We all use the proliferation of mobile devices available to us in our daily lives as well as in our legal practices. Given clients’ evolving expectations concerning instant access to our legal services, 24/7 communications and remote meetings, lawyers and their employees use mobile devices and other technology every day, whether it be in the office or while working offsite. We frequently edit documents, provide direction and instruction to our staff and engage in client communications when out of our offices during and outside of regular business hours.
In addition to concerns about overtime claims from employees answering messages outside of regular working hours, this practice has sparked the BYOD (Bring Your Own Device) phenomena commonly referred to as "IT consumerization". IT consumerization is the blending of personal and business use of tech devices and applications.
With IT consumerization comes the need for lawyers, as corporate employers, to implement comprehensive BYOD programs to balance organizational needs, professional obligations as well as employer and employee preferences. BYOD programs cannot be ignored, given that our mobile employees are not likely to draw a line between corporate and personal technology without one, potentially exposing employers to a plethora of challenges around protection of corporate networks, systems and data - including the security of client documents and information. Often an employer is not even aware of the technology being used to access its systems, as employees expect to be able to use their preferred technology at the office whether it be a matter of convenience, efficiency or preference. As a result, control is being lost on what technology employees use to perform their duties and responsibilities and where. This is where a BYOD program comes in.
Under BYOD programs, employees are permitted to use the same devices for personal and office use. BYOD programs are obviously only of use where employees utilize electronic devices and require access to organizational networks and emails in order to be productive. The assumed driving force behind such programs is the new self-sufficient employee base who already own and use their own personal mobile devices that are assumed newer and more advanced than organizationally deployed mobile devices or other technology devices.
BYOD programs can be broken down into three categories:
- Employer-allowed usage of employee owned mobile devices;
- Employer-owned mobile devices, with or without liability, whole or partial, for the monthly service costs of employee use; and
- A hybrid approach.
In each category, the implementation of the BYOD program and permitted uses of the mobility devices will differ slightly. Corporate ownership of mobile devices provides better control for employers that need to protect important intellectual property (IP) and confidential information from loss or leakage. Additionally, if the organization is providing the mobile device, it probably will block installations of things that are distracting or unproductive (such as Candy Crush or Facebook) where they could not do so if the mobility device belonged to the employee.
BYOD Advantages
The connectivity of BYOD programs provides many advantages to organizations and employees given that employees are provided with the opportunity to essentially do more work, when, how and where they want to. Having a BYOD program also serves as a selling or recruiting point.
The advantages include greater innovation and use of more cutting edge technology (as employees generally update hardware more often than corporations), better work-life balance due to flexible work hours and work locations, better user experiences (e.g., Mac users can avoid using PCs and vice versa), increased productivity (employees are often faster and happier using their own technology), increased effectiveness and ultimately, higher employee morale and job satisfaction. The flexibility provided by a BYOD program to work from anywhere and to restart one's work day outside the office, permits easy and efficient accommodation of employee needs.
BYOD programs can also be advantageous in that they have the potential to realize the following reduced costs:
- Employer-allowed usage of employee owned mobile devices: for the organization in reduced operational and hardware costs (for secondary devices) in that employees are using their own personal mobile devices, which are assumed to already exist, to access the organization's resources; or
- Employer-owned mobile devices: for the employee as the organization buys the mobile devices, configures it and provides with the office VPN for Internet access and pays for monthly services (Internet and data).
BYOD Disadvantages
To the Employer:
On the flip side BYOD increases pressure on organization’s IT departments to manage and secure devices, networks and data - particularly on employees' personal devices. If an organization's BYOD program is not fully understood and regulated, it could threaten IT security and put sensitive systems and data at risk.
Security
Large legal and competitive advantage risks for an organization in implementing BYOD programs arise out of the fact that the organization is permitting employee users to hold corporate data on personal smartphones, tablets and other devices, which could lead to a myriad of confidentiality and IP issues. Corporate data could be compromised, whether intentionally or not, where employees have not strictly adhered to the organization's BYOD program's security measures. For example, software, IP, confidential and/or proprietary information could be:
- Lost or stolen through inadvertence where: (a) the employee failed to take proper precautions or a child uses a parent's iPad that the parent uses professionally and personally; or (b) the mobility device is hacked because limited password protections were put in place or an unsecured network is used to access organization data; or
- Copied and used by an employee or former employee for improper purposes.
