Keywords: BYOD, compliance, procedures, personal mobile devices
A multinational financial institution has decided to implement a Bring Your Own Device (BYOD) program due to increasing demand from business personnel and a desire to reduce IT costs. The General Counsel's Office is asked whether there are any legal, regulatory or compliance issues that the organization needs to consider when implementing a BYOD program and developing the policies and procedures governing BYOD.
What is BYOD?
BYOD refers to the policy of allowing employees to use their personal mobile devices to access their employer's information systems and applications for business purposes. In recent years, there has been a fundamental shift in the way people understand and interact with electronic information. First, the ability of employees to access information at any time and from any location has become essential to most business operations. Second, the technology used to access that information has become a matter of personal choice; no longer are employees satisfied with acquiescing to their employer's choice of technology. Instead, employees expect to be able to work with the device of their choice and dislike the inconvenience of maintaining separate mobile devices for business and personal use. And not only are employers largely powerless to stem the tide of this trend, but many employers appreciate the cost savings and flexibility that a BYOD program brings to the organization.
The Risks of BYOD
As with any technology, there are risks associated with implementing a BYOD program. There are legal risks, such as the ability to access information responsive to a document requests for preservation or production; there are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements; there are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization's networks; and there are data privacy risks associated with the mix of personal information with business information on one device. The question for any organization is how to best mitigate and balance these risks in light of the business demand for BYOD flexibility.
BYOD represents a significant change in the way organizations manage the risks associated with information. Traditionally, an organization's approach was to centralize the storage and retention of that information so that the organization had ultimate control over its distribution, management and retention. BYOD, however, undermines that basic approach. Organizations are now dealing with decentralized data sources where the organization has little operational control over storage, management and retention. Instead, many organizations find themselves almost entirely dependent on policies, and their employees' compliance with such policies, to manage the considerable risks associated with electronic data.
Consider the use of text messaging in a BYOD program. With a organization-owned device, the organization has the option of centralizing control of its employees' text messaging by disabling text or instant messaging capabilities on the device or capturing such messages for business purposes on the organization's centralized infrastructure. With a BYOD program, however, an organization loses its ability to easily block or capture business-related text messages, and is forced to rely more heavily on employee participation and compliance with policies to manage risk.
Tips for Managing the Risks of BYOD
Because an employee's use of his or her personal device is largely outside of the employer's control, critical components of any BYOD program include a clear, concise policy that is developed with the input of all the relevant stakeholders, together with audit procedures that validate and ensure compliance with that policy. When developing and implementing those policies and procedures, there are a number of issues the organization may want to consider.
- Involve all Relevant Stakeholders. BYOD implicates many aspects of the organization's operations, and all of those stakeholders should have input into the policies and procedures governing BYOD Those relevant stakeholders may include personnel from the Legal, IT, Human Resources, Information Security, Compliance and Business departments.
- Authorized BYOD Users. Careful consideration should be given to which employees the organization will permit to participate in a BYOD program and whether special procedures are needed for certain types of employees participating in BYOD. For example, because of retention and supervision requirements, the risks may be higher for regulated employees participating in a BYOD program than for non-regulated employees. And the organization's need and ability to access information on an individual's personal device may raise data protection concerns for non-US employees in certain jurisdictions. The organization should consider whether and how to adjust its policies to address high-risk employees, and whether special training, security or audit procedures are needed.
- Uses of the Device. When developing policies and procedures relating to BYOD, consider the types of applications that employees will be authorized to use on the devices for business purposes, as well as any restrictions on the use of those applications. This includes the type of information that may be exchanged or distributed using the application, the ability to ensure data security, the ability or need for the organization to capture the information exchanged through the application on its own systems and the ability to quickly access, preserve, retrieve or delete data stored on the device itself. Employees should be provided with clear and specific guidance on the appropriate use of authorized applications, as well as uses that are prohibited.
- Ownership of the Data. Most organizations have data retention policies or electronic communication policies notifying all employees that all data on organization's systems belongs to the organization and is subject to monitoring or use by the organization. An organization implementing a BYOD program should clearly convey to participating employees the organization's policy regarding ownership of data on devices that are part of a BYOD program. For example, the organization may have a policy that all business-related data on a BYOD program belongs to the organization (regardless of where on the device that data is stored).
- Access to the Device. The organization's ability to access information on an employee's personal device as part of BYOD program is critical to the organization's ability to meet its legal, regulatory and compliance obligations. The organization should consider the extent and nature of such access, including whether: (i) remote access to data on the device is needed for collection or supervision, (ii) the organization may have to take possession of the physical device under certain circumstances and (iii) the organization wants the ability to remotely delete information from a lost or stolen device, or from a device belonging to a former employee.
- Compliance & Audit Procedures. Given the challenges of monitoring and controlling the data on devices in a BYOD program, organizations should consider the need for specialized and enhanced training and audit procedures. Specialized training on the proper use of authorized applications may help to minimize confusion and inadvertent user error. Enhanced audit procedures, such as signed acknowledgements of the policy, periodic certifications of compliance or random testing for compliance, should also be considered. Incorporating these steps as part of a BYOD program provides additional assurance of compliance and strengthens the defensibility of the overall program.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2014. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.