Bring-your-own-device (BYOD) technologies have emerged as a popular and cost-effective means of providing mobility and flexibility to employees.
Consistent with most emerging technologies, however, there are a number of legal issues which are often not considered but which may have unintended impacts on an organisation's risk profile. Organisations need to consider the potential legal issues associated with BYOD technologies whether or not they have a formal BYOD program in place.
CIOs are well aware that employees have always worked out ways (and will continue to work out ways) of connecting their personal devices to work systems, which quite often involves circumventing internal security protocols. This exposes the organisation to a potentially uncontrolled level of risk, often without the organisation even being aware of it.
At the outset, it is important to keep in mind that BYOD programs do not, in themselves, present any new legal issues. Many of the legal challenges that are associated with BYOD technologies have existed since the adoption of mobile computing. What's new is the fact that the potential for issues to arise has increased dramatically given the widespread adoption of BYOD technologies.
While it is impossible to entirely remove any legal risk associated with BYOD programs (the very concept of allowing external devices to connect to, and interact with, a carefully managed IT system carries with it inherent dangers), there are a number of measures that organisations can adopt to limit their exposure.
Importance of policy
The most important element of any BYOD strategy in relation to minimising legal risk is to have a detailed policy that sets out the terms of the program. The purpose of the policy is to provide clarity around how the BYOD program will operate, as well as to act as the platform to allocate risk between the organisation, its employees and third parties.
The BYOD policy will generally be one element in an organisation's broader policy framework, and will sit alongside the organisation's employment policy, as well as the organisation's existing 'acceptable use' policies.
The policy needs to cover matters such as the types of devices that employees can use, access rights, support arrangements, tracking and monitoring, and remote wiping. Much of the policy will not, in fact, directly address legal issues. Having a clear policy will, however, assist in reducing legal exposure.
Employees should be required to actively accept the terms of the policy prior to being entitled to connect any external device to the organisation's IT system.
A key benefit of adopting a BYOD program is the significant capex savings of not having to supply employees with devices for work purposes. Accordingly, in order to ensure that any savings are not outweighed by ongoing operational costs, organisations need to carefully consider how they intend to apportion liability between themselves and their employees in a number of important areas.