The regulatory and practice implications of BYOD
Bring Your Own Device or BYOD is not a new concept. It could be argued that as a practice it has been around since mobile phones and computer technologies were first invented. However, as a practice with a unique name – and growing band of adherents – BYOD has probably been around for about eight years.
Wikipedia states that the term BYOD – or BYOT (bring your own technology) – first entered common use in 2009 when Intel first recognised an increasing tendency among its employees to bring their own smartphones, tablets and laptop computers to work and connect them to the corporate network. It was not until 2011, however, that the term – and the practice – really took off with many businesses starting actively to encourage their employees to adopt the policy.
Despite its growing prevalence, however, many organisations have concerns over BYOD and the implications it can have for those who handle sensitive information or the personal data of others. Nowhere is this more the case than in the legal sector.
In this article, we will take a look at BYOD, at the advantages and disadvantages of implementing the practice, at the risks that exist and finally at some of the steps and safeguards that firms need to consider when implementing it within their own practice – including the need for a robust BYOD policy.
What is BYOD?
The term BYOD refers specifically to the practice not only of allowing partners, directors, employees and others associated with the firm to use their own digital devices (for example laptops, tablets, and smart phones) in the workplace, but also to permit them, and even encourage them, to use those devices to access client and firm information and applications. The phenomenon is commonly referred to as IT consumerization.
Over the past few years, BYOD has become prevalent in the business and legal world. According to a Microsoft study undertaken in 2012[i], 67% of workers were using their personal devices in the workplace in some form, whilst a more recent survey carried out by Tenable and LinkedIn[ii] has revealed that 72% of companies had reached the stage where BYOD was available to all (40%) or some (32%) of their employees. Leading information technology research and advisory company, Gartner, has predicted that by 2018 the number of devices owned by employees but being used for work will be twice as high as that of business-owned devices.
Thus, in ten years the situation has gone from one where employers discouraged the use of an employee’s own device to one where they are actively being encouraged to bring in and use those devices in preference to devices provided by the employer. Indeed, research shows that about 40% of organisations now rely exclusively on some form of BYOD practices as opposed to providing employees with company-purchased devices.
The Advantages of BYOD
So why has there been this shift in attitude? What are the advantages that companies feel that BYOD brings?
For many businesses, BYOD is seen as bringing:
- increased autonomy,
- enhanced employee job satisfaction,
- an increase in the overall morale of staff,
- increased job efficiency,
- increased flexibility,
- increased productivity,
- a reduction in technology costs,
- the ability to allow staff to use technology where otherwise it would have been uneconomic to do so,
- the ability to allow staff to use technology with which they are familiar,
- an increase in employee mobility, and
- reductions in general overheads – for example the cost of office space as employees can work from home or other locations,
Thus, the implementation of a BYOD plan means that firms do not have to purchase significant numbers of potentially costly devices that many of their employees will already own, won’t have to train employees in how to use devices with which they are unfamiliar – for example, IOS users will not have to learn Android methods – and breakages and wastages are likely to be reduced since staff are more likely to take better care of their own devices than they would a device owned by the company and the company will not have so large a device servicing bill.
From the employee’s point of view there are benefits too:
- no need to learn new technology,
- no requirement to carry several devices so as to be able to address personal and work needs, as the one device will fulfil both,
- the ability to work from wherever is convenient and has data access,
- no need to abide by the usual strict rules that can often apply to those using company property,
- possibility that the company will pay for upgrades to hardware and applications, and
- possibility that there will be tax or expenses incentives.
However, as with most things in life, advantages come with corresponding disadvantages and with BYOD these can be significant if not managed correctly – especially in relation to the law firm.
The risks associated with a BYOD plan are wide ranging and those responsible within a business for IT and data control must, at the outset, ensure that those risks are addressed and that processes and plan are in place to address them. Those risks include:
- Technology and practical risks that come from the need to support potentially many different types and makes of devices. For example, because staff are not using one type of device, the IT department will need to support many different types of devices and operating systems and will need to ensure that those devices are able to interact with other systems in the business in an effective way.
