Bring Your Own Challenges
From reliable surveys and less dependable anecdotes in most major markets, including the UK and the US, opinions point to the almost inevitable expansion of BYOD – Bring Your Own Device – as a cost-saving model for employers. Mobile device providers assure company decision-makers that direct savings will flow by avoiding the cost of purchasing handsets and absorbing service plan fees.
Finance managers concur that the proposed numbers look good, sometimes without a full appreciation of what different or additional internal costs might exist. And employees simply want to be able to pick their own device and avoid the hassle of two.
However, what providers often do not explain is that a company’s election to adopt BYOD for mobile phones and tablets (as an example) brings along a myriad of complex issues ranging from information security and regulatory compliance to employee data protection concerns. This article will briefly survey risks from US and UK perspectives and will conclude with guidance that should assist organisations on both sides of the Atlantic.
A US perspective
The first category of challenges presented to the IT team may be described as control: control over various operating systems, control over varying levels of configuration, control over device security, and control over transmissions outside the firewall. The most basic aspect of the control problem is that while Apple's iOS is consistent across Apple hardware, the Android operating system is typically modified to suit the needs of the diverse hardware and the preferences of the OEM.
Administering control over such a varied environment is vastly more complicated, and thus expensive (even if “only” internal costs).
This control challenge is exacerbated because individuals are accustomed to installing whichever apps they wish and using the cloud backup service they like. These necessarily evolve into BYOA (as in apps) and BYOC (Bring Your Own Cloud). Contrary to company-issued devices, such as laptops, that the IT team can lock down with administrative privileges, the BYOD ecosystem is a relatively open one, with new, unknown and hence untrusted apps being installed. BYOC and peer-to-peer apps mean that uncontrolled company data and files can end up being stored outside the organisation’s firewall.
The next category raises the spectre of company data handling no longer being in compliance with applicable regulations. In the US, as elsewhere, companies in certain industry sectors face particular compliance requirements. Life Sciences firms must maintain electronic files in accordance with strict GxP (Good Clinical Practices, Good Manufacturing, and so on). Health providers and financial service firms must comply with their own set of security and privacy (data protection) regimes. But given the diverse hardware and operating system ecosystem that IT must manage simply for handheld devices, securing basic information let alone regulated data is more difficult than with a narrower set of company-dictated devices. And beyond the desire to protect company data, security events involving regulated data typically involve external costs in the form of legal fees, advisor costs, and fines.
The third grouping of issues relates to the privacy of the employee’s personal data and the extent of autonomy over what each individual, not incorrectly, views as “my device.” “My device” means I can BYOA and BYOC, and fully control who can access what information on it. However, this employee presumption of ownership (correct) and full control (not so much) can lead to conflict when files must be pulled from the device in the litigation discovery context or when the device has been lost and company policy requires a remote wiping of all data.
A UK perspective
While the core challenges of BYOD remain the same on both sides of the Atlantic, there are differences in applicable rules (and thus subtle differences in the risk profile).
Picking just one issue as an example, one of the paramount issues in the UK (indeed within the EU more broadly) involves the processing of personal data. Organisations in the UK, regardless of industry, sector or size, must ensure compliance with the Data Protection Act 1998 (DPA), which imposes often onerous obligations on data controllers to process their data fairly and transparently for specified purposes and to take all appropriate security measures to prevent unauthorised or unlawful processing, accidental loss of, or destruction or damage to personal data – with failure to adequately protect personal data attracting fines of up to £500,000.
This means the legal responsibility for protecting personal information lies with the company, rather than the individual owner of the device used to carry out such processing. In the context of BYOD, the practical challenge is to adopt a risk-based approach to the protection of personal data, which ensures a robust ICT security infrastructure is in place, without impeding the employee’s use of their device. In relation to BYOC, organisations need to be mindful of the prohibition on transferring personal data outside of the European Economic Area (EEA) without additional safeguards.
