As more and more companies rushed to hastily implement their own home-cooked BYOD-based mobile device/apps management policies to cash in on the new fangled idea of gaining enhanced employee productivity, industry experts warned that there were bound to be a few problems along the way. Though most of these problems were related to device management and corporate data security, many legal concerns have also emerged from BYOD implementation. In a BYOD environment, employees are allowed to use the same device for both personal and work-related activities. Here we will discuss some of the grey areas created by BYOD implementation by companies.
Employer’s access to Employees’ Personal Messages/Data
It really was much easier in the RIM (Research In Motion) age of long ago with only a few company-owned BlackBerry phones handled by a select group of high-ranking individuals, who connected to the enterprise network using those mobile devices. As it was company property, there was no question that whatever data was on the device was owned by the employer and the employee was expected to use the device only for of work-related activities. Following the implementation of BYOD, it’s not so clear anymore and many companies forgot to include express instruction related to management of personal data contained on those devices. A device bought and used by an employee under the employer’s BYOD policy may or may not contain a clear definition of what data on the device can be accessed by the employer. In such uncertainty, either party can (and probably will) perceive their situation to be infarction on their rights and demand for legal advice. Personal messages and personal data are only the tip of the iceberg- the situation could include an employee’s personal project, which is considered to be in direct conflict with a current project of the employer and so on. In each of these cases, if a carefully worded legally-valid document stating the current BYOD policy of the employer is unavailable, many of the cases could end up in court and lead to wastage of both time and money for all parties concerned.
Till some years ago, the practice of introducing spyware into enterprise computers to monitor employee behavior was considered to be an acceptable practice and such invasion of privacy was believed to be essential for securing the employer’s interests. Currently, companies have moved towards alternate methods such as blocking access to web pages using firewalls or restricting access to corporate networks using user authentication systems, key-based encryptions etc. Many offshore software development companies provide such enterprise security solutions to companies all over the world. Unfortunately, BYOD devices are not owned by the employer unless they provide reimbursement for the device purchased by the employee and mention the same in the BYOD policy document. This is a veritable legal mine-field and there is often no clear answer to the question it poses about- employee’s rights vs. employer’s rights. There are additional problems too, such as, what can the employer legally do, if an employee’s BYOD device contains potentially illegal data such as pirated music, pirated videos or other restricted material? Does the employer have the right to wipe such data or just inform the employee about a possible legal infarction? By informing the employee about the possibility of legal infarction, does the employer become an accomplice to the crime committed by the employee? These are but some of the tough questions that an organization’s legal department needs to figure out in order to develop an efficient BYOD strategy.
The Grey Area Intersecting Cyber Risk Insurance and BYOD
In legal terms, an organization (company) is considered to be an entity with the right to protect its existence as well as itself from criminal acts as well as other actions that have a detrimental effect on its operations. In order to reduce the losses incurred by breach of data security, many firms are resorting to the use of Cyber Risk Insurance as a tool to reduce probable losses. However, a new problem has emerged subsequent to introduction of BYOD in the enterprise. A number of the current cyber risk insurance policies currently in effect, provide organizations coverage for only those security breaches, which originate from company-owned devices. As, BYOD devices are employee owned and not company-owned (unless otherwise mentioned in any employee-employer agreement), such devices are not covered by many of the existing and currently applicable Cyber Risk Insurance policies. In such a case, if a security breach in the corporate network occurs due to improper usage of an employee-owned BYOD device, the insurance company can (and most probably will) decline any payout to the organization as such as device is not covered by the currently applicable Cyber Risk Insurance policy. I think this classifies as an example of the classic “out of the fire pan, into the fire” situation!
Some Probable Solutions
The first possible solution can be based on the point of view that “prevention is better than cure.” To that effect, an employee can choose to own two separate devices one for use at the workplace and the other for personal use, however that nullifies a key benefit of BYOD- having a single device of the employees choice for all of his/her work and personal requirements. Some legal experts have also advised employers to seek legal counsel at the time of signing a BYOD agreement to ensure that their rights as an individual are not infringed by the agreement, however, in practice that might be difficult as well as quite unfeasible for both the employee and the employer. The unfortunate fact is that, legal processes tend to move quite slowly as compared to the blazing speed of IT technology and mobile apps development and this creates gaps such as the gap caused between BYOD and its legal implications for the enterprise. It hence falls upon companies to introduce proper protocols to ensure that such situations are prevented wherever possible and also ensuring that an employee understands the ramifications of the security policy / BYOD policy currently followed by the employer. All of this is a source of concern provided that employers actually continue with the deployment of BYOD at the work place, though it is doubtful that the policy of enterprise BYOD would reverse itself following the current enterprise environment.
With respect to the cyber risk insurance situation, it is definitely advisable for organizations to carefully review the existing terms and policies of their insurance. If required, organizations would negotiate with the insurance to add new elements to the existing policy or if necessary, search for a new insurer to ensure that the corporation’s interests are adequately protected. Additionally, investing in custom software development targeted at strengthening the security of sensitive corporate data available on the company’s servers would also help organization weather out this BYOD storm.