For example, who will take responsibility for lost or stolen devices, and who will be responsible for malware or virus attacks associated with an employee's device? There are no fixed answers to these questions under the law, and these are precisely the types of tricky operational issues that should be addressed in the policy.
Support of devices is also an issue that should be covered by the policy, and is one of the most problematic areas because of the often wildly different expectations between an employee and an organisation.
For example, most employers will want to limit the support that they provide to simply connecting a personal device to the organisation's network, whereas an employee may expect that ongoing support of the device will be at the expense of the employer. Again, the position that prevails in this circumstance will be largely dependent on what is set out in the policy.
Licensing and insurance
One of the most common pitfalls of organisations implementing BYOD programs is failing to ensure that the scope of existing software licences is sufficiently broad to cover the intended breadth of the program.
Software licences often place restrictions on the type of devices from which software can be accessed and used, and it is not uncommon for the licence to limit access and use to devices owned by the organisation. This type of limitation could prevent an employee from accessing the relevant software from a personal device.
Accordingly, prior to determining which elements of the broader IT system will be made available, the organisation should carefully review the scope of its existing software licences.
Another licensing issue that needs to be taken into account is employees' rights to use, for work purposes, applications and software that they have downloaded on their device outside of work. It is quite possible that the scope of their licence is only for personal non-commercial use.
This poses a risk because it may expose the organisation to a claim by a third party that the organisation has encouraged a breach of licence. The BYOD policy should make it clear that employees are not authorised to utilise, for organisational purposes, software purchased or otherwise downloaded for personal use.
An organisation's appetite for risk is generally linked to the scope of its insurance coverage. Certain aspects of a BYOD program may fall outside the scope of traditional insurance policies, and it is important for the organisation to clearly understand whether its policies will cover work conducted on devices that are not directly owned or leased by the organisation.
This will be particularly important in the context of professional indemnity insurance, and will require a close examination of the definitions in the policy, as well as the extent of coverage.