EXPANDED – BYOD: Where the Employee and the Enterprise Intersect

Benesch

BYOD Yesterday And Today

The proliferation of bring your own device programs – or “BYOD,” as it is commonly known – has drastically changed today’s corporate workplace environment. Employees are availing themselves of smartphones, tablets, and other personal handheld devices to perform the duties of their employment. With more prevalent use of personal devices for work-related activity, “an organization must think beyond technological challenges; it must address business policies, management processes and governance as well.”[1]

Bring your own device is a more recent concept and a growing trend for businesses. BYOD is a general term for policies that allow employees to engage in work-related activities from their personal devices – using smartphones, laptops, and tablets to access internal corporate resources – also called “the consumerization of IT”.[2] BYOD is a broad concept that also encompasses corporate use of social networking, multimedia and collaboration tools (e.g., Facebook, Twitter, LinkedIn, etc.) that can benefit companies from a sales and marketing perspective as well as for internal collaboration, but which need to be carefully managed to enable employee productivity and corporate confidentiality.[3]

The concept of BYOD broadens further with the introduction of cloud services and other web tools used by businesses today. The shortcomings of technology which made BYOD unrealistic a few years ago have given way to broad popularity and use of these tools.

These tools include:

1. Web: Today’s web is the singular way to access any application – business, financial, customer support, sales or technology.

2. Wireless: No matter where you are or what device you’re using, you have access to the back office infrastructure through extensive Wi-Fi networks.

3. Mobile Devices: Device form factors have become more sophisticated, cheaper and more portable, with more robust memory and battery life.[4]

BYOD provides a flexible work environment, along with a number of other benefits. These benefits, however, do not come without drawbacks. But these drawbacks have not stopped companies from converting to BYOD. According to a survey done by Cisco in 2012, 95% of the 600 companies surveyed permitted use of personal devices for work.[5]

As an indication of the scale of opportunity in BYOD, in Canada, there were 17,350,000 subscriptions for mobile devices in 2012, and it is expected that over 1 billion tablets worldwide will be sold by 2016.[6] The ubiquity of personal devices means that there are opportunities of which to take advantage. For example, Dell conducted a survey and found that companies with BYOD programs have realized a 74% productivity increase.[7] It would behoove companies to take advantage of BYOD for the increased production alone.

A good example of a company that has taken advantage of BYOD is Intel. Intel has been a leader in BYOD implementation and innovation since it jumped out in front of the pack in 2008 and became one of the first major companies to allow its employees to use their own devices at work.[8] The impetus for Intel’s proactivity was its employees’ desire to use their personally purchased devices for work.[9] As a result, Intel has reaped the benefits of introducing BYOD to its workplace. Intel’s employees report savings of 57 minutes every day because of the program, which yields an annual productivity gain of five million hours.[10] Intel embraced BYOD at a time when the trend was still in its infancy. “BYOD” began to garner much more recognition when software companies Unisys and Citrix acknowledged the presence of BYOD.

Before the launch of the first iteration of the iPhone in 2007, mobile phones were mainly used for three activities: voice calls, text messages, and email.[11] The first phone with internet access, a camera, and 3G capability was launched in 2000, only 7 years before the iPhone.[12] These earlier smartphones were, for the most part, incapable of accessing corporate data.

Before the iPhone, the mobile market was dominated by Blackberry, Nokia and Motorola.[13] All of these companies attempted, with differing levels of success, to introduce a “smartphone” or a phone utilizing smart features. Blackberry was easily the most successful, with more than 10 million subscribers by 2007.[14] When it came to the business world, the standard was a Blackberry. Blackberry was so popular that there was a website called Crackberry dedicated to serving the needs of the users who found themselves inextricably linked to their device. That was until 2007, when Steve Jobs introduced the iPhone, boasting smart features such as web browsing, email, Google searching, maps and multi-touch display – a true “smartphone.”[15]

Today, the mobile phone market is considerably different than it was in 2007. iPhone and Android now reign, while Blackberry and Windows phones are seen as something of a dinosaur and are used only for security or legacy support as part of a niche industry.[16] The devices dominating the market now are far more advanced in terms of processing power, storage, multimedia capability, data and video processing, and transport speed due to network advances.[17] In addition, there are over 500,000 apps available on the iTunes and Android Market, and other application sites.[18] A number of these apps are available for employees to take advantage of. These apps give employees the ability to:

  • Access corporate databases and do real-time inquiries
  • Make business processes highly productive by eliminating paper-based, manual, or on-site requirements for dispatch, inventory management, field sales, and technical support
  • Attend real-time company video conferences
  • Leverage bigger, high resolution smartphone screens and tablets to display graphics, medical charts, presentations, video feeds, and X-rays/MRIs[19]

The ever-increasing presence of smartphones with enhanced capabilities, such as the iPhone, has necessitated the use of personal devices in the workplace. There are a number of benefits and detriments to consider when adopting a BYOD policy. The section below highlights some of the benefits that come along with BYOD.

