Bring-your-own-device (BYOD) technologies have emerged as a popular and cost-effective means of providing mobility and flexibility to employees.
Consistent with most emerging technologies, however, there are a number of legal issues which are often not considered but which may have unintended impacts on an organisation's risk profile. Organisations need to consider the potential legal issues associated with BYOD technologies whether or not they have a formal BYOD program in place.
Learn how smart CIOs are protecting customers from security breaches
CIOs are well aware that employees have always worked out ways (and will continue to work out ways) of connecting their personal devices to work systems, which quite often involves circumventing internal security protocols. This inadvertently exposes an organisation to a potentially uncontrolled level of risk without it even being aware.
At the outset, it is important to keep in mind that BYOD programs do not, in themselves, present any new legal issues. Many of the legal challenges that are associated with BYOD technologies have existed since the adoption of mobile computing. What's new is the fact that the potential for issues to arise has increased dramatically given the widespread adoption of BYOD technologies.
While it is impossible to entirely remove any legal risk associated with BYOD programs (the very concept of allowing external devices to connect to, and interact with, a carefully managed IT system carries with it inherent dangers), there are a number of measures that organisations can adopt to limit their exposure.
Importance of policy
The most important element of any BYOD strategy in relation to minimising legal risk is to have a detailed policy that sets out the terms of the program. The purpose of the policy is to provide clarity around how the BYOD program will operate, as well as to act as the platform to allocate risk between the organisation, its employees and third parties.
The BYOD policy will generally be one element in an organisation's broader policy framework, and will sit alongside the organisation's employment policy, as well as the organisation's existing 'acceptable use' policies.
The policy needs to cover things like the type of devices that can be used by employees, access rights, support arrangements, tracking and monitoring and remote wiping. Much of the policy will not, in fact, directly address legal issues. Having a clear policy will, however, assist in reducing legal exposure.
Employees should be required to actively accept the terms of the policy prior to being entitled to connect any external device to the organisation's IT system.
Liability issues
A key benefit of adopting a BYOD program is the significant capex savings of not having to supply employees with devices for work purposes. Accordingly, in order to ensure that any savings are not outweighed by ongoing operational costs, organisations need to carefully consider how they intend to apportion liability between themselves and their employees in a number of important areas.
For example, who will take responsibility for lost or stolen devices, and who will be responsible for malware or virus attacks associated with an employee's device? There is no fixed answers to these questions under the law, and these are precisely the type of tricky operational issues that should be addressed in the policy.
Support of devices is also an issue that should be covered by the policy, and is one of the most problematic areas because of the often wildly different expectations between an employee and an organisation.
For example, most employers will want to limit the support that they provide to simply connect a personal device to the organisation's network, whereas an employee may expect that ongoing support of the device will be at the expense of the employer. Again, the position that prevails in this circumstance will be largely dependent on what is set out in the policy.
Licensing and insurance
One of the most common pitfalls of organisations implementing BYOD programs is failing to ensure that the scope of existing software licences are sufficiently broad to cover the intended breadth of the program.
Software licences often place restrictions on the type of devices from which software can be accessed and used, and it is not uncommon for the licence to limit access and use to devices owned by the organisation. This type of limitation could prevent an employee from accessing the relevant software from a personal device.
Accordingly, prior to determining which elements of the broader IT system will be made available, the organisation should carefully review the scope of its existing software licences.
Another licensing issue that needs to be taken into account is employees' rights to use applications and software that they have downloaded on their device outside of work, for work purposes. It is quite possible that the scope of their licence is only for personal non-commercial use.
This poses a risk because it may expose the organisation to a claim by a third party that the organisation has encouraged a breach of licence. The BYOD policy should make it clear that employees are not authorised to utilise software purchased or otherwise downloaded for personal use, for organisational purposes.
An organisation's appetite for risk is generally linked to the scope of its insurance coverage. Certain aspects of a BYOD program may fall outside the scope of traditional insurance policies, and it is important for the organisation to clearly understand whether its policies will cover work conducted on devices that are not directly owned or leased by the organisation.
This will be particularly important in the context of professional indemnity insurance, and will require a close examination of the definitions in the policy, as well as the extent of coverage.
Data security
One of the biggest inhibitors to organisations implementing BYOD programs is the perceived lack of data security. Two topics generally colour the legal framework in the context of data security; these are confidential information and litigation obligations, both of which are concerns for any mobility based system.
