The buzz at Georgetown Law’s recent Advanced eDiscovery Institute on Information Governance and Big Data (November 21-22, 2013) made it crystal clear to attending corporate C-suiters: Bring Your Own Device (BYOD) is here to stay and so are its risks.
BYOD describes the trend of companies allowing employees to use their personal smart phones, tablets and other devices to create and store business information and access company networks. Corporations have been cautiously receptive of the trend, recognizing its morale, productivity and cost-saving benefits. Whether BYOD actually saves money in the long run remains to be seen; corporate bulk buying power and resulting discounts can be lost in the shift to BYOD. Also, allowing varied devices and applications can exponentially increase the burden on corporate IT departments for backup, service and support.
BYOD also creates a host of compliance, corporate risk and data privacy issues:
Employees may connect to the internet over unsecured connections, causing data on the corporate network to be unwittingly exposed to theft, alteration and other risk.
Casual, improper disposal or loose protection of a personal device increases the risks of data theft or hacking.
As data security for protected personal information continues to evolve as an increasing regulatory concern, BYOD and its IT security challenges raise the regulatory risk profile of most companies.
Unforeseen liabilities and expenses may arise that relate to regulatory control over some types of data (e.g., protected health information under HIPAA) for business sectors in which the corporation normally does not operate.
Both the employee and the employer may claim ownership of data on a BYOD device.
A proper BYOD policy that addresses data protection and ownership issues may help mitigate these issues. Ensuring regular backup, basic security, encryption and remote-wiping capabilities will protect confidential corporate data in most circumstances.