Benefits Of BYOD

Numerous surveys delineate the benefits of allowing and encouraging BYOD. One of the more attractive benefits of adopting a BYOD policy is that it cuts costs by shifting the price of buying a device to the employee.[20] Allowing employees access to corporate resources through their own personal devices will save the organization money on high-priced devices that it would have otherwise purchased for them.[21] And because people tend to take better care of their own devices, companies save money on replacing broken or stolen company-bought devices. It makes sense that employees want to use self-selected devices instead of ones forced upon them by their employer.

Which brings about another benefit of BYOD: improved employee morale. Employees select the personal devices they carry for a reason, and that is because they desired the device enough to invest their money in it.[22] And because they desired the device, they are much happier using it than they would be an unfamiliar device forced upon them by their employer.[23] Employees want BYOD because they are happier when using applications they like and know. Increased happiness means increased efficiency and increased efficiency means increased production which means increased profits.

Employees bringing their own devices to work enhances many aspects of the workplace. For example, BYOD can reduce inefficiencies in work processes, help meet the needs of customers with the ability to respond at any time, make companies more competitive, and help to meet corporate goals more effectively.[24] BYOD programs also make employers much more attractive to prospective employees. Job seekers want to work for companies with flexible work environments where they can use their own devices. This highlights the importance of BYOD for employers as it pertains to attracting and retaining top talent in the future.[25]

The following are a few reasons why prospective employees desire BYOD:

1. BYOD allows for more flexibility in working hours.

2. Employees will be more creative.

3. Employees will use applications that are familiar to them, making their work more effective.

4. Employees will be more innovative because of the ability to collaborate and share ideas at any given moment and from any place.[26]

The Risks Of BYOD

Adopting BYOD means that security risks increase a great deal. There are a number of issues to consider when adopting BYOD because control and management of the device is no longer in the hands of the IT department. Usually when a company issues a device, that device comes with an acceptable use policy. Company-issued devices are protected by security programs installed by the company, which are managed by the IT department. An employee using their own device manages and updates their own security. The risks here are obvious:

  • Managing Security: One of the riskiest aspects of a BYOD environment is managing security. Your BYOD policy should require minimum security measures. Consider scenarios such as an employee who loses a mobile phone or laptop and puts sensitive company data in the wrong hands. Develop a process for establishing those controls before the employee is allowed to access company data. What about compliance issues? Does your business operate within an industry that must adhere to certain practices for protecting data?
  • Controlling Acceptable Use: Allowing employees to use their own personal devices means that your company has suddenly lost some levels of control over the appropriate use of the technology. Unlike a company-issued laptop or device, which comes with an acceptable use policy, it’s not exactly easy to control how someone uses a personal device. That’s why many companies are turning to BYOD policies to set reasonable expectations.
  • Retrieving Data: Your BYOD policy should also address what happens if/when an employee leaves your company. Who will discontinue their access to your company data? Do they have their own phone number? What if clients were calling that number directly? In a sales environment, this is particularly risky. Suddenly, your ex-employee may become a direct competitor with easy access to your client’s contact info and vice versa.[27]

These risks are serious because companies focus on controlling the device and not the user, which is why a strong BYOD policy should be user-centric. Why? Because the user’s use of the personal device is where the risk begins.

