2. Spell it out
Whatever your BYOD policy is, you should define it in a written document. Employees should be required to read and accept the terms of the BYOD policy before receiving permission to use a personal device for work purposes.
BYOD is still a nascent concept, and organizations are just beginning to deal with the repercussions that result from IT and employees misunderstanding the rules of engagement. Take the plight of Amanda Stanton, who in 2010 learned the hard way that her company had the power to remotely wipe and reset her iPhone, which she had purchased and managed herself.
Any smart BYOD policy should spell out crucial details such as how much access or control the organization expects to have over an employee-owned device. Will an app, agent, or profile be required for the company to deploy and manage policies on the device? How much power will the company have to lock the device or wipe data from it? Under what circumstances will the device be wiped, and will the company wipe only its own data and apps (a selective wipe) or reset the entire device, personal photos and contacts included, as happened in the Stanton case?
All of these questions need to be considered and resolved, and the answers should be shared with employees before BYOD hardware enters the workplace.
3. Who owns the data?
Issues surrounding data ownership become complicated once BYOD enters as a variable. It’s easy to make the case that the person who owns a device should have authority over the data it contains. On the other hand, a company can’t surrender ownership of proprietary data just because it allows an employee to access or store that data on a personal smartphone or tablet.
Take the case of Larry Sitton, who in 2011 sued his former employer in Georgia after discovering that the CEO of his old company had gone into his office and accessed a personal email account on his personal laptop, which he had been using in a BYOD capacity. Sitton argued that his former employer, a printing company with some 120 employees, had crossed a line and that the act was an invasion of privacy. The court, however, ruled that the company was entitled to access the computer because it was being used for company business under a BYOD arrangement.
To reduce the chance of such disputes, one approach is to segregate data into separate silos: Keep personal data sequestered in personal directories and apps, and keep company data in company-managed containers. Don't let personal and company data mix, and define in the BYOD policy when, how, and by whom company data on employee-owned devices may be accessed.
This approach might work, but Rod Beckstrom, vice chairman of the Global Agenda Council on the Future of the Internet, World Economic Forum, expressed a more ominous view during the RSA conference's BYOD panel discussion. Beckstrom suggests that under various legal and compliance mandates, an organization may not legally be able to segregate data, or guarantee that personal data will be protected. As a corollary, if a company is ever required to surrender data under legal discovery, the personal data on a BYOD device may be forced into play—formal BYOD agreements between employers and employees notwithstanding.
Another problem is that once company data has landed on a modern BYOD device, it is exceptionally difficult to control where it goes. For example, if an employee has company data on a personal iPhone, and that data is backed up to iCloud, wiping the device is no longer sufficient to protect that data; a copy survives in the backup, and the same applies to any other sync or backup service the employee has enabled. It is difficult, if not impossible, to know which servers or devices are storing company data. So, if you are in charge of data security, you need to consider all the various places data might end up once it leaves the servers over which you actually exert control, and restrict those paths on the device where the platform allows it. You should also limit the data that employees can access (and therefore store) to information you are willing to set free in the wild.
4. What happens when it breaks?
One last thing to consider is who handles troubleshooting and support for employee-owned devices. For employers, one of the perceived benefits of BYOD is offloading the burden of hardware and software support, and letting employees work directly with device vendors and wireless providers to fix problems.
That sounds good at face value, but if the productivity of your employees is tied to the functionality of their personal smartphones and tablets, and those devices are having issues, that has a direct negative impact on your business. Admittedly, device vendors and wireless providers are often the best choices for troubleshooting and support, and should be the first line of support. But you still need a Plan B.
You should work with employees to establish expectations for addressing BYOD support issues. How long is it acceptable for a device to be inoperable? Will the company take any role in facilitating or managing the support process? If the device is out of warranty, will the employee be expected to pay for service out of pocket, or will the company subsidize the necessary repairs? What happens if the device is beyond repair, and the employee can’t afford to replace it—or simply chooses not to?
One thing is clear when it comes to BYOD: Nothing is ever really clear. BYOD means different things to different people. Allowing an entry-level employee to access company email from a smartphone poses a different level of risk than allowing a company executive to store intellectual property on a personal laptop.
The bottom line, though, is that BYOD is here to stay. The question isn’t BYOD or no BYOD. The question that organizations must consider is whether they want to embrace BYOD as a strategic opportunity, or to allow BYOD to happen to them with no well-considered management plan.