Bring your own device (BYOD) is a growing trend fueled by employees who prefer to use their own products rather than the company’s, and by those who don’t want to carry two separate devices. Employers, for their part, are happy to avoid the capital cost of the devices, and sometimes also the monthly recurring usage costs.
Each of these motivators can represent real benefits for both employer and employee, but there are real risks, too.
Many devices, such as laptops, smartphones, and tablets, provide optimal functionality and utility when they’re configured to synchronize information like email, contacts, and calendar entries, and sometimes data files, with the corporate network. This synchronization enables the employee to be productive on behalf of the company, whenever and wherever he or she may be. But it also means that if an employee’s relationship with the company is severed, that same valuable and sometimes sensitive corporate data is now on an employee-owned device, and the company may or may not have the ability (legal or technical) to delete information from the employee’s device.
For example, I worked with a law firm that fired its administrator, who had been using her own personal BlackBerry for remote access to email, calendar, and contacts. After the termination, the firm was unable to delete any of its data from the administrator’s BlackBerry, because no policy was in place before the termination granting them permission to wipe data from employees’ devices, and the administrator refused to grant them access after the termination. Detailed contact information and email exchanges with the firm’s clients were now in the hands of a non-employee of the firm, representing at the very least a compromise of the firm’s clients’ confidentiality, and possibly a breach of the law firm’s ethical responsibility.
At another firm I represented, a senior executive resigned to work for a competitor. His iPhone contained contact information for the company’s clients and prospects that had been permitted to synchronize with the company’s Exchange server. His iPhone also contained personal contacts, music, photos, etc. The outgoing executive wouldn’t allow the company to reclaim or wipe his device upon termination, and no policy existed that permitted the company to do so.
To avoid such problems, companies should establish and enforce policies surrounding the use of PDAs, whether company- or employee-owned, addressing the following:
1. Data Security
The policy should specify what corporate data is permitted to be stored on the device—e.g., proposals, unreleased product announcements, trade secrets—and under what terms. While it may be acceptable to temporarily copy documents needed for a meeting onto the device, it should also be stipulated that the documents must be removed from the device once the portability of the information is no longer required. The company should further require that devices be password-protected, antivirus protected, and encrypted before any sensitive information can be stored on them.
2. Data Protection
If work product is being created on the device, the employer should specify the employees’ requirements for backing up the data.
3. Integrity of Data
Are there any applications that might be installed on the device that compromise the integrity of the data, i.e., file-sharing apps, possible malware- or virus-infected apps, etc.? Is anti-malware protection specified by policy? If not, it should be.
4. Physical Security of the Device
As much as an employee may not want to lose his or her device, once corporate data is on it, the risk of compromised confidentiality resulting from loss or theft becomes a company consideration. Requirements should be established regarding physical safeguards for devices, such as stipulating that devices are not to be left unattended in hotel rooms.
5. Ownership of the Data
Policies should make clear what data on the device belongs to and should remain the property of the company even if the employee’s relationship with the company ends.
6. Rights to Delete the Data
Policies must explicitly grant the company the right to wipe out corporate data on the device, even if this entails wiping out the entire device, including the employee’s personal data. Our firm has seen one situation where the employer tempered this a bit (based on the nature of the data the employees accessed and subject to all of the other above policy considerations), allowing employees to sign a Certificate of Data Destruction (attesting that the employee has to the best of his or her knowledge and ability deleted all corporate data) whereby their devices would not be erased.
Dave Rosenbaum is president of Real-Time Computer Services (RCS), a technology consulting firm focused on meeting the needs of small and midsized businesses.