More than 60 percent of employees say it is OK to transfer work documents to personal devices or online file-sharing apps. Given that statistic, it's no surprise that companies want to rein in BYOD. However, there may be alternative: A move to company-owned-personally-enabled devices promises to give employers greater control of mobile devices without trampling on privacy.
Let's face it, you're a thief.
At some point in your life, you swiped something from a previous employer -- business contacts, source code, staplers -- and used it for personal gain, perhaps as a sacrificial, competitive offering to your next employer or to help kick-start your own business. Fact remains, the stuff wasn't yours.
But it's so simple, you say, especially in these early days of BYOD. It's easier than ever to whip out your smartphone and record a strategic meeting, take a screen shot of a document or photo of a whiteboard, copy and paste company information contained in an email to a personal cloud storage service, shoot off untraceable text messages, and other violations of the eighth of The 10 Commandments.
With BYOD, you don't even have to employ multiple devices or stealthily use a thumb drive like the techies in the geek cult classic "Office Space," or stupidly create an electronic paper trail by forwarding corporate email to a personal email account. Rather, you can do all your pillaging from the safety and comfort of your cubicle with little chance of getting caught.
COPE Offers IT and Workers Middle Ground
Companies, though, are smartening up. While they know they can't stop the powerful current of consumer gadgets flooding the enterprise, they can slow down BYOD. They're regaining control with an emerging computing model and big-time contender to BYOD called company-owned-personally-enabled devices, or COPE. It's a hybrid that sits between free-for-all BYOD and traditional company-owned computers that forbade personal use and held zero expectations of privacy for employees.
[ Slideshow: 12 BYOD Disaster Scenarios ]
"We have seen several large companies moving to the company-owned-personally-enabled-model primarily to give the employer greater access to mobile devices without creating privacy snafus," says Larry Ponemon, founder of research firm Ponemon Institute. "This approach appears to be acceptable to data protection authorities and other privacy regulators, including those in high-risk countries such as Germany, France and other EU nations."
BYOD's meteoric rise is starting to slow down because of security concerns, thus opening the doors to COPE. Ponemon Institute surveyed 895 IT and security specialists and found that 60 percent are unsatisfied with current BYOD solutions, mostly due to cost and inadequate security.
Workers and Employers Both Wary of BYOD
A Workshare survey found that the number of employees adopting BYOD decreased from 80 percent to 62 percent, largely due to the increase in IT security and in the awareness of the dangers of BYOD.
Protecting intellectual property in the age of BYOD has become paramount for companies big and small, in every industry. Consider this startling statistic from a Symantec survey earlier this year: Half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent plan to use it in their new jobs.
The majority of the offenders don't believe this is wrong, either. Sixty-two percent of employees say it is acceptable to transfer work documents to personal devices or online file sharing apps. On the tech front, 42 percent believe a software developer has some ownership of his work and do not think it's a crime for him to reuse the source code, without permission, in projects for other companies.
It's no surprise that companies feel a need to rein in BYOD, given its supporting role as the getaway driver in intellectual property theft.
"Corporations will side step from BYOD in 2014 to the more practical use of COPE," says Bob Janssen, CTO of RES Software. "With COPE devices, organizations will have greater control and security over the devices used by employees. The device will then have the ability to be used personally and professionally, and will be able to switch between the two contexts."
COPE devices have some enormous advantages when it comes to data security, says attorney Paul Starkman, who heads the labor employment group at law firm Pedersen & Houpt in Chicago. For starters, he says, COPE acts as a deterrent -- that is, employees are less inclined to steal using a corporate-owned device.
[ Related: BYOD's Battle Royale Pits IT vs. Employee ]
Many companies also get cyber-risk insurance to protect against lost or stolen devices with sensitive information on them, such as social security numbers or customer health information, but those policies don't cover personally-owned devices. When a legal dispute arises, law enforcement will often help get the device back if it's company property, not personal property.
How Much Privacy Does COPE Imply?
COPE's biggest advantage might be in the judge's mind. An employer needs to have authorization or consent to pull data from a device, Starkman says, and it's much easier to establish that the employee has no expectation of privacy when using a corporate-owned device than a personal one. This allows companies to search a device for evidence of intellectual-property theft.
"It's a much easier sell to a judge to say, 'This is a company-owned device, and while we let them use it for personal use, we told them that whatever they do with it, they need to understand that personal activity is open to scrutiny and may be monitored,'" Starkman says.
On the other hand, COPE's greatest danger is giving a false sense of security to IT. While there may be no expectation of privacy for employees, Starkman advises companies not to go snooping into personal stuff. "You don't want to cross into password-protected personal accounts and websites and social media," he says. "COPE is not a full-proof plan."
In the case of Borchers v. Franciscan Tertiary Province of the Sacred Heart, Diane Borchers, a food service director, was issued a computer with a written policy permitting "occasional personal use." In 2007, she reported to human resources that she was being sexual harassed by her supervisor, Michael Frigo. (The follow-up internal investigation found no evidence.)
After Borchers left, Frigo directed his administrative assistant to check Borchers' computer for business-related information -- and found Borchers' personal AOL account. Borchers' emails contained everything from spiteful feelings toward co-workers to intensions to take advantage of disability benefits. Upon realizing that Frigo had seen her emails, Borchers promptly withdrew her sexual harassment claim.
Then Borchers sued in state court, alleging violations under the federal Stored Communications Act. A state judge granted summary judgment to the employer, claiming that the administrative assistant did not act with wrongful intent. But the Illinois Appellate Court revived the privacy lawsuit, citing that the administrative assistant printed out more than 30 personal emails.
"The question is, if the device is company-issued, does that somehow raise the likelihood that the employee has no expectation of privacy? That may not be the case," says Heather Egan Sussman, co-head of the global privacy group at law firm McDermott Will & Emery. "It may be that the employee, because they're allowed to do some personal activity, retained some sort of an expectation of privacy."
More and more cases concerning employee privacy and intellectual-property theft on computers and mobile devices are bubbling to the surface. Whether it's employees claiming privacy violations or employers arguing theft, companies would be in a better position with COPE rather than BYOD. But, as the Borchers case illustrates, COPE alone doesn't keep companies out of hot water.
"If you allow personal use, then you're blurring the lines," Starkman says.
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at firstname.lastname@example.org
Read more about byod in CIO's BYOD Drilldown.
This story, "IT Learns to COPE With Mobile Devices" was originally published by CIO.