Just a few years ago, there was a clear divide between employer-owned, work-related devices and user-owned personal devices. But as more and more employees bring their own notebooks, tablets and smartphones for work and for personal purposes, that divide is shrinking and in some cases, shattering.
According to a 2013 study by Gartner, approximately 33 percent of companies currently have bring your own device (BYOD) policies in place for smartphones, while 47 percent have BYOD policies regarding tablets. While these numbers may seem somewhat conservative, Gartner predicts that 38 percent of organizations will abolish employer-furnished devices entirely by 2016, while only 15 percent will avoid BYOD.
By allowing employees to invest their own resources in the devices and/or platforms of their choice, BYOD offers potential cost savings for an organization and promotes more efficient and readily available employees. However, BYOD poses significant challenges to an organization. Many IT departments, legal teams and compliance officers are struggling to find a balance between the needs and desires of individual employees, and the regulatory and organizational information governance requirements.
Increasingly Mobile, Increasingly Complex
The bevy of unique challenges posed by BYOD stem from mobile devices like smartphones and tablet computers. Although these devices were once considered inferior to the personal computer (PC) for content creation, exponential growth in technical specifications and a widely expanding universe of applications make these mobile devices formidable options to replace the PC. The numbers back this up: 968 million smartphones and 195 million tablets were sold in 2013, and Gartner predicts that tablets will outsell PCs as early as 2017.
BYOD represents a monumental shift from existing practices for data security, device management and information ownership. On the data security front, IT executives are primarily concerned about the increased risk of a breach. The increased number of connected devices -- and the greater variety of operating systems connected -- makes it much more difficult to monitor who is accessing which network and what they are looking at.
Another major concern lies in the sheer number of devices leaving the workplace regularly. A single device can contain thousands, if not millions, of confidential records. The rising cost of a data breach poses a pricey risk in the event that a mobile device containing sensitive corporate data is lost or stolen.
The BYOD trend does not easily mix with existing information governance policies. For highly regulated organizations, the threat of an audit is always looming, and failure to comply often proves expensive. Personal mobile devices prove particularly problematic due to the amount of personal and corporate data that is mixed on these devices. Ensuring that the individual understands the duty to preserve corporate data can prove difficult, and separating personal and corporate data is no easy task.
Similar issues arise for organizations facing litigation, and many questions remain largely unresolved. From a discovery standpoint, the issues revolve around collecting, preserving and producing the electronically stored information (ESI) contained on these devices. There are numerous open- and closed-source mobile operating systems on the market right now, and each operating system requires a different collection and forensics tool. Additionally, as new apps are developed on a daily basis, the variety and volume of data contained on these devices poses numerous collection challenges.
Obligations to preserve, collect, search and produce information from these devices are similarly opaque. The ultimate question arises from Federal Rule of Civil Procedure 34, which requires that a party produce ESI in its “possession, custody or control.”
The amount of case law interpreting this standard with regard to mobile devices is limited, and the results have varied by circuit: some courts have interpreted “control” more broadly, finding that an organization has control when it has the authority or practical ability to obtain the document. Others only find that an organization has “control” when it is in physical possession of the information. Although this is a somewhat opaque area of the law, the growth of BYOD promises that courts will resolve these issues sooner rather than later.
Failing to Plan is Planning to Fail
There's no escaping the number of personally owned mobile devices used in the workplace. Some organizations may stand firm on banning this trend entirely, but those efforts will likely prove futile: in an October 2013 survey released by Fortinet, 51 percent of employees said that they would ignore any policy banning the use of personal devices in the workplace.
Alternatively, organizations should not wholly ignore the BYOD trend with a “wait and see” approach. The most appropriate response likely lies at the policy level, and organizations should craft proactive, flexible and widely disseminated policies governing the use of mobile devices in the workplace. Here are some of the key considerations for crafting such a policy:
- Understand Regulatory Requirements. Stringent requirements for data security and preservation apply to both corporate- and employee-owned devices. Companies need to work with employees to ensure that all devices, both personal and professional, meet regulatory standards.
- Create, update and disseminate a proactive policy. Policies should clearly define acceptable conduct for an employee on a mobile device. While “acceptable conduct” might vary by organization, there should be clear rules about the use of social media, and the use of unsecured wireless networks, among others.
- Keep personal and professional data distinct. Ensure that employees understand the distinction between personal and professional information on these devices, and clearly articulate policies for preserving corporate information.
Finally, it is important to note that there is no “one size fits all” policy that effectively mitigates the challenges posed by BYOD. Needs vary by organization, and policies should work in harmony with existing corporate policies. Whether your organization is starting from scratch or revising an existing approach to BYOD, proactive planning is the key to staying ahead of the daunting challenges it poses.