A multi-national financial institution has decided to implement a Bring Your Own Device (or BYOD) program due to increasing demand from business personnel and a desire to reduce IT costs. The General Counsel’s Office is asked whether there are any legal, regulatory or compliance risks that the organization needs to consider when implementing a BYOD program and developing the policies and procedures governing BYOD.
What is BYOD?
BYOD refers to the policy of allowing employees to use their personal mobile devices to access their employer’s information systems and applications for business purposes. In recent years, there has been a fundamental shift in the way people understand and interact with electronic information. First, the ability of employees to access information at any time and from any location has become essential to most business operations. Second, the technology used to access that information has become a matter of personal choice; no longer are employees satisfied with acquiescing to their employer’s choice of technology (i.e., BlackBerrys). Instead, employees expect to be able to work with the device of their choice and dislike the inconvenience of maintaining two separate mobile devices for business and personal use. And not only are employers largely powerless to stem the tide of this trend, but many employers appreciate the cost savings and flexibility that a BYOD program brings to the organization.
The Risks of BYOD
As with any technology, there are risks associated with implementing a BYOD program. There are legal risks, such as the ability to access information responsive to document requests for preservation or production. There are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements. There are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization’s networks. There are data privacy risks associated with the mix of personal information with business information on one device. The question for any organization is how to best mitigate and balance these risks in light of the business demand for BYOD flexibility.
BYOD represents a significant change in the way organizations manage the risks associated with information governance. Traditionally, an organization’s approach was to centralize the storage and retention of that information so that the organization had ultimate control over its distribution, management and retention. BYOD, however, undermines that basic approach. Organizations are now dealing with de-centralized data sources where the organization has little operational control over storage, management and retention. Instead, many organizations find themselves almost entirely dependent on policies and their employees’ compliance with such policies to manage the considerable risks associated with electronic data.
Consider the use of text messaging in a BYOD program. With an organization-owned device, the organization has the option of centralizing control of its employees’ text messaging by disabling text or instant messaging capabilities on the device or capturing such messages for business purposes on the organization’s centralized infrastructure. With a BYOD program, however, an organization loses its ability to easily block or capture business-related text messages and is forced to rely more heavily on employee participation and compliance with policies to manage risk.
It is important to note that while BYOD programs are a relatively new trend, organizations have been managing similar risks by relying on employee compliance with policy for many years. Personal home computers also allow remote access to an organization’s network, and organizations rely on employees to abide by policies against downloading or creating business records on those personal home computers. Organizations also rely on employee compliance with policy in addressing the risks of business being conducted on personal email or personal social media sites. There may be heightened risks associated with BYOD programs, arising primarily from the portable nature of those devices, the frequency with which such devices are used, and the potential volume of data transmitted to or from those devices, but the risk mitigation strategies associated with BYOD programs are not new to the business enterprise.
Tips for Managing the Risks of BYOD
Because an employee’s use of his or her personal device is largely outside of the employer’s control, critical components of any BYOD program include a clear, concise policy that is developed with the input of all the relevant stakeholders, together with audit procedures that validate and ensure compliance with that policy. When developing and implementing those policies and procedures, there are a number of issues the organization may want to consider.
For inquiries related to this Tip of the Month, please contact Anthony J. Diana at or Therese Craparo at .
Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at , Eric Evans at , Michael Lackey at or Edmund Sautter at .