The company’s acceptable use policy isn’t enough to cover employee-owned devices, lawyer Lou Milrad writes

10 legal challenges to creating a BYOD policy

Overheard recently at a BYOD symposium: “We’ve now gone from mainframe computers to desktops and on to the coffee shop.” This says it all.

While today’s workplace environment reflects IT consumerization through widespread proliferation of consumer mobile devices that include an array of smartphones, tablets, and netbooks, a host of enterprises still lack strategies regarding mobile device management (MDM) and in particular, strategies that are coupled with a formalized and well-articulated set of mobile use policies. This combining, in the workplace, of personal and business technology on a single device is of mounting concern to corporate IT departments – it reflects a changing dynamic that challenges those that are responsible for the particular technology being used by employees to do their jobs. This challenge applies to both institutionally provided and employee-owned devices.  It is critical for IT departments to comprehend the nature and power of the smartphone and tablet devices that are connecting to their networks so that access to their networks is not only convenient and secure, but also authorized.
 
RELATED CONTENT
 

While workplace access through previously furnished corporate devices may well be covered under the organization’s earlier articulated Acceptable Use Policy (AUP), the array of mobile devices that are being independently adopted by employees that enjoy access privilege or capability (whether authorized or not) that is augmenting a host of IT-related governance and liability concerns, particularly, those relating to privacy and security breaches.  Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of “personal information” as mandated under the applicable federal and provincial privacy legislation (that covers all of the organization’s employees, customers, suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property.

A further complication is the potential use by employees, on both sides of the firewall, of cloud-based personal e-mail services such as Gmail or Yahoo, as well as their personal postings through a variety of social media sites such as Facebook and LinkedIn.

We’re now witnessing personal emails coming into corporate servers through services that include AOL, Gmail or Yahoo. Information, in the nature of organizational assets, is now transforming from the workplace to Cloud.  Corporate emails are leaving the enterprise through BYOD users forwarding them onto their own personal accounts.

In an effort to reduce security risks, organizations are beginning to focus on creating BYOD policies that will both support and protect mobile devices. Hence, the necessity to create a BYOD program that introduces a phased rollout for “empowered” workers. As prerequisites to any such program and as a first consideration, there is an absolute need to define the necessary MDM and the required mobile security tools, together with a well-considered and articulated BYOD policy.

Given the number of considerations, the BYOD policy should be developed prior to committing to any technology and should start off by reviewing any previously existing Acceptable Use Policy (AUP) with a view to updating, enhancing, or replacing that policy or integrating that policy with the BYOD one.

While not necessarily applicable in all instances, there are a variety of legal issues requiring attention as part of the overall policy, and for this reason, organizations need to include their in-house lawyer or legal department, or external counsel, in the preparation and/or revitalization of a previously enforced policy.

Start the process by requesting copies of what BYOD policies or structures might already be in place with colleague organizations and don’t be surprised if portions are redacted by those that are willing to share – also recognize that there may be some hesitancy in sharing given that the policy itself might be designated as “internally confidential”.

In starting, it is important to bear in mind that the BYOD policy will need to be well balanced and be void of any unauthorized monitoring techniques, or sanctions that are considered invasive, or disproportional prohibitions.  Otherwise, there’s a real possibility that any evidence gathered in support of the policy, might well be excluded in court.

The following (not in any particular order of priority) are the key legal risk issues that need to be considered as part of your organization’s strategy in developing and implementing the policy:

1. General Duty of Care under our Legal System

In drafting the BYOD policy, we must remain mindful of the fact that our legal system recognizes that every person and every entity, whether public or private, has a general duty of care. Early implementation of a best practices approach, that embraces appropriate employee education and training may well preclude your organization from third party liability, financial or otherwise, arising through employees’ or consultants’ personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations. In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care.

2. Privacy (Personal Information)

We have the makings of a perfect storm with the convergence on one device of both personal and corporate data and which presents a complication – the trusteeship by the organization of personal information of the person using the BYOD device coupled with possible access, handling and disclosure of personal information of others stored on the corporate servers. A workplace surveillance strategy may also be envisioned and in which event, employers will need to have in place, and made easily available and accessible, a data surveillance policy. Will the company be permitted access to an employee’s own emails and text messages (SMS) on a personal smartphone or tablet used by that employee for work? And what about browsing history, installed software and other data?

3. Data Security and Protecting Data Integrity

Employees will need to be educated as to what constitutes acceptable use. There is a fundamental duty upon the organization to take reasonable steps to protect the information it holds from misuse and loss and from unauthorized access, modification or disclosure. It’s about the data – not the device and the ability to separate “personal” from “business” while also ensuring data is backed up, and that relevant documents are not deleted. Consider the procedures that are required for separating personal from work-related data, so as to ensure that appropriate non-delete, backup and redundancy features are implemented.

Restrict access to highly sensitive Confidential Information (refer to item 5. below).

4. Prohibition against “Jail Breaking” or “Rooting”

While it is important to include strict prohibition against “Jail Breaking” or “Rooting” employees’ devices, it is critically important to communicate to employees the underlying rationale supporting this prohibition and the associated security risks. Trojans, mobile malware, and pirated software are often associated with “Jailbreak” sites. It is important to point out the possible legal sanctions associated with bypassing digital rights management restrictions intended to protect copyrighted works; other concerns to be recognized, on this side of the firewall, include direct access to locked file systems, user interfaces, and normally hidden or locked network capabilities. Additionally, Rooting or Jail Breaking a device to run a free Wi-Fi hotspot may well violate the contract service terms thereby providing affected carriers with cause to terminate subscribers contracts.

Also, there is the potential risk of loss of manufacturer’s warranty and carrier throttling for BYOD.