There are also legal obligations tied to client intellectual property, personal medical and other confidential or proprietary information that an employee may be required to store on their personal device. The organization is ultimately liable for the protection of such personal, confidential and/or proprietary information. Failure by an organization to ensure adequate protection of such information - and employee adherence to protective measures - may result in civil suits and liability for damage awards arising out of the disclosure and/or use of such information together with the breach of professional and/or organizational confidentiality obligations. Added to the same will be the associated damage to the organization's reputation, which will result in losses in confidence of clients as well as employees, business and profits.
Privacy
In addition, there are employee privacy concerns. In monitoring, logging and tracking usage to ensure compliance, is the BYOD program limiting the IT department’s efforts? What expectations of privacy should employees have, and have those expectations been adequately addressed in the BYOD program? These important parameters must be established by employers.
Maintenance
Managing BYOD programs requires technology and people to identify when employees fail to adhere to the program. BYOD programs can result in runaway IT department service and help desk hours and associated costs as well as runaway service charges that employees expense back to their employers.
As a starting point, all employers participating in a BYOD program need an efficient enrolment and inventory management system that keeps track of which devices employees are using, where the device is located, whether it is being used, and what software and apps it is equipped with. Thereafter, the chosen manner of monitoring can begin.
To Employees
On the employee side, the following are potential disadvantages for employers to consider when developing their BYOD programs:
- The costs involved with the employee buying the equipment and paying for both personal and business Internet and data usage. Is there a fair or unfair distribution of costs?
- Restrictions that an organization may place under the BYOD policy on the device (i.e., "no" to games and certain websites) and other negative user experiences;
- Reduced employee privacy. For example, if an employee uses Facebook or Twitter – whether personally, professionally or both – the employer will acquire access to the employee's login credentials. Additionally, employees may be concerned that their employers could have the ability to record or log employee actions on the device on their own time that may give out personal information they won’t want to share with their employer. For example, religious or political affiliations; and
- Program functionality challenges and associated lost productivity. This could arise from such items as technical difficulties or runaway expenses.
If these potential disadvantages to employees are not properly addressed by organizations in their BYOD program, implementation will likely not be successful.
Minimizing the Risks
The successful implementation of a BYOD program requires the balancing of the needs and strategic objectives of the organization to keep company data secure against maintaining employee privacy and satisfaction in the overall context of an organization's corporate culture. To minimize the risks and maximize the benefits, it is recommended that organizations:
- Look at each employee’s job individually: some rarely or never deal with sensitive information; others primarily deal with sensitive information or have access to confidential and proprietary information. Do you need user groups based on role, function, division, geographic location or other factors?
- Establish security measures. What security measure are in place if employees' mobility devices are lost, stolen or compromised? What limits are placed on devices, apps, access and content? Consider what apps interaction will be restricted. Consider specifying which devices (e.g., laptops, mobile phones, tablets or wearable devices and whether limited in scope to primary device or to a secondary device) and apps (and which versions) employees can and can’t use to access the organization's network. Create policies to address:
- What types of information or content can and can’t be held on personal devices (the "what"), as well as what the consequences are if inappropriate information is discovered. Will there be containerization to separate corporate (regulated) from personal information on each device?
- Where and when an employee can access the organization's network and any limits on what data and/or a limit on the number of apps employees may access;
- What types of user privacy will be provided. Specifically consider : (i) whether there will be limits per user on the number of devices allowed; (ii) what security measures must be adhered to - such as passcode requirements and restrictions; (iii) what data and activities will be monitored – that is what exactly can be seen or monitored ; (iv) what device functions will be controlled by the organization's IT and what admin controls will the organization's IT have over enrolled devices; and (v) who in the organization can assist with employees' privacy questions or concerns? and
- Compliance and remediation. Consider what compliance rules will be necessary, how to address noncompliance and what measures to put in place to permit employees to remedy their own basic compliance violations where less severe; and Obtain legal advice. Get experienced and knowledgeable counsel involved in the planning and roll out of your BYOD program in order to address and reduce exposure to legal issues.
Having a BYOD program is not enough. Given the ever-increasing demands of clients and the constant evolution of technology, employers need to continually review and update their BYOD program and monitor it to ensure it is efficient and effective in meeting the challenges involved in balancing organizational needs, professional obligations and employer and employee preferences.
About the author
Sheryl L. Johnson is an associate in the labour and employment law practice at Fogler, Rubinoff LLP.