets and the like for work, while 55 percent said they view BYOD as a right rather than a privilege.

With the ever-growing proliferation of mobile devices, employers are faced with the issue of whether to let employees access work email, servers and the like from personal equipment.

While the practice can be cost-effective (think of those hundreds of smartphones you won’t have to buy), there are risks to consider. What happens when a staff member loses a tablet full of email contacts and proprietary company spreadsheets or trade secrets? Or someone fails to secure their phone and it’s stolen, or hacked over a Wi-Fi hotspot?

A survey from Cisco estimates that global BYOD could save businesses $181.39 billion by 2017, up from $67.21 billion in 2011, thanks to reduced equipment and phone/data bills. According to the survey, nearly 90 percent of Americans already use their own devices at work.

To mitigate the risks, smart companies are working to respond, enacting policies that permit, prohibit or limit the use of outside tech devices for work-related matters.

Welcome to BYOD, one of the new buzzwords of the business landscape.

Risky Business

BYOD is a relatively new phenomenon propelled by the advent of the smartphone, says John Marsh, a litigation partner with Hahn Loeser & Parks. Many workers have grown weary of carrying a personal phone and a work phone at all times. “Employees seek the convenience of using one single device,” he says.

The fact that the “consumer world can buy technology quicker than they do in the corporate world” is also a driving force, says Doug Davidson, president and CEO of Jacadis, a Columbus-based information risk management company. Employees are using cutting-edge devices in their everyday life and don’t want to revert to clunkier, less-useful technologies at work, he says.

All these smartphones and tablets can render an ill-prepared employer vulnerable. Experts say there are several reasons businesses should be concerned about BYOD and the confidential information contained on personal devices. According to Davidson, most relate to the security of company data. For example, if an employee reads a work email on his iPad and then his child plays a game through an app loaded on the device, is that email vulnerable to detection?

Employers should require password protection on all tech devices, whether privately or company-owned, says Davidson. It’s equally important to consider who can access the device and where it is stored. To further complicate matters, some industries (such as financial services and health care) must adhere to federal regulations regarding the protection of private information and ensure client and patient data is safe from detection.

The Cisco survey revealed that more than 40 percent of smartphone owners do not password-protect their devices, although iPhone users are more likely to do so (66 percent) than their Android-using counterparts (54 percent).

Marsh warns employers to take heed. Potential security breaches are a matter of “balancing convenience with security.”

Issues to Consider

The first decision an employer must make is whether the company will allow staff members to use personal devices for work-related matters.

If executives decide in favor of BYOD, it’s imperative to “create a culture of security by managing employee expectations,” says Marsh.

Employment law attorney Bill Nolan, managing partner of the Columbus office of Barnes & Thornburg, says it is paramount for employees to understand that if their personal device is lost, the employer has a right to remotely erase its memory (hopefully that provision has been included in a BYOD policy). He advises employers to put that proviso in writing so workers can sign and acknowledge it. Locking down a device is another option, Nolan says. Employees need to know that in exchange for the convenience of using their own technology, they accept the potential risk of losing some personal information if the memory of their device has to be erased, he says.

If a company opts to permit BYOD, the next issue is to determine which devices the policy will apply to. How many and what types of devices can be used? Will the employer limit the number and types of apps the employee may download on personal devices? Will passwords be mandated?

Attorney Paul Unger, who chairs the steering committee of the Legal Technology Resource Center of the American Bar Association, says employers can visit www.lawtechnologytoday.org to access free resources and technology-related information. Unger says the site features 14 ethics opinions pertaining to BYOD as well as various rules governing the practice of law and the protection of proprietary information. He also is a managing partner of the Columbus office of Affinity Consulting Group, which advises law practices and corporate legal departments.

A Growing Concern

Whether the use of personal devices is good or bad for business can be a matter of perspective. Some employers believe they will save money if employees buy and use their own devices. But once security measures and related matters are implemented, the anticipated cost savings may not materialize.

On the flipside, when employees use their personal devices for work, they are utilizing a support tool that is familiar to them—and nearly omnipresent. A study by International Data Corp. reveals that 63 percent of smartphone owners have their phones with them nearly all of their waking hours. Moreover, 180 million people—almost half the American population—currently own a smartphone. By 2017, that number is projected to top 220 million. Employees’ convenience is a luxury that can be difficult for an employer to counteract.

Still, BYOD isn’t for everyone. “Some companies may revert back to wanting to control data by buying the technological devices [employees want],” Nolan says, in order to reduce the business’s exposure to lost or stolen data.

Despite the proliferation of tech devices in our work and personal lives, BYOD may not necessarily be an industry standard forever. “Because technology changes so quickly, it’s hard to say what the future will bring,” says Unger.

Tami Kamin Meyer is an attorney and freelance writer.