5. Confidential Information

Employees and others acting on Company’s behalf are responsible for protecting the Company’s confidential information, including trade secrets (whether the company’s own or those entrusted to it by third parties), from unauthorized disclosure whether internal or external, deliberate or accidental.

It is critical to secure a written, signed confidential disclosure agreement before taking any steps to disclose confidential information to a party outside of the organization. While a general manager or technical director might well possess the necessary signing authority, it is suggested that a medium to high level member of management, such as a vice president, be the designated party responsible for signing confidential disclosure agreements. In addition to maintaining a fully signed copy of that document, a log recording the date, time and location of signing should likewise be maintained for future reference.

For a comprehensive discussion around “confidential information”, please refer to this author’s article in the September 2012 issue of CIO Canada  “For your organization’s eyes only – IT governance requires vendor relationships that treat confidentiality as job one. How to make sure your contract includes it.”

6 Licensing & Intellectual Property Rights

It is important to recognize that the enterprise’s various software applications may be licensed to the company under a variety of software proprietors’ individual or collective strategies – software and service services providers typically have fairly comprehensive and detailed fees-based licensing structures and charges that range from a per user, or per device type of license, to a number of users concurrently accessing the software from a single location, through to an enterprise wide arrangement. Therefore, it is critically important to spend time carefully reviewing the terms of use under such applicable licenses to ensure that corporate implementation of BYOD technologies will not breach the licensing terms in place with the software and providers. Allowing employees to use company applications on their own devices, for example, may breach the company’s current licensing agreement. Consider also the licensing terms for the BYOD applications and the accompanying licence rights – what are the limitations, to whom do they apply (largely dependent on whether it is the company or the employee that signs up with the provider), and are they, or will they be in violation of any existing third-party contracts or corporate policies? It is incumbent upon the company, as well as the employee, to mitigate against potential intellectual property and contractual claims from third parties.

7. Employee-Employer relationship

Employees are obligated to respect the company’s confidential information, including business and trade secrets, lists of sales leads, and other proprietary data and to keep and maintain the confidentiality of such corporate assets after termination of an employment contract.  Criminal prosecution may result from any failure to maintain the confidentiality of such information, particularly if intentionally misappropriated. In addition, companies often require employees, consultants, contractors, and freelancers to sign confidentiality agreements (NDA’s) to establish a legal framework for non-compliance. Organizations become challenged in gathering proof of a breach of confidentiality and enforcing policy when people store any such proprietary data on their own personal iPhones, Androids, and other smartphones or tablets.  Therefore, an absolute requirement of a BYOD policy needs to require employees (and project consultants, etc.) to permit the company to check out their device when they leave the company to make certain that all confidential information has been deleted. The actual timing of the checking procedure becomes a critical factor.

8. Electronic Communications, Document Preservation and Evidentiary Obligations

While not really part of a BYOD policy or of this article, CIOs need to be mindful of general legal requirements governing electronic communications and e-commerce.

Perhaps, more aligned with a BYOD strategy are document retention requirements arising under private contracts as well as under diverse statutory schemes that include provincial and federal and corporation acts, income tax as well as privacy-related legislation. Legal retention requirements may also apply to documents comprising employment records, workplace safety, and pension benefits. In addition, in any civil or criminal matter, there’s a legal framework for introducing into evidence any electronically stored information (ESI). Hence the need to become aware of document retention (and destruction) laws and policies as well as those pertaining to digital evidence.

9. Insurance and Liability Considerations

Review applicable insurance policies for coverage/non-coverage, as the BYOD policy will need to consider how liability will be apportioned between the individual and the organization. Pay particular attention to the protection and compliance with all Intellectual Property Rights (IPR – see 6. Licensing & Intellectual Property Rights above) and licensing issues. Is the employee or organization to be responsible for lost or stolen devices? What about responsibility for malware or virus attacks on BYOD device? Does the employer’s existing insurance provide coverage for employee owned devices that are part of a BYOD policy? Who is to be specified as responsible for replacement upon theft or loss should employer’s insurance coverage not provide for employees device coverage – it is necessary to identify in a BYOD policy whether the user or company will be liable for loss or theft of BYOD devices (particularly important if the organization’s insurance policies cover an employee-owned device being used under a BYOD policy.

10. Training & education

Implementation and adherence to a policy can only be effective if there has been proper training and education for employees and those others having access to corporate information. Companies are well advised to organize programs that will serve to familiarize employees with the strategy and with the thinking that preceded implementation of the BYOD policy.

 
Lou Milrad is a well known Toronto-based business lawyer that assists public & private sector clients with legal services relating to technology licensing and associated legal strategies, IT procurement, commercialization, cloud computing, open data, and public-private alliances. In addition to being the creator and editor of “Computers and Information Technology”, a 4 volume series of IT legal precedent licenses, services, supply, and database contracts and published through the Carswell Division of Thompson Reuters and now into its 16th release. Lou also acts as external General Counsel to each of MISA (Municipal Information Systems Association) and URISA (Urban & Regional Information Systems Association), and for 13 years, acted as external General Counsel to ITAC (Information Technology Association of Canada). Lou can be reached at 647-982-7890 or through lou@milrad.ca or via http://www.milradlaw.ca.

Related Download
Moving from the back office to the front lines: CIO insights from the Global C-suite Study Sponsor: IBM Canada Ltd
Moving from the back office to the front lines: CIO insights from the Global C-suite Study
This report from IBM’s Institute for Business Value summarizes the results of more than 4,000 interviews with C-suite executives worldwide about the changing role of technology and the Chief Information Officer (CIO).
Register Now
Share on LinkedIn Share with Google+ Comment on this article