Case In Point
BYOD Policy – Charting A Good Path To Higher Ground
Date: January 16, 2013
The desire to use personal mobile devices to undertake work has risen like the incoming tide. Employers must make a choice: turn the tide on the use of personal devices by re-enforcing an outright ban or chart a thoughtful path to higher “Bring Your Own Device” or “BYOD” ground. Employers that do neither will sink into the mire of unreasonable IT security risk.
This FTR Now discusses the pros and cons of adopting policy that allows employees to use a personal mobile device for work and the aims of proper BYOD policy.
PERSONAL DEVICE BANS CONFLICT WITH EMPLOYEE DESIRE
Bans on the use of personal devices have played an important role in IT security. An employer can utilize every reasonable technical measure available to secure its information, but if employees work in a manner that puts business data outside of a secure system all security efforts are rendered useless. This is why work on personal devices has traditionally been banned outright. Simple.
Though glorious in their simplicity, personal device bans have come under significant pressure. IT departments across Canada have been facing rising demand for alternative mobile services for several years. Employees want to carry one phone with state-of-the-art consumer features and popular consumer applications. Whether IT cost savings also justify the adoption of personal device use is questionable: employee desire seems to be the driving force.
Can personal device bans be enforced in spite of rising employee desire?
Some employers may be able to sustain a ban on the use of personal devices for work. Have employees already adopted the practice of carrying two mobile devices – one for work and another for personal use? This sign of security-sensitivity may suggest that that re-enforcing a ban is a reasonable option.
Or, does the concept of two-phone use seem unrealistic? Are there regular signs of non-compliance with an existing personal device ban? If so, re-enforcing a ban may be problematic. Employers should not let IT security rest too heavily on a rule that they can reasonably foresee will be broken. Enter BYOD.
THE ELEMENTS OF BYOD POLICY
BYOD involves the use of employer-controlled technology and employer-made directives to enable and govern the use of personal devices for work.
Technology can be used to give employers a measure of control over personal devices by:
- gathering data from devices about the use software and the configuration of security settings;
- controlling the configuration of security settings;
- scanning and filtering data between devices and the internet to deal with malware and other security threats to business data;
- synchronizing business data so a copy is retained on a company server; and
- remotely deleting all or part of the data stored on a device when confronted with a lost or stolen device.
Technology that invites employer control also invites a sacrifice of employee control and privacy. Employers should therefore help employees understand the nature of the technology to be employed on their personal devices and how it will be used. Conflicts about the remote deletion of data on a lost device, for example, are easy to anticipate. Employees who want time to wait for a lost device to be recovered may come into conflict with employers who do not want to bear any risk of unauthorized access. Employers should use policy to clearly spell out the full extent of their discretion to delete so employees’ acceptance of the discretion is clear and well-informed.
Although BYOD technology may be somewhat intrusive, it will rarely be sufficient to address all risks associated with the use of personal devices for work. Employers also need to create BYOD directives.
The directives that are appropriate will vary based on the risks that are not adequately addressed by the use of employer-controlled technology. Here are some common BYOD directives:
- “Keep your security settings configured to our standard and keep your operating system updated to the newest version within one month of a new operating system release.”
- “Use only approved applications for conducting work.” (This is a critical rule for maintaining control over business data because the applications used to conduct work will generally determine where data resides.)
- “Don’t ‘jailbreak’ your Apple device.” (Jailbreaking is a means of circumventing the limitations on an Apple device that prevent the installation of software from a potentially untrustworthy source other than Apple.)
- “Don’t lend your device to anybody, including your family members.” (This rule is a reasonable rule in the absence of security features that prevent “guests” from gaining unauthorized access to business data.)
Finally, employers must address their interest in having access to business data. Employers must understand what business data created on personal devices will reside exclusively on personal devices. For what purposes is access to such data likely to be required? What are the risks and consequences of failing to obtain access? What is a reasonable process for obtaining access to this data given it will be stored on a personal device? Employers should address these questions and deal appropriately with the risks in their BYOD policies.
Employers’ path to “BYOD higher ground” is not always clear. Adopting BYOD is challenging and will entail the acceptance of some risk. In general, employers who adopt BYOD sacrifice the strong technical control associated with owning employee devices and rely more heavily on directives and (to a good degree) employee trust.
Employers should not abandon personal device bans too quickly and without good consideration of the relative risks, but many will opt for BYOD. For those who do, picking the right path to higher ground requires the development of BYOD policy that supports transparency about the use of technical security measures and that carefully addresses the remaining risks in a reasonable manner based on clear and well-understood directives.
Dan Michaluk is chair of Hicks Morley’s information and privacy practice group. Dan regularly advises employers on the legal aspects of information technology policy and regularly represents employers in cases about technology misuse. In 2012, Dan and Joseph Cohen-Lyons appeared for the Canadian Association of Counsel to Employers at the Supreme Court of Canada in R v Cole, a significant case on employee privacy and work computer systems.
The articles in this Client Update provide general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©