- The lack of control over what any given device contains – making it very difficult to enforce security.
- The risk that employees will be distracted by games and social applications when they should be working. Whilst it would be easy to ensure that employees do not download games or other entertainment applications on to a work computer, this will not be the case with the employees own device which will inevitably contain personal applications and games that the employee uses in their own time.
- Technology costs. Although these were cited as being a benefit of a BYOD policy, technology costs can also be a disadvantage, especially if the business has to adapt existing software, hardware, processes and policies in order to accommodate a profusion of different devices used by employees. Simply trying to implement guidelines and security for the devices could ultimately cost a business more than it would have spent had it provided secure and common devices.
- Staff resentment at having to pay for a provide the device that they use for their work
- Security risks. A BYOD policy increases the risk of having a security breach of important data because there is an increased possibility that sensitive information could be left unsecured.
- The need for robust password, confidentiality, usage, sharing and data storage policies.
- The need to consider secure areas of the device for sensitive data.
- The need for there to be some means by which lost devices can be disabled or have their data wiped remotely.
- The need to be aware of licensing issues to make sure the firm has enough licences for all the BYOD devices used. Bear in mind that some software or applications that an employee has on their device may be for personal, not business use or that business licences can only be installed on equipment owned by the business.
- Being aware of other legal issues – for example, who would be liable if a device used both in work and at home was also used for illegal downloading.
- Employees leaving the business. If the employee leaves the business but retains the device they have used whilst employed there, it becomes harder for the business to ensure that the employee is not leaving with sensitive or confidential information.
Furthermore, there are likely to be disadvantages so far as the employee is concerned. For example, there is the question of cost. Not all employees will necessarily have access to suitable devices and even if they do, there may be insufficient capacity on the device to accommodate work and personal applications and data. There is a danger, therefore, that the employee will feel aggrieved at having to supply or upgrade their own device in order to carry out their work, and increased use – and therefore increased exposure to damage or deterioration – could also contribute to the costs incurred by the employee.
From the perspective of the law firm, some of the main disadvantages of a BYOD policy could lie in the area of regulation and law.
So far as regulation is concerned, solicitors are under a duty to ensure that they act in the best interests of each client (Principle 4 of SRA Principles 2011), provide a proper standard of service to their clients (Principle 5), comply with your legal and regulatory obligations (Principle 7) and run their business or carry out their role in the business effectively and in accordance with proper governance and sound financial and risk management principles (Principle 8).
This means that they must be able to:
- have control over the information they hold about clients,
- know how that information is used, who has access to it and where,
- know how the client is contacted,
- be aware of and be able to control the risks associated with the holding of data, and
- know that everyone associated with the firm is abiding by these Principles.
The difficulty with a BYOD policy in the firm is that, unless it is strictly managed then the firm cannot know at all times how data is being used, who has access to it and whether it is secure. Further problems can arise where devices are set up to record and promulgate the user’s current physical location – which in some cases could compromise clients – or where devices automatically upload data to a location independent of the device, for example an insecure cloud-based location.
There are, in addition, specific requirements placed upon solicitors and their firms by the Code of Conduct which could impact upon BYOD policies. These include:
- provide services to clients in a manner which protects their interests in their matter – Outcome O (1.2)
- keep the affairs of clients confidential – Outcome O (4.1)
- have effective systems and controls in place to enable risks to client confidentiality to be identified and to mitigate those risks – Outcome O(4.5)
- have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook – Outcome O(7.2)
- identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook and take steps to address issues identified – Outcome O(7.3),
- comply with legislation applicable to their business, including data protection legislation – Outcome O(7.5), and
- have a system for supervising clients’matters, to include the regular checking of the quality of work by suitably competent and experienced people – Outcome O(7.8).
