Whether you’re aware of it or not, the odds indicate approximately 6 out of 10 of your employees store your company’s data on their personal laptop, smartphone or tablet, according to a 2013 Ovum survey. The ‘Bring Your Own Device’ (BYOD) culture has been consistently expanding, increasing employees’ work satisfaction and saving you money. The advantages have been well-documented; Intel research indicates BYOD saves an hour per day for each of its 23,500 employees, resulting in $700 million in savings. However, the downsides continue to challenge IT departments to protect their data from potential breaches and confusion regarding intellectual property rights.
Data Loss Guidelines
It may seem obvious that your company’s data, even when stored and transmitted on a personal device, is your property and not your employee’s. However, gray areas exist because the device also stores personal data, which can complicate your IT department’s domain over the entire hard drive in cases of loss. The laws in each nation are different. In Germany, for example, if a personal device used for business is lost, wiping the data remotely to prevent a corporate data breach is unlawful, a guideline that would reasonably deter BYOD for most businesses due to the high level of portable technology loss.
In 2011, $30 billion worth of mobile phones alone were lost in the UK, and according to technology company Symantec, 80 percent of the time, those who find one will attempt to access corporate data. In other nations it is allowable to install software that removes data if a device is lost or stolen, but your employees must agree to relinquish the rights to their own personal data in a technology contract in advance to ensure your legal rights are protected. Employing COPE (corporate owned, personally enabled) instead of BYOD is a solution in cases that do not allow remote data wipe. In these cases, your company would allow your employee to select a digital device for professional and personal use that you would purchase, and you would then own all of the content stored on the device.
The IT contract must also include a clause about the intellectual property rights to work that employees develop on their personal devices and that may overlap with their work for your company. For example, if they also operate as a freelance contractor outside normal business hours, how would your company handle their use of a personal computer or smartphone for developing the work? If all of the work they create during the employment term is your company’s property, they need to be aware that the data on the device could be reviewed at any time and that they could potentially be terminated if it violates these policies.
Your potential security risk is high when employees use personal devices for work without your knowledge, because they could lose the device and not inform you, allowing access to important documents that may compromise your legal protection with corporate espionage. Requiring them to log on to your network to access company information and restricting cloud and other storage methods that could transmit files outside of the network is a common method for preventing a data breach. Designing the BYOD registration process so it addresses personal data concerns with user-friendly training and transparent language may also help deter unreported personal device use if you do not have a company network.
Forty percent of adults younger than 35 years old admit to sexting, or texting with sexually explicit language. This activity is company data, even if executed using BYOD. The potential legal ramifications of illegal or potentially illegal activity should be defined in the IT contract, such as how employees’ behavior can be monitored with software or an audit. If the security technology, legal language and training reasonably address this issue, you can significantly reduce your legal liability, according to inc.com.
Continue to anticipate and monitor BYOD developments. Train employees and update IT contracts to reflect the changes. Mobile device management systems such as BlackBerry MDM have evolved to allow an employee to operate personal and professional devices together with fewer risks to the company. Keeping on top of these developments is key.
A few takeaway items to ensure your business content and legal rights are protected in a BYOD work environment:
- Design a clear, transparent and compulsory BYOD registration and training process that includes network-only access and data wipe.
- Ensure the policies inform employees that your company can view or access all information on their portable digital device, particularly in cases of security, a legal investigation, an audit or litigation. Describe the risk to their personal data in these cases.
- Use sandboxing technology that separates business and personal data as an additional measure to protect your company from potentially violating any government guidelines on unreasonable search.
The author, Jonathan Powers, previously worked in business operations for an engineering firm. He has now switched his focus to working with enterprise mobile technologies.