Implementing BYOD may not be easy, and there will be roadblocks along the way.[28] In the long run, however, the roadblocks should not stop a company from realizing the benefits of BYOD. Some roadblocks that companies face include:

1. Abuse of policies

2. Theft/loss of mobile devices

3. Lack of control of use of applications and data on devices

4. Employees leaving the company with insider knowledge/threat to our IP on personal devices

Employers must be upfront and specific about what employees can expect with regard to the privacy of their personal information.[35] When rolling out BYOD programs, employers should craft an acceptable use policy that takes into account privacy concerns, under both state and federal privacy laws.[36]

Lazette v. Kulmatycki[37] is a recent case that illuminates the problem with employer overreach into personal information. In Lazette, a Verizon employee claimed that her supervisor accessed more than 48,000 personal e-mails on her company-issued Blackberry, which she was allowed to use for personal email. The employee returned the Blackberry to the company upon her termination.[38] However, the employee’s supervisor failed to delete the personal information stored on the employee’s phone.[39]

The supervisor then accessed and disclosed the employee’s personal email messages to third parties.[40] Once the plaintiff found out about this unauthorized use, she immediately filed suit.[41] The court held that the employer was not authorized to access a former employee’s email simply because the company issued the device to the employee.[42] In other words, a company-issued device does not automatically grant the employer access to the employee’s personal e-mail. The court further held that the Stored Communications Act (SCA)[43] applied to this case. Therefore, the supervisor could be liable, and the employer may also be vicariously liable. The Lazette case illustrates the need for a strong BYOD policy that spells out the precise boundaries of what an employer will and will not do with regard to personal information.

What does this mean? It means that along with crafting a robust acceptable use policy, organizations should examine current BYOD policies to ensure that employees are given clear and precise notice, as the court stated in Lazette. Next, organizations should have clear-cut policies describing the times when access to personal information might be appropriate. Last, organizations should otherwise restrict access to employees’ personal information to instances where informed consent has been given.

The following excerpt is a fill-in-the-blank sample form of two of the most important sections of a BYOD policy: expectation of privacy and accessing services on BYOD.

Expectation of Privacy: [SAMPLE COMPANY] will respect the privacy of your personal device and will only request access to the device by technicians to implement security controls, as outlined below, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings (applicable only if user downloads company email/attachments/documents to their personal device). This differs from policy for company owned equipment/services, where employees do not have the right, nor should they have the expectation, of privacy while using company equipment or services. While access to the personal device itself is restricted, [SAMPLE COMPANY] Policy regarding the use/access of company e-mail and other company system/service remains in effect. If there are questions related to compliance with the below security requirements, the user may opt to drop out of the BYOD program versus providing the device to technicians for compliance verification.

  1. Accessing [PRODUCT NAME] (e-Mail/Calendar) Services on BYOD

  • As a default, [Company Owned Mobile Management Tool] will be enabled to perform an e-mail wipe on the phone after 10 failed password attempts;
  • If the device is lost or stolen, the user will notify the [SAMPLE COMPANY] Help Desk ([COMPANY HELPDESK PHONE] or [COMPANY HELPDESK EMAIL]) within one hour, or as soon as practical after you notice the device is missing. [SAMPLE COMPANY] will lock the device, e-mail on the device will be deleted, and [Company Owned Mobile Management Tool] services will be deactivated;
  • Users must comply with all [SAMPLE COMPANY] password policies, including use of strong passwords, password expiration (6 months), and password history (3).
  • [SAMPLE COMPANY] reserves the right to terminate company-provided [Company Owned Mobile Management Tool] services for non-use. The policy for terminating [Company Owned Mobile Management Tool] services is 30 days.[44]

Employees should be fully aware of the range of actions an employer will take to protect its data, and this should be communicated clearly through the BYOD policy. A robust BYOD policy should have the following elements: 1) require employees to follow security protocols; 2) inform employees of instances when personal information might be accessed and when it will not be; and 3) require consent to remote wipe procedures in cases of loss, theft, security breach or termination.

Another concern for BYOD policies is off-the-clock work. Providing non-exempt employees with mobile devices, or allowing them to use their personal devices for work-related email while off the clock, can bring about serious overtime issues.[45] One way to ameliorate these issues is to restrict server access after work hours.[46] Another way to solve the problem would be to limit the BYOD program to exempt employees only, thus eliminating altogether the concerns about non-exempt employees.[47]

Organizations should create a BYOD plan based on their company’s needs and goals. This policy should be clear and precise. Employers should then have their employees sign off on the policies. Lastly, organizations should continue to monitor court decisions with regard to BYOD employee privacy expectations in the workplace and continuously update BYOD policies with the ever-changing state of technology and communication devices.

Conclusion

At this point, BYOD should not be a question of “if” a company should implement it, but a question of “how” to implement a program that will succeed in cutting costs, increasing efficiency, and improving employee relations and morale. Companies should have the proper security architecture that enables them to quickly support personal devices and provide access to data without increasing risks. The successful implementation of BYOD by companies like Intel can be a model for companies without BYOD to follow.

