In an effort to reduce the overwhelming cost of staying current on IT hardware for employees, many organizations are considering the alternative approach of Bring Your Own Device (BYOD). Since employees are already bringing their own devices into the workplace and these employees have a passion for using the latest and greatest devices, it follows that organizations should consider a policy to allow the use of these employee-owned devices for corporate purposes.
There exists a major challenge with opening a corporate network to the expansive list of potential devices employees might want to bring to work. That challenge is that the structure and controls the IT department put in place to protect data for employer-owned devices become very difficult to enforce on employee-owned machines.
Obviously, BYOD policies can and should be implemented to minimize the risk of data loss, but there exists a blurring of the lines between these policies when the hardware being used by the employee was purchased from his or her own pocket.
A few points to consider when implementing a BYOD program that may help “CYA”:
A. Analyze the desire and implications of starting a BYOD program. Depending on the industry and culture of an organization, employees may not want the complications of BYOD, or executive management may not want the risk exposure associated with BYOD.
B. Buy-in from all levels of the organization is critical to a successful program. Since protection of corporate data is a multi-departmental activity, it follows that allowing employees to bring their own devices should involve all of those departments, including legal, human resources and finance, just to name a few.
C. Connect policy to process. It is not enough to have a BYOD policy in place. Organizations must connect their policies to a clear, concise process. A well-defined process will drive a successful BYOD program.
It is this last point that has the most impact on corporate liability and the legal department. Consider the complications presented when corporate content is co-mingled with personal information on the same device and a data breach occurs on that device.
Consider further the need for IT departments to wipe the device when it contains personal photos that don’t exist anywhere else. Or consider another scenario, where the corporate content on a device is subject to a discovery request as part of litigation.
Does the organization have the technology in place to properly collect only the data related to the litigation without also collecting personal data?
There are many questions to be answered to properly implement a BYOD program. And while BYOD may not be for all organizations, it is proving to be a popular “perk” for employers to offer.
More Info: Catch our BYOD webinar with Inside Counsel on and The e-Disclosure Project's Chris Dale on demand. View it here.