Confidentiality
The loss of a device that holds sensitive corporate information presents the greatest confidentiality risk. It is important to keep in mind that particular information might be considered to be confidential even if it is not marked as such. Information may be protected at common law if it has the necessary quality of confidence about it, and it is communicated in circumstances of confidence.
A lost device may not only expose the organisation's sensitive information, but may also potentially breach confidentiality obligations that the organisation owes to third parties.
A technical solution which significantly reduces the level of risk is to implement a 'sandbox' approach in which any organisational information is isolated and stored in a particular segment of the device that can be remotely wiped in the event that the device is lost or stolen, or the employee leaves the organisation.
Of course, any remote wipe functionality which is not carefully administered may also inadvertently wipe personal data of an employee -- it is important to highlight this risk in the BYOD policy to avoid claims for lost holiday photos arising down the track!
Certain information should potentially never be sent to or accessed by a BYO device. This is no different from any mobile device but frankly, in certain circumstances -- for example, access to particularly sensitive types of documentation or travelling to certain countries -- it may be that BYO devices and mobile devices generally should simply not be used.
Organisations should also be aware of the possibility of their sensitive information being stored offshore in the event that employees utilise services such as iCloud or Dropbox to backup elements of their device. Information could end up being stored in a country that is less secure than Australia or which is subject to broad governmental access rights (like the [ital]US Patriot Act[ital]). Whether this is a real concern for an organisation will obviously depend on the nature of the sensitivity of the relevant information.
Discovery obligations
When developing and implementing a BYOD strategy, organisations need to remember that the information stored on BYO devices may have to be discovered (ie provided to the court and the other side) if the business becomes involved in litigation. An organisation cannot object to producing particular information on the basis that it also contains personal information of an employee.
If data becomes mixed, the cost associated with sorting through that data (and removing personal information) may be prohibitive. This highlights the importance of adopting procedures to separate work and personal data at the outset, and ensuring that only work data is backed up.
---PB---
Privacy
Australia's privacy laws are currently in a transitional phase prior to the introduction of a unified set of Australian Privacy Principles (APPs) that will apply to both the private sector and the Commonwealth public sector. Privacy is particularly relevant in the context of BYO devices because an employer may be able to access and back up a variety of personal information relating to an employee and their contacts.
There are no privacy laws that specifically address BYOD technologies. However, organisations will need to comply with the APPs, which regulate things like the collection, handling, storage and disclosure of personal information.
In particular, APP 11 requires organisations to take reasonable steps to protect information it holds from misuse and loss, and from unauthorised access, modification or disclosure. Broadly speaking, organisations are also required to destroy or de-identify personal information if it is no longer needed.
Australian privacy laws (unlike most other privacy regimes around the world) contain an "employee records exemption" which essentially exempts private sector organisations from complying with the APPs where they are dealing with personal information of their employees for the purpose of the employment relationship.
While this provides some protection to organisations implementing BYOD strategies, it does not protect organisations in respect of personal information of an employee's contacts and friends which the organisation may end up backing up. Again, this highlights the importance of segregating work and personal data on an employee's device.
Surveillance and tracking
The legal landscape surrounding workplace surveillance and telecommunications interception is complex and is dictated by a variety of State and Commonwealth laws which organisations adopting BYOD strategies must be aware of and adhere to.
A key principle of the various pieces of legislation is that employees must be provided with notice of all workplace surveillance that will occur, and organisations should have in place (and make easily available) a data surveillance policy which contains certain mandatory information that is required at law. This may be relevant if an employer plans to record, for example, telephone calls and SMS messages sent or received by the employee's device.
Surveillance is also relevant in the BYOD context if an employer intends to utilise some form of tracking mechanism to monitor the location of an employee's device. For example, an employer may require an employee to install a GPS tracking application.
Again, the legal framework surrounding tracking is complex, but the key principle is that employee devices should not be tracked without the express consent of the employee -- mere notification is not sufficient.
While organisations may choose to forego the implementation of a BYOD program because of the potential legal and commercial risks, this approach is not likely to be practical in the long term given the demand for organisational mobility.
Organisational complacency poses the biggest legal risk in any BYOD related context. By carefully considering and managing an appropriate BYOD strategy, organisations can minimise their legal risk. The first (and most critical) step in this process is preparing and adopting a clear and deliberate BYOD policy.
Arvind Dixit is senior associate with law firm Corrs Chambers Westgarth.