Furthermore, the lines become increasingly blurred when trying to differentiate between the employee’s own data and that of the organisation stored on the device. The issue of privacy in the UK directly stems from increased regulation in respect of data protection and an individual’s right to access their personal data. Obtaining access to and control of the device in order to fulfil the organisation’s obligations under the DPA, while also protecting the employee’s right of privacy, can no doubt be a complicated and sensitive issue when not dealing with company-issued devices. There is a difficult balance to strike, as careless deletion of employee personal data or accessing the device without proper authorisation might be in contravention of specific regulations such as the DPA, the Computer Misuse Act 1990 or employment practices codes, and is thus decidedly costly from an internal business perspective.
Use is another complex factor to monitor and control in the world of BYOD. While organisations can implement rigorous policies covering acceptable use of the device, it is very difficult to govern such use in a non-working environment. The growing use of technology and the proliferation of available devices have improved flexible working and supported business continuity, merging personal life and the workplace. Though there are obvious benefits to this, organisations must be cognisant of the security risks attached to the everyday, non-working use of devices that contain company data.
In order to profit from the benefits of BYOD, it is clear organisations must implement an effective and coherent BYOD policy which is able to bring the business together, by safeguarding internal concerns and obligations, without being so restrictive that employees end up being frustrated and disengaged.
The issues confronting firms around the globe are largely similar to those discussed above. The key for management is to determine in advance of a BYOD program how the company wishes to mitigate the risks that it identifies.
The key elements of a BYOD program will include the following:
Scope of Participation. Depending on the nature of the data handled by the organisation, it may not make sense for all employees to be able to participate in the program. For example, those employees with access to particularly sensitive data or regulated data may be required to use a company-controlled device for company communications. Depending on the employment laws of each country, it may be easier or more difficult to mark these delineations. And often some of those employees pushing the hardest to select and use their own devices are within senior management.
Range of Devices. Because of the multiplicity of hardware and OS combinations (especially on Android platforms), it can often make sense to designate particular products as supported and to exclude others. While this, like narrowing the scope of participation, may result in some grumbling, the resulting reduction in complexity for support and security purposes can save on the IT learning curve and operational costs.
Consent to Employer Access. This marks a particular challenge across jurisdictions, as many national data protection rules discount the validity of consent from an employee, arguing that consent cannot truly be provided freely. In the US, the consent hurdle is more easily overcome but remains important, given that when the company owns neither the device nor the account through which service is provided it is significantly more difficult to obtain access to the device for discovery purposes.
Security Rules. Essential to any BYOD program, regardless of other choices, is the inclusion of security requirements. Several mobile device management (MDM) tools exist. These facilitate the security of certain user profiles on the device, create a “locker” of sorts for the secure storage of work-related data and files, handle encryption keys between the device and the company’s network, enhance the strength of user passwords on the device, and enable remote wiping of either the work-related files or the entire device in the event of loss.
Departing Employees. For the time when a BYOD-participating employee leaves the company, regardless of circumstances, it is important for the organisation to have a process or exit interview that includes removal of company data from the device. While work files such as email attachments will be more easily separated, distinguishing between company contacts and the employee’s contacts can be difficult, especially when the employee was responsible for developing and maintaining external relationships on behalf of the firm.
Compensation. Finally, companies will typically reimburse employees in a BYOD program in some manner, often through a monthly supplement to offset the cost of the wireless service plan. The amount of reimbursement, whether it is available to all BYOD participants, and whether local employment or data protection law implications arise from the reimbursement are all considerations.
This article was first published in Outsource #37 (Autumn 2014)
About the Authors
Peter McLaughlin advises DLA Piper’s US and international clients on their handling of personal information, with particular emphasis on international data transfers and the privacy and security of health data.
Callum Sinclair is a Partner at DLA Piper and has a broad range of experience in technology and strategic sourcing matters, intellectual property, and commercial contract work. His clients include central and local government buyers, international banks and blue chip ICT suppliers.