Thus, firms must be able to ensure, for example that data is being guarded adequately, that devices are not being lost or misplaced, that if work is being conducted using personal devices that it is being undertaken in a competent manner that addresses the needs of the client, that the person undertaking the work is abiding by all relevant legislation and that those responsible for checking and overseeing work are able to do so. This later may, in particular, be difficult if emails and text messages are being sent from personal devices.
One of the main concerns raised by the Code of Conduct in relation to BYOD is that of confidentiality and the protection of data. The Code of Conduct is clear that there is a duty upon both individuals and the managers of firms to ensure that confidentiality is not breached and that all information that is relevant to clients is kept secure and confidential
In addition to the regulatory implications of the Code of Conduct, solicitors are, like all other businesses, subject to the data protection provisions of the Data protection Act 1998 which provides, for example, that appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.
Steps firms should consider
The solution, therefore, lies in managing how BYOD policies are operated within firms and by ensuring that proper consideration is given to the risks of implementing a BYOD policy and the methods for mitigating, if not preventing, those risks.
At the heart of BYOD is the fact that the device that is used by the employee is owned, maintained and supported primarily by that user. The effect of this is that those responsible for the management of the firm – and hence the control of any data used by those within the firm – will have significantly less control over the device, and hence the data upon it, than they would have had if the employee had been using a device owned and provided by the firm. This is a problem likely to be exacerbated by the fact that the persons or persons responsible for the control of client information and data security may well a large number and a wide range of devices for which they are responsible. Thus, the employee could be using their own home computer, laptop, tablet, mobile phone, smartwatch or even games console to access data relevant to clients.
If those responsible for the management of the firm are to be able to control the use of devices and access to, and security of, data and the service provided to clients then it is essential that they assess:
- the type of data which is being held,
- where that data is stored,
- who has “official” access to the data,
- who might get “unofficial” access to the data – for example spouses, partners, family members and friends,
- how any data is transferred – for example the use of encryption ,
- the potential for data to be leaked or become accessible to third parties,
- the implications of the blurring of personal and business use of a device,
- the security capabilities of the device and whether these need to be increased,
- what should happen if the device is lost, misplaced or stolen,
- what contingences exist if the device fails at a critical time,
- what should happen if employee leaves the firm’s employment,
- how supervises in the firm are to access the content of the device for file review purposes,
- how staff should be trained in the safe use of devices so as to avoid data breaches,
- the extent to which training is required in relation to social media, internet usage, content and tone of emails, passwords, cyber security and fraud,
- how the firm is to be alerted if problems arise in the use of the device or the matter being dealt with using the device,
- the potential for the device to be used indirectly (for example an insecure app giving the users location) to prejudice the client, and
- the compatibility of the device with other systems operated by the firm.
Having undertaken that assessment they need to consider the practical aspects of BYOD and, in particular, need to ensure that requirements and restrictions are transparent and easy to understand.
This could include:
- defining a list of permitted devices and the applications those devices are allowed to run,
- ensuring that the firm has the technological capability in order to ensure that multiple devices can be supported by the firm’s systems,
- deciding whether employees are to be reimbursed for devices and applications used,
- creating and notifying to employees the firm’s Wi-Fi access policy,
- defining and notifying employees of anti-virus software options, lock-screen and password requirements,
- investigating and, where appropriate, implementing secure data stores,
- clarifying data confidentiality responsibilities,
- defining what is to happen to devices and data where employees are dismissed or resign,
- defining what is to happen if a device is lost or stolen,
- reducing the practical usage aspects into a clear BYOD policy and ensure that all employees understand that policy,
- undertaking training where necessary as to the various aspects of the policy,
- ensuring that employees understand the possibility of theft or unauthorized access due to an unsecured network (for example in public areas such as coffee shops, trains and gyms),
- ensuring that employees understand the implications of using devices for personal and business use (for example not downloading the apps and games without checking as to whether this puts at risk confidential data),
- putting in place a system for checking what is on devices and getting the employees agreement to those checks,
- ensuring that if possible a remote device management process is in place – especially one designed to wipe sensitive data in the event that the device is lost or stolen,
- setting up additional secure cloud storage for data so as to reduce or eliminate the need for sensitive data to be stored on devices,
- looking into encryption of data and communications.
