#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey.
Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the end users. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated.
Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Liability.
In addition to IT, an organization's Legal department needs to be involved with any BYOD policy creation to make sure the liability risk for both the user and company is contained and managed. While employees are an organization's greatest asset (other than Intellectual Property, potentially), they are often the culprits of data exposure, intentional or not. Organizations need to consider employee actions and the corresponding liability. If the employee owns the device, does the liability increase or decrease? Even if liability stays neutral, the overall business risk increases any time corporate data is accessed from personal employee devices, mobile or not.
What happens if personal data on a personal Smartphone is damaged? What happens if it's remotely wiped by corporate IT, if it is lost? These are some areas that must be resolved with the BYOD policy. Some organizations are very clear about lost/stolen policy and users have the choice of opting out. That's just the personal liability.
From a financial liability standpoint, what happens when monthly charges are reimbursed? Often, financial responsibility may dictate legal obligation.
A recent Ponemon Institute and Websense survey showed that mobile devices can be a double-edge sword for enterprises. 77% of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, Smartphone, and tablets while 51% said their organization has experienced a data breach due to insecure devices.
As part of the BYOD Policy the Liability Checklist, while not inclusive, should:
· Define baseline security requirements
· Assess liability of personal web and app usage
· Evaluate legal ramifications of reimbursement
· Quantify the costs of monitoring and enforcement
· Assess the risk and liability of damaging personal data
There are probably a ton more Liability questions that should be answered but this was intended as a starting point. What other areas should legal be concerned about?