BYOD is fraught with legal peril, audience told

Businesses face gotchas ranging from liability for personal data to overtime pay triggered by working at home, expert says at Enterprise Connect

Orlando -- Businesses worry most about security when it comes to bring-your-own-device programs, but the legal ramifications of letting employees use personal smartphones and tablets at work can be just as threatening, attendees of Enterprise Connect were told.

Michael Finneran

Michael Finneran

These issues include accidentally removing workers’ personal and potentially valuable data from the devices when legitimately purging corporate data, says Michael Finneran, principal at dBrn Associates speaking at the conference on unified communications.

+ Also on Network World: BYOD Research Center +

Even when employees agree to allow their employers