[1] Sam Ganga, “BYOD: Six Tips for a Successful Implementation” http://www.datacenterjournal.com/it/byod-tips-successful-implementation/ (last visited March 15, 2014)

[2] Eun Byol Koh, “A Study on Security Threats and Dynamic Access Control Technology for BYOD, Smart-work Environment” available at http://www.iaeng.org/publication/IMECS2014/IMECS2014_pp634-639.pdf

[3] Kathryn Weldon, “Bring Your Own Device: How to Protect Business Information and Empower Your Employees at the Same Time” available at https://www.wireless.att.com/businesscenter/en_US/pdf/current-analysis-byod-trends1.pdf

[4] “What BYOD Means for Business” available at http://www.sophos.com/en-us/security-news-trends/whitepapers.aspx

[5] Id.

[6] Sarah Marshall, “IT Consumerization: A Case Study of BYOD in a Healthcare Setting” http://timreview.ca/article/771 (last visited May 11, 2014)

[7] Id.

[8] Ben Dipietro, “Companies Adopting BYOD, Forgetting to Enact Policies” http://blogs.wsj.com/riskandcompliance/2013/07/31/companies-adopting-byod-forgetting-policies/ (last visited May 11, 2014)

[9] Id.

[10] Id.

[11] See Kathryn Weldon, “Bring Your Own Device: How to Protect Business Information and Empower Your Employees at the Same Time” supra note 3.

[12] Michelle Maisto, “eWeek at 30: Glory Days of Nokia, Motorola, Blackberry Ended with iPhone” http://www.eweek.com/mobile/eweek-at-30-glory-days-of-nokia-motoroa-blackberry-ended-with-iphone-2.html (last visited May 10, 2014).

[13] Id.

[14] Id.

[15] Id.

[16] See Mobile” Learn from Intel’s CISO on Securing Employee-Owned Devices, supra note 11.

[17] Id.

[18] Id.

[19] Id.

[20] Joshua Burke, “Bring Your Own Device: Risks and rewards” http://www.techrepublic.com/blog/tech-decision-maker/bring-your-own-device-risks-and-rewards/7075/#. (last visited May 9, 2014).

[21] Id.

[22] Blog, “BYOD Trends vs. Mobile Enterprise platform trends” http://lazure2.wordpress.com/2013/01/21/byod-trends-vs-mobile-enterprise-platform-trends/ (last visited May 7, 2014).

[23] Id.

[24] “BYOD: Putting Users First Produces Biggest Gains, Fewest Setbacks” available at http://www.pspinfo.us/FileLibrary/Dell_DS_BYODusers.pdf

[25] Id.

[26] Id.

[27] Blog, “The Pros and Cons of BYOD (Bring Your Own Device) Workplaces” http://www.gwi.net/policy/blog/the-pros-and-cons-of-byod-bring-your-own-device/ (last visited May 6, 2014).

[28] See supra note 3.

[29] Id.

[30] Craig Galbraith, “BYOD: Employees Ignoring Heartbleed, other Security Risks” http://www.channelpartnersonline.com/news/2014/04/byod-employees-ignoring-heartbleed-other-security.aspx (last visited May 7, 2014).

[31] Id.

[32] Id.

[33] Id.

[34] Forrester Consulting, “Flexible Workforce Environments Require a Mobile Workplace Management Strategy,” November 2013, available at http://www.business.att.com/content/whitepaper/flexible_workspace_env_req_mwm_strategy.pdf

[35] Nancy M. Barnes, BYOD: balancing employee privacy concerns against employer security needs http://www.lexology.com/library/detail.aspx?g=1109490a-6895-40f0-a7a3-afc714316165 (Last visited March 15, 2014)

[36] Id.

[37] No. 3:12CV2416, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

[38] Paul Mollica, Blog. http://www.employmentlawblog.info/2013/07/lazette-v-kulmatycki-no-312cv2416-2013-wl-2455937-nd-ohio-june-5-2013.shtml (last visited March 17, 2014)

[39] Id.

[40] Id.

[41] Id.

[42] Id.

[43] 18 U.S.C. § 2701, et seq.

[44] BYOD Policy available at http://www.tsif.com/DL/Sample%20BYOD%20Policy.dotx

[45] Bridget Webb, “BYOD and Non-Exempt Employees”, March 26, 2013 http://redeapp.com/byod-and-non-exempt-employees/ (last visited March 17, 2013)

[46] Id.

[47] Id.

 

Written by:

Benesch