Finally, having looked at all of these aspects the firm needs to implement the process. It is suggested that a pilot project is launched first, possibly comprising those most committed to the idea and possibly bringing in individuals from the various stakeholder groups within the firm. Once this is up and running and any problems have been eradicated, the project can be rolled out to others within the firm.
The need for a policy
Alongside the rollout of the BYOD project, the firm will need to implement a BYOD policy, communicate this to partners, members and employees and ensure that, where necessary, training is given.
A BYOD policy does not have to be complicated – indeed the simpler it can be kept the more likely it is that employees will read it and abide by its provisions – and it should be one that ensures that users and managers understand their respective responsibilities. It should also link with, and where relevant refer to, other related policies such as email use, internet use and social media use policies.
The actual contents of the policy will depend upon the unique circumstances of the practice. However, the following are likely to be component parts;
- Acceptable Use
- Define what is acceptable business use – essentially those activities that directly or indirectly support the business of the firm,
- Define what is acceptable personal use – especially during company time where firms may wish to limit use to urgent emails and exclude social media, games and personal communication not of an urgent nature,
- Define which websites/applications are not to be accessed during work hours or while connected to the firm’s network,
- Decide and then define whether cameras and/or video recorders are to be disabled whilst in the workplace,
- Define what the employee may not use the device for at any time – for example the storage of illicit materials or proprietary information, harassing others, engaging in outside business activities, discussing the affairs of clients with others etc.,
- Define which apps may and may not be used – either in the workplace when connected to the firm’s network or generally wherever the employee is,
- Make it clear that the device must not be used whilst driving unless in hands-free mode, and
- Place an onus upon the employee not to use the device in any other way that could, directly or indirectly, lead to the disclosure of confidential client or firm data.
- The devices
- List those devices that are allowed including, where necessary, details of operating systems,
- Provide details of who within the firm is responsible for approving and here necessary, maintaining, the devices,
- Provide details of the circumstances in which the devices can be checked and by whom – including in relation to case/client/matter management and supervision,
- Provide guidance on any secure storage, what data may be stored on the device and what must be stored on secure storage,
- Provide information and guidance on the correct use of passwords and have a firm policy only to permit strong passwords. Firms may wish to have a separate password policy so as to ensure that security is observed in relation to all data.
- Set maximum times which the device may remain idle without locking and abortive login attempt limits
- Forbid the use of rooted or jailbroken devices on the firm’s network
- Forbid the use of unapproved devices on the firm’s network
- Ensure that employees are unable to download forbidden apps and that they are aware of the prohibition
- Ensure that the firm can, and that the employee is aware that the firm can, remotely wipe the device if it is lost or stolen, if the employee leaves the firm, a virus or similar threat is detected or there is a breach of any of the firm’s data policies.
- Liabilities & Disclaimers
- Make it clear that it is the duty of the employee to backup and keep safe personal data, even in circumstances where the firm has been forced to wipe the device
- Set out procedures and contact points for notifications of loss or theft of phone, data breach or other issues
- Reserve the right to disconnect the device or disable services at the discretion of the firm
- Reserve the right to wipe the device in the event of loss, theft, breach etc.,
- Stress the duty upon the employee to use the device in a business-like, ethical and regulatory compliant manner,
- Deal with issues relating to the cost of the phone and any related services – for example, the extent of any reimbursement, the responsibility for replacement, the responsibility for upgrading and the costs of repair,
- Ensure that the employee takes full responsibility for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable,
- Ensure that the firm reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.
To conclude, therefore, it is clear that BYOD policies and practices are here to stay – at least for the foreseeable future – and that firms should embrace them in a positive and proactive way rather than trying to resist them.
Yes, they do present challenges to those tasked with the job of managing data, confidentiality and device use within a firm. However, as a way of reducing costs, increasing efficiency and empowering staff they do seem, at least for now, to be a satisfactory way forward.