The Legalities of BYOD

By Punam Tiwari
In-house lawyers everywhere are increasingly being asked to revise Bring Your Own Device (“BYOD”) policies. The concept has been around for a number of years, but it has recently gained ground within corporates thanks to the popularity of tablet devices and the consequent increase in disputes arising from blurred personal and corporate lines.
 
For many businesses, allowing BYOD has many benefits, including reduced spend on IT hardware, increased productivity and greater employee engagement. However, these short-term gains could turn into losses if the devices are used for business but their use is not regulated.

For all of the benefits of BYOD, some questions hang over its usefulness in the corporate world. Those questions are not limited to who actually owns the hardware and the content, although they are among the most pertinent. In-house lawyers should question who is responsible for the safety, security and continued operation of personally owned devices, and then also question the extent to which the corporate should, and is indeed allowed to, take control of the device and its contents, either in anticipation of, or in response to, a perceived threat.

Given that fines and penalties are being levied more regularly, it is important to be able to access all relevant business information in a timely manner. Should a claim be brought against a corporate, it is essential that the parties to the claim can produce good-quality evidence, and that evidence may lie on an individual’s own device.
 
Investigations such as these rely less on corporate emails and more on newer types of communication, which are at the very heart of the BYOD issue. If a company under investigation has not addressed the question of its own rights of access to information, it could waste time arguing with its employees to see whether their devices hold valuable information.

Moreover, where material evidence cannot be obtained because of an ownership problem, the failure to produce it may invite the court to draw adverse inferences.
 
If an employer does not have the employee’s consent to access the data on his or her device, the employer could risk criminal liability: section 1 of the UK’s Computer Misuse Act 1990 makes unauthorised access to computer material an offence. Consent recorded in a signed BYOD agreement, obtained before access is ever needed, is the practical way of showing that the employer’s access was authorised.

In litigation, parties completing their reasonable searches for disclosure may be required to complete and exchange an electronic documents questionnaire (the form introduced by Practice Direction 31B of the Civil Procedure Rules). This form requires the parties to declare the types of documents, systems and devices in use during the date range covered by the proceedings that may be relevant to the matters pleaded, and whether or not they intend to search them. Being unable to search a device because it is outside the possession, custody and control of the disclosing party (i.e., the corporate) may give rise to applications for third-party disclosure, which can put either party at a tactical disadvantage. For this reason, there needs to be an agreed plan for the retention or deletion of the information stored on devices when people leave a company.

My concerns may seem to suggest that I am against the concept of BYOD. I am not. Increased competition in the marketplace and the rise of flexible working have made BYOD schemes a business need for corporates. Provided that corporates are careful about how such schemes are implemented and policed, they will work. IT managers should work closely with their legal and HR departments to ensure that all of the bases are covered. The following are some of the issues that IT managers should consider:
 
  • Device discrimination: As desirable as certain new devices may appear to be, if they are too new to have been evaluated, or are known to have vulnerabilities that pose a threat to security, their use should be vetoed.
  • Take responsibility for maintenance: The purpose behind BYOD is to enable employees to use the most desirable devices at work, which means a higher risk of theft of the device and its contents. Employees are unlikely to want to bear the responsibility for the loss of sensitive company information, so a good trade-off is for the business to take responsibility for maintaining the device and synchronising it with other business systems, so that business information is also held in corporate systems (say, Salesforce) rather than only on the device, in return for the employee keeping the device secured to the required standard.
  • Joint ownership: At the risk of creating another acronym, businesses could contribute to the purchase of the device, thereby acquiring a stake in it, which may entitle the business to keep the device on termination of the employee’s contract, or to require the employee to pay the balance.
  • Set boundaries: There is always a tension between the needs of the business and the rights of the individual. At the very least, businesses must issue guidance to employees on how business information should be stored on a personal device and be clear about the rights of access the business expects. This can be laid out in the corporate’s staff handbook.
  • Respect privacy: Companies should not assume that they are permitted by law to access or monitor the content of personal communications. Employees have a right to personal privacy and to the protection of data protection law, and the accompanying guidance warns against unnecessary and intrusive monitoring in the workplace. Best practice is to obtain the employee’s explicit consent to access company data on the device in advance, so that it is already in place when access is most needed. In the past, companies sought to regulate the boundaries of authorised personal use of company equipment. Now, as the lines between personal and business use blur even further, they need to extend those rules to the use of personal devices for business purposes, and set out clearly when such devices may be used and when the company may access its data stored on them.
  • Review contracts: Restrictive covenants, IP and confidentiality clauses in contracts of employment will all need to be tightened up to make ownership of information clear.
  • Register the asset: Requiring employees to declare their use of certain devices and applications is an extension of good information governance. Provided that the asset register is updated regularly, it can help legal departments dealing with a claim against the company to locate essential evidence quickly.
 
In certain sectors, the ability to use personal devices is driving business agility, flexibility for employees and innovation as companies start embracing this change. Along with technology and innovation, however, comes potential liability that businesses cannot afford to ignore. Companies should do more to address the risks flowing from the use of new devices and modes of communication through the implementation of acceptable use policies and security mechanisms.
 
New devices and new applications are being developed every day. It is likely that the devices and applications we admire the most now will be overshadowed by the technology available in five years’ time. To some degree we have already seen a change in the way that businesses assert their own intellectual property rights. For example, in Hays v Ions (2008), a case in the UK High Court, the defendant was ordered to disclose all of his LinkedIn contacts, plus invitations to connect and responses, in a dispute with his former employer. BYOD and social networking are going to be key frontiers for employers, regulators and litigators to explore, so now is the time to prepare and work together. 

Punam Tiwari is IRM’s Legal Counsel. She is an eight-year qualified lawyer and focuses primarily on commercial practice areas. Having worked previously in private practice, Tiwari now specializes in technology and commercial law, and helps many of IRM’s clients manage their risks from a legal standpoint by presenting interactive seminars, running an ‘Information Security and the Law’ training course and reviewing key information security contracts.
