The Legal Side of BYOD
Enterprise Connect Orlando 2014 examined what a BYOD policy should include, and what the pitfalls are in rolling it out.
Enterprise Connect Orlando 2014 has just wrapped up, and once again the topic of bring your own device (BYOD) programs was high on the agenda. We were lucky enough to have MDM vendor AirWatch (now a VMware company) and Samsung Telecommunications as sponsors. Samsung is touting its KNOX mobile security program, which provides a secure boot function as well as a secure container on its Android devices. AirWatch is one of the MDM vendors that supports KNOX, so I got to hear both sides on that.
One of the more interesting sessions in which I participated was "Assessing the Legal Issues Around BYOD," which was moderated by telecom attorney Martha Buyer, and also featured Jim Brashear, General Counsel for secure email provider Zix Corporation. Besides his work at Zix, Mr. Brashear is Co-Chair for two subcommittees of the Association of Corporate Counsel in areas relating to security, privacy, and cloud/SaaS.
The idea behind this session was to look at what type of legal exposure organizations might be creating by moving to BYOD, and what would be the most effective provisions to include in a mobility policy to lessen that exposure. According to Mr. Brashear, there are a lot of risks and potential liabilities, including:
* Lost or stolen devices: This concern topped the list of security concerns in the InformationWeek 2013 State of Mobile Security survey. Losing an unsecured and unencrypted smartphone or tablet chock full of sensitive corporate data is the kind of scenario that will keep a CSO up at night. Of course, that concern exists primarily because the data resides on that mobile device. Zix sells a VDI-like email, calendar and contacts solution in which all of the information is stored in the cloud and never on the device itself.
* Mis-Wipe: If the organization is using an MDM solution, it is usually possible to erase just the corporate data if the device is lost or the user leaves the company; however, wiping the device using the basic capabilities of Exchange ActiveSync or IBM's Notes Traveler results in a total wipe. Even if there is an MDM system in place, mistakes happen, so users should be made aware of the possibility and reminded to back up their mobile devices on a regular basis.
* Surrender for eDiscovery Proceedings: It is important that the policy spell out clearly that employees will have to surrender their devices if required for an eDiscovery proceeding. Some enterprises also require the device be surrendered for periodic security audits. Some organizations have provisions in place where they will buy the user a replacement device to use until their own is returned.
* Injuries By Driving: If a mobile user is on a business call and injures someone in an automobile accident, the company will be sued for damages along with the employee--that's where the "deepest pockets" will be found. Martha Buyer has written about this issue, and while all of us on the panel leaned toward advocating an outright ban, I've yet to see any company go that far. About the best we can do in the mobility policy is include guidance regarding the safest ways to avoid all distractions while driving, point out which situations are most potentially hazardous, and suggest techniques for avoiding them.
Mr. Brashear also pointed out some of the subtleties to be addressed in managing the legal side of BYOD. One big pushback we are seeing from users is the concern that if companies require an MDM client on the phone, IT will be able to view the user's personal information. In fact, IT will at most be able to see a list of the applications that are installed, and will not be able to open those applications or see the data stored in them. However, good communications are key to addressing this and other compliance requirements.
One very important point Mr. Brashear made is that if there are penalty provisions in the policy, it is very important that they be enforced. If you do wind up going to court, advertising a penalty but failing to enforce it works against you, in that it implies that the company is not really serious about the policy in the first place. There are also differences in the expectation of privacy depending on whether the device is company-provided or personally owned.
All of this points out the need to have input and buy-in on the policy from Security, HR, Legal, Labor Relations, and the line-of-business managers. Finally, it is important to recognize the limitations of the technology. Remote wipe doesn't work 100% of the time (e.g., if the device is switched to "Airplane Mode"), and users might not use a secure container religiously for company information.
Probably the most important guidance Mr. Brashear imparted was that this is still a developing area of the law. That means there are few precedents, so it may be some years before the legal foundation for all the potential issues is fleshed out. In the meantime, we will keep following it at Enterprise Connect.