This article from the LexisPSL IP&IT team focuses on the key considerations and potential risks an organisation needs to evaluate when deciding whether or not to permit BYOD.
What is BYOD?
'Bring your own device' (BYOD) refers to arrangements where an organisation allows designated users to connect to its corporate IT network using their own communications devices for specific purposes. This will most commonly apply to use by staff of their personal devices for work, but may extend to others, such as educational institutions and their students or persons who deal with organisations, such as customers and business partners, as a way to exchange information. BYOD arrangements may cover a range of device types including laptops, tablets and smartphones.
The concept of BYOD is not new. For years employees have been using personal devices to do work in some way or another (often not company-sanctioned), such as sending work documents to their personal email accounts. However, organisations have more recently started to accept this reality and are realising there may be benefits to the business in allowing use of personal devices.
What are the key risks and benefits of BYOD?
| Area | Potential benefits | Potential downsides and risks |
|---|---|---|
| Cost | There are cost savings for the organisation in not having to invest in procurement, replacement and management of devices for users. | The organisation will still need to make some investment in a technical solution, training and support to enable BYOD access by users (which may in some cases make it more expensive). |
| Flexibility | There are potential savings on service charges (where users may be compelled to use devices more responsibly). | If an organisation stops buying devices for employee use under existing contracts with its communications provider (which often bundle a range of products and services together), this may affect the discounts it receives on other product/service lines. It is important, therefore, to review existing supply contracts before implementing BYOD. |
| | BYOD is a potentially effective response to changing ways of working that enables employees to be more flexible and mobile. | Organisations have less control over user devices, and there is an increased risk of a device containing company information being lost or stolen, particularly on public transport or in other public places. |
| Productivity | Users' familiarity and comfort with their own devices can mean they are more productive. | |
| | Time can be saved if users can move between applications on a single device (instead of switching to and fro between company infrastructure and personal devices). | Users being able to readily access personal apps on the same screen as work programs may be a distraction. |
| Employee satisfaction | Employees are potentially happier when using a device that they presumably like (since they bought it in the first place). | Employees' personal financial circumstances need to be considered when it comes to the timing of device upgrades. |
| Device quality and 'newness' | Users may be more likely to invest in the latest devices (whereas organisations tend to buy the most basic model that delivers the required functionality at the best bulk-buying discount). | |
| Device care and support | Users may be more inclined to take better care of, and troubleshoot, their own devices than company-owned devices. | Users may be more likely to leave company devices at work, potentially reducing the risk of devices being lost or stolen (whereas they will take their personal device with them everywhere). |
| Information security | Technological advances are reducing some of the security risks typically associated with BYOD, eg solutions that ensure company information is not stored locally on a user's device, and data wiping technology. | There are security risks associated with users accessing the corporate network and potentially saving company information locally on their devices. |
| | Given that employees are probably using their own devices for work anyway, by setting up BYOD properly organisations can at least ensure this is managed more effectively. | There is the potential for financial loss, legal liability and brand damage to organisations arising from security breaches or data losses involving user devices. |
| | | Additional measures may be needed to demonstrate compliance of BYOD arrangements with regulatory requirements (which may carry a cost for the organisation). There are also the practical issues of enforcing rights to audit users' devices. |
| | | There is the potential for users' devices to infect the corporate network with viruses or malware. |
| User data and personal privacy | The company may install security measures that better protect the user's device from viruses, hacking, etc than the user would have themselves. | In return for being able to use their own devices, employees will generally have to be prepared to accept a certain level of intervention or intrusion by the company. |
| | | Data wiping technology does not necessarily discriminate between company information and users' personal data. |
| Tax treatment | Salary sacrifice benefit schemes may provide tax and National Insurance Contributions benefits for employees who buy their own mobile device for mixed personal and work use. | Under current tax rules, money paid to an employee to use their own mobile phone (or laptop) may be taxable as a benefit. |
| | | Organisations should evaluate the respective advantages and disadvantages of refunding employee expenses versus direct corporate expenditure. |
| | | The personal tax and corporation tax consequences of BYOD for employees and organisations respectively have been the subject of debate, and changes are being considered. |
How can organisations that allow BYOD protect themselves against security risks?
Develop and implement a BYOD policy
Organisations that decide to roll out BYOD should have a defined policy governing its use, to which users sign up. A BYOD policy should clearly:
o set out the overarching policy objective: protection of company information--any rights or obligations under the policy should be directed towards achieving this objective
o define who is covered by the policy
o specify the devices covered by the policy--decide which devices and operating systems will be supported (and ensure this can evolve over time) and implement a device registration procedure
o define who owns what in terms of data and apps
o outline what technical support the organisation is prepared to give and the limits on this
o set out users' obligations, eg regarding security measures (eg passwords), costs of repairs, back-ups of data, permitted apps/non-permitted activities (eg 'jailbreaking'), segregation of personal and work data, and compliance with requests by the organisation to audit their device
o set out the consequences if the user does not comply with the policy, if the user's device is lost or stolen, or if the user stops working for the organisation
An organisation's existing policy on acceptable use of corporate technology can form a useful starting point for developing a BYOD policy. The BYOD policy will also need to dovetail with the organisation's broader information security policy.
Choose the right technical solution
There are a range of models that can be used for the technical solution that will underpin user access via BYOD. The main considerations influencing the solution ultimately chosen will be:
o technological capability of existing company IT systems
o support requirements
o how users need to be able to work and what systems they need access to via non-company devices
o regulatory requirements (depending on the industry in which the company and/or its customers operate), and
An organisation's key concern from a security perspective will be ensuring it maintains network security and control over company information being accessed via personal devices.
Direct network access and local copies
If users are able to access the company network directly from, and/or save company information onto, their personal devices, this is not the most secure option and additional protections will be needed to ensure the company can contain potential information security breaches or data losses.
In this scenario, organisations could:
o contractually oblige users to co-operate in deleting company information from their devices on the occurrence of certain specified events (eg the device being lost or stolen), and/or
o encourage users to adopt certain security measures and data management best practice, such as regularly backing up their personal data on their own devices and ensuring that company information is stored only in designated areas/folders on their devices
However, there will always be the issue of how an organisation can enforce this in practice when it needs to contain an information security crisis quickly and effectively. (See 'Remote data wiping' below.)
If company information on company IT systems is accessed via a web portal, where core applications are virtualised, and no local copy is saved on the user's device, the information security risk to the company is reduced.
Where there is a need for users to work agilely and remotely, use of private clouds by companies to support BYOD is proving an increasingly popular solution.
Emerging models such as 'secure containers' are also enabling better segregation of user data from company information, meaning that restrictions on functionality such as printing, copying and pasting can be imposed selectively on data within the work container, and a gateway can be imposed to prevent unauthorised apps from opening files stored in the container.
Connection and tracking
Technical measures can be implemented to ensure that only authorised users can connect to the corporate network and also to track what data is being copied onto a user's device (assuming such copying is technically possible). Organisations that use such technology will need to notify users (in writing) that they are doing this, either in their BYOD policy or otherwise, and comply with their relevant obligations under the Data Protection Act 1998 (DPA 1998); see 'Organisations monitoring users and/or remotely accessing users' devices' below.
Software also exists that locks down a device to prevent users from installing any unapproved apps on the device, but it may be unrealistic to expect a user to accept this on a device they have paid for.
Remote data wiping
Remote data wiping technology can enable an organisation to remotely wipe user devices of company information if there is a data security issue. The problem is that generally this enables data on devices to be wiped only on an 'all or nothing' basis, meaning that the user's own data and apps will also be lost. However, more discriminate wiping of data is becoming possible, eg if 'containerisation' is used (see above).
Encourage users to adopt responsible security behaviours
Because under BYOD devices are user-owned and controlled, organisations will need to rely on users to take primary responsibility for the security of their devices. Users should be encouraged to implement passwords or lock screens for their personal devices. Such passwords should be strong and not easily bypassed, and ideally there should be separate password verification for each service accessed. These requirements should be incorporated in the BYOD policy, to which the user signs up, and enforced practically when the user registers their device.
Organisations may wish to build into their BYOD policy some guidelines for users on acceptable use, particularly as the line between work and personal use may easily become blurred if a user is using the same device for everything. However, organisations should not be excessively prescriptive about what employees can and cannot do with their own devices (particularly in their own time), and such guidelines should therefore be confined primarily to:
o activities that present a real security risk to the organisation
o reminding employees that they should behave no differently than they would on a work device in terms of the content they can view and how they treat other users, and
o the action that may be taken by the company if an employee (inadvertently or not) transmits inappropriate material over the company network or transmits company information via social media, email or other personal channels
Organisations will also need to determine how, practically, they will get users to install company-prescribed apps and updates.
Incorporate BYOD 'deregistration' with HR processes on exit
Consider how users will be 'deregistered' from the BYOD platform when they cease working for the organisation. This may involve removing access tokens, disabling email and/or web portal access and checking user devices to ensure locally saved company information and company apps have been removed as part of the standard human resources (HR) exit process. However, if the circumstances of departure are fractious or no formal exit interview is held, this will also be difficult to enforce practically.
Therefore, organisations should ensure they have a backup plan for removing former employees' or other users' access to the company network and for safeguarding company information by remote means if user co-operation is not forthcoming. Measures such as (non-selective) remote data wiping should be used only if this is reasonably necessary and is a proportionate response in light of the information security risk posed to the organisation.
What rights do users have to preserve their personal privacy?
The need to safeguard organisational information security will always have to be balanced against the individual rights of the user. From the user's perspective, data protection, personal privacy, human rights and employment law considerations may come into play where BYOD is concerned.
One of the main practical issues with using BYOD is that it is not always easy to neatly separate company information from personal information on a user's device.
The technical basis on which users are granted access to company IT systems is important--an organisation will generally only need to consider measures such as remote access and/or data wiping if a local copy of company information is stored on a user's personal device.
Organisations monitoring users and/or remotely accessing users' devices
In the UK, the Computer Misuse Act 1990 (CMA 1990) creates 'hacking' offences, prohibiting unauthorised access to computer material. It is an offence to cause a computer to perform any function with intent to secure access to any program or data held in any computer, where such access is unauthorised, and the person causing the computer to perform the function knows this.
Therefore, a user's authorisation will be required for an organisation to lawfully access data on their personal device by remote access or other technology.
Organisations should accordingly not use BYOD as a surreptitious way of monitoring what their employees are doing. For instance, an employer should not use its access to an employee's device when registering this for BYOD as an opportunity to install mobile tracking software on an employee's device to covertly monitor where they are and what they are doing during work time.
Indeed, if an organisation intends to install any 'intrusive' apps onto an employee's device as part of being registered for BYOD, it should obtain the employee's informed consent to do this. This would require the employer to disclose the details of the app and briefly explain what it is used for.
The DPA 1998 will apply where monitoring generates information relating to a particular identifiable individual (eg a particular employee or customer). The DPA 1998 imposes various obligations, including an obligation to inform individuals that data relating to them is being gathered via monitoring of IT and communications systems and the reasons for this.
Employees will also enjoy certain protections under employment law and duties of confidentiality. There is an implied duty of trust and confidence between employers and employees read into UK contracts of employment. This obligation is supplemented by the provisions of the Human Rights Act 1998 (HRA 1998), which grants individuals a right to respect for private and family life. Breach of an employee's reasonable expectation of confidentiality or privacy may give rise to a claim (eg a discrimination claim where an employee claims their communications are excessively monitored or restricted compared to other staff).
In some other jurisdictions, the labour laws restricting access by employers to employees' personal devices are even stricter.
How far can an organisation go in accessing user devices?
The rights an organisation can reasonably exercise to access user devices, either physically or remotely (if any), will vary depending on:
o how the organisation IT network is accessed by users, and
o the reason the organisation requires access to the user's device
If user access to the company network is via a web portal (apart from possibly initial BYOD set-up), there is generally no need for the company to access the user's device (or the data on it). However, if local copies of company data are saved onto the user's device, the organisation will need to consider how it will deal practically with situations that require rapid action (eg security breaches) or other situations where the company wants to ensure no company information remains on the user's device (eg a user ceases working for the company).
Loss of users' data
Where data wiping technology is used, this will not generally work selectively but will wipe all data on the user's device, including personal data (eg contact lists), photographs and other media (eg music) and apps for which the user has paid.
Organisations will therefore need to consider carefully the circumstances in which they will use (non-selective) data wiping and, if so, what assistance (if any) they will give to users to help restore their own content on their devices. It would be difficult to justify the use of indiscriminate data wiping unless:
o there was a serious and immediate threat to organisational information security that could not reasonably be dealt with by other means, and
o the organisation had taken reasonable steps to minimise loss to users' data
Reasonable steps to minimise loss to users' data may involve preventative action (eg encouraging users to regularly back up their own data) and/or restorative action (eg providing support to users to restore content onto their devices or replacement devices).
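As an added illustration (not part of the LexisPSL article), the device registration checks from the BYOD policy section and the proportionality test for remote wiping described above can be expressed as policy-as-code. The supported-platform values, the `Device` fields and the function names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical BYOD policy values: minimum (major, minor) OS version per supported platform.
SUPPORTED_OS = {"ios": (16, 0), "android": (13, 0)}


@dataclass
class Device:
    owner: str
    os_name: str
    os_version: tuple          # (major, minor) as reported at registration
    screen_lock: bool          # password/PIN or lock screen enabled
    jailbroken: bool           # jailbroken/rooted devices are a non-permitted activity
    work_container: bool       # company data segregated in a managed 'secure container'
    local_company_data: bool   # a local copy of company information exists on the device


def registration_problems(dev: Device) -> list[str]:
    """Return the policy breaches that block device registration (empty list if OK)."""
    problems = []
    minimum = SUPPORTED_OS.get(dev.os_name)
    if minimum is None:
        problems.append(f"unsupported platform: {dev.os_name}")
    elif dev.os_version < minimum:
        problems.append(f"{dev.os_name} {dev.os_version} is below supported minimum {minimum}")
    if not dev.screen_lock:
        problems.append("no password or lock screen configured")
    if dev.jailbroken:
        problems.append("device is jailbroken/rooted")
    return problems


class WipeAction(Enum):
    NONE = "no remote wipe; rely on user co-operation under the BYOD policy"
    SELECTIVE = "selective wipe of the work container only"
    FULL = "full (non-selective) device wipe"


def wipe_decision(dev: Device, serious_immediate_threat: bool,
                  other_means_exhausted: bool, user_loss_minimised: bool) -> WipeAction:
    """Proportionality test: choose the least intrusive action that still contains the risk."""
    if not dev.local_company_data:
        return WipeAction.NONE        # web-portal-only access: there is nothing to wipe
    if dev.work_container:
        return WipeAction.SELECTIVE   # containerisation makes discriminate wiping possible
    # A non-selective wipe also destroys the user's own data, so it is justified only when
    # the threat is serious and immediate, cannot reasonably be dealt with by other means,
    # and reasonable steps (backups, restore support) have been taken to minimise user loss.
    if serious_immediate_threat and other_means_exhausted and user_loss_minimised:
        return WipeAction.FULL
    return WipeAction.NONE
```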
The Information Commissioner's Office has issued specific Bring your own device guidance. A key point emphasised in this guidance is that 'the data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing'.
This article was originally published in LexisPSL IP&IT.