The ABCs of BYOD to CYA

Chad McManamy

In an effort to reduce the overwhelming cost of staying current on IT hardware for employees, many organizations are considering the alternative approach of Bring Your Own Device (BYOD).  Since employees are already bringing their own devices into the workplace and these employees have a passion for using the latest and greatest devices, it follows that organizations should consider a policy to allow the use of these employee-owned devices for corporate purposes.

Opening a corporate network to the expansive list of devices employees might want to bring to work presents a major challenge: the structure and controls the IT department puts in place to protect data on employer-owned devices become very difficult to enforce on employee-owned machines.

Obviously BYOD policies can and should be implemented to minimize the risk of data loss, but there exists a blurring of the lines between these policies when the hardware being used by the employee was purchased from his or her own pocket. 

A few points to consider when implementing a BYOD program that may help “CYA”:

A. Analyze the desire and implications of starting a BYOD program. Depending on the industry and culture of an organization, employees may not want the complications of BYOD, or executive management may not want the risk exposure associated with BYOD.

B. Buy-in from all levels of the organization is critical to a successful program. Since protection of corporate data is a multi-departmental activity, it follows that allowing employees to bring their own devices should involve all of those departments, including legal, human resources and finance, just to name a few.

C. Connect policy to process. It is not enough to have a BYOD policy in place. Organizations must connect their policies to a clear, concise process. A well-defined process will drive a successful BYOD program.

It is this last point that has the most impact on corporate liability and the legal department. Consider the complications presented when corporate content is co-mingled with personal information on the same device and a data breach occurs on that device.

Consider further the need for IT departments to wipe the device when it contains personal photos that don’t exist anywhere else. Or consider another scenario, where the corporate content on a device is subject to a discovery request as part of litigation. Does the organization have the technology in place to properly collect data only related to the litigation without also collecting personal data?

There are many questions to be answered to properly implement a BYOD program. And while BYOD may not be for all organizations, it is proving to be a popular “perk” for employers to offer.

More Info: Catch our BYOD webinar with Inside Counsel on and The e-Disclosure Project's Chris Dale on demand. View it here.
