BYOD in 2023: Regular Evaluation Can Help Reduce Risk
- Information governance
Is it time to revisit your organization’s Bring Your Own Device (BYOD) policies? The answer is subjective, but doing so can be beneficial as the workforce and its productivity behaviors change. A BYOD program allows employees to conduct business on their personal devices, which can save an organization money and foster flexibility. CBS News reported that most U.S. workers (67 percent) conduct business on their personal phones, including in organizations where no formal BYOD policy is in place.
Over the past few years, remote work has grown while technology has continued to advance, and there are more applications than ever for communicating and storing data. This creates cyber, privacy, and legal risks associated with conducting business on personal devices. Given this increased risk, it may be time to change gears.
BYOD Evaluation Checklist
If an organization currently has a BYOD program or is thinking about establishing one, consider assessing these five components:
- Business applications: Along with the popular business applications such as email, calendar, and Teams messaging, there are a variety of other apps available to conduct business. This is where organizations need to clarify what is acceptable under their BYOD policy to avoid security breaches. A 2022 survey by Helpnet reported that 57 percent of employer respondents were concerned about employees downloading unsafe apps or content.
Can employees connect directly to the company server? Are text messaging or cell calls allowed, or should all business communications be handled via Teams, email, or other approved communication apps? How can organizations enhance security for authorized apps and monitor compliance with the policy? These are a few key questions to address and reassess as new technologies enter the business sphere.
- Cyber controls: Security is the top priority in a BYOD program, which was confirmed by the same Helpnet survey, in which 63 percent of respondents reported data leakage as their top concern. Factors to consider include integration capabilities, unsupported or insecure networks, a lack of passwords or two-factor authentication on devices, malware, missed updates, and physical theft.
To reduce risk, the first place to start is a robust policy covering everything from accepted applications to data storage instructions. Employees need to receive copies of the policy and any subsequent updates, along with regular training on acceptable practices. Stronger authentication such as two-factor authentication, clearly articulated procedures for lost devices (including the ability to wipe data remotely), and solid IT support are all helpful controls for managing the security risks present in a BYOD environment.
- Regulatory applicability: The regulatory landscape is expanding, especially in the context of consumer privacy. This means that employees who handle personal data as part of their job need to be cognizant of this when using a personal device. Employers may consider banning certain functions involving sensitive information on personal devices or take extra measures to secure that data. Failure to do so could result in violation of applicable privacy laws and increased liability in the event of a data breach.
- Litigation exposure: When data lives outside company walls, it can still be discoverable. All communications and files, even on personal devices, are potentially discoverable if deemed relevant and unique. Employees need to be aware of the potential for a litigation hold. This is why it is extremely important to have clear boundaries around which applications are acceptable: failing to do so could result in collection of text messages or other apps where personal and business data are intertwined. Over-collection can also be expensive and defeat the cost-saving aspects of a BYOD program. Generally, collection from an enterprise-level chat application is performed at the server level, so personal device collection would not be necessary.
With the rise of personal device usage in the remote working era, courts have recently addressed the issue of who controls data stored on an employee’s device. Take the case of In re Pork Antitrust Litigation, No. 18-CV-1776 (JRT/HB), 2022 WL 972401 (D. Minn. Mar. 31, 2022) as an example. Here, the court found that employer control over text messages was lacking. The absence of clear ownership over texts in the BYOD policy meant that the employer could not demand access to those messages. This serves as notice that the wording of a BYOD policy is crucial and will guide potential disputes.
- Supervision: A BYOD program carries an inherent level of trust, as it can be more difficult to monitor compliance when employees are conducting business off-premises on their own devices. With the complexity and breadth of new digital applications entering the market, this may be enough risk for some organizations to decide that BYOD is no longer acceptable. However, many will likely still find that the benefits outweigh the risk, and those organizations will need to rethink how they supervise compliance. This can be tricky, as employers will want to avoid encroaching on the personal side of their employees’ devices, but requiring that business take place only in the cloud or over company applications is a good place to start. If conduct outside this policy occurs, it is important to have a check-in to realign expectations and avoid consequences.
When balancing business benefits against risk, it is difficult to predict what the future holds for BYOD programs. It is a safe bet that more organizations will start implementing formal policies and increase supervision. This will require individualized risk analysis and be dependent on the technology available and authorized. Information governance and data security challenges will continue to evolve. The courts will also play a key role in further addressing possession, custody, and control. Organizations need to remain cognizant of all these developments when determining whether BYOD is acceptable and what constraints to implement.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.