Bring Your Own Device – What should go in your Policy?

Bring your own device (“BYOD”) is a practice that allows employees to use personal mobile devices such as smartphones, tablets and laptops for business purposes. Many employers are delighted by the concept – employees are able to work longer hours because they can interact with the systems they need late at night and early in the morning rather than waiting until they are in the office. But employers should not be lulled into a false sense of security. There are legal and commercial risks that arise with BYOD and employers are advised to consider the issues carefully and implement a policy to manage these.

Here we look at the issues around data security and employee responsibilities and risks which need to be addressed in a BYOD policy.

Security

Wherever there are new access routes to data there are new security concerns – and BYOD is no exception to this. As well as concerns associated with the loss or leaking of commercially sensitive data, employers also have legal responsibilities around the security of certain data under the Data Protection Act 1998. The Information Commissioner’s Office has made it clear that these responsibilities apply “regardless of the ownership of the device used to carry out the processing”.

Research has shown that amongst those employers that have allowed BYOD, around 50% have experienced a security breach.

There are some key steps that employers can take to help control these risks:

• Employers should review their systems and take steps to minimise vulnerabilities before allowing the widespread use of personal devices. Once this has been done, devices should initially only be allowed on a trial basis, by reference only to a limited number of staff so that all of the various functions can be properly tested.
• Employers should also vet the types of devices that they allow their employees to use and employees should only be allowed to use devices that are secure. The Guardian recently reported that the UK Government has rejected new software designed by Canadian mobile firm BlackBerry as “not secure enough for essential work”. 
• Employers should ensure that devices have a strong password and that they lock automatically if an incorrect password is entered. It should also be a requirement that employees use encryption software to store personal data securely, and that any data transferring will only do so through an encrypted channel.

Employee Responsibilities and Risks

Employee responsibilities should be carefully addressed in a BYOD policy. Issues around misconduct, discrimination and confidentiality which may arise where there is improper use of an employer’s IT systems are usually already addressed in an employer’s IT Policy. However, a BYOD policy will need to consider further issues:

• It will need to be clear that any work data will remain the employer’s property.
• The policy should include a requirement that the employer’s data be deleted from a device if an employer either resigns or dismissed.

Of course it is one thing including these requirements but quite another trying to police them. One of the risks around BYOD is that it may be more difficult to detect or demonstrate that an employee has taken or misused commercially sensitive information. The BYOD policy should include a requirement for the employee to hand over any personal device that has been used to access the employer’s information as and when an employee resigns or is dismissed in order to allow the employer to check whether confidential information has been properly and permanently deleted.

Finally, it is worth bearing in mind that enforcing the BYOD policy will depend upon being able to demonstrate that the employee was aware of the policy and that they accepted the terms. By far the clearest way to do this will be will a clear signed statement from the employee to this affect. The easiest and most comprehensive way to ensure this is done may be to make signing an agreement a pre requisite to obtaining the necessary password and or access details.

If all of these issues can be worked through, BYOD will be one route to help both employers and employees in the steady march towards an increasingly flexible workplace.