Christine Ing is still waiting for someone to start asking the really tough questions about bring-your-own-device policies.
As counsel with Blakes’ IT Group at the law firm’s Toronto-area practice, Ing has extensive experience in helping with transactions that involve both technology and intellectual property. This includes outsourcing, software-as-a-service and all kinds of other agreements that, if not done properly, can get IT departments and their overall organizations in trouble. She was among a group of panelists at an event I moderated at the Trump Toronto hotel on Wednesday, where she talked about the major stumbling blocks around BYOD policy development and potential liability. Suffice it to say that so far, most of the people she’s talking to have barely scratched the surface.
“It’s been pretty basic,” she said. “They’ll come to me and say, ‘We’re thinking of putting in a BYOD policy. What do you think?’ And I can answer that,” she said, laughing. “I get to feel really smart.”
Unfortunately, Ing warned the group of IT professionals at the session — which also included panelists from Avema, Zenprise and Gibraltar — too many organizations may not realize the depths they’re getting into when they begin to allow employees to start using the smartphones, tablets or laptops of their choice. And there’s no question we’ll see a lot more of this: the day before our session, market research firm Gartner released a report which called BYOD the most radical shift in corporate client computing since the introduction of the PC in the 1980s.
The pitfalls Ing said IT departments will need to navigate include:
- User authentication: Just as security experts have been preaching for years that IT departments need to do a better job of authenticating the devices they issue to employees, BYOD programs that overlook this practice will risk data loss or worse.
- Due diligence: In the days when IT managers decided which desktop model would be chosen as the basis of their enterprise fleet, they would do a thorough background check on any vulnerabilities that could put their organization in legal hot water. Now, that role may be left up to the users (who probably won’t think to do it) unless the policy dictates otherwise. And many consumer devices may have plenty of apps with security holes only an experienced IT team can fill.
- Remote wiping: With a corporate-issued machine, losing a laptop or smartphone wasn’t a huge deal because the IT department could simply eliminate its contents. A user’s own device, however, may contain a great deal of personal files, photos and other content that a company may not have the authority to throw away at will.
- Surveillance: “Even if you could have a policy that allowed you to see everything your employees are doing — which would probably be outside the bounds of what’s reasonable — ask yourself whether you really want to,” Ing said. Certain kinds of information about an employee’s outside pursuits, particularly criminal activity, could embroil the company in a legal situation it didn’t need to be in.
- eDiscovery: Most companies ignore it until it happens to them, but in many lawsuits, courts are ordering enterprises to cough up not only printed documents but e-mail messages, photos, videos and all kinds of other files. In a BYOD era, many of these may be resident on an employee’s personal device. Make sure your policy includes the ability to comply with such requests.
The Gartner report said policies must be coupled with software, infrastructure control tools and education in the short term, and cloud-based application management in the long term. It also said policies may need to evolve over time, depending on geographic considerations. Ing said there are also industry-specific considerations. In a risk-averse environment like a law firm, it’s worth taking your time and being a late adopter. Blakes, for instance, isn’t offering BYOD itself at the moment. As for other organizations across Canada, the jury may be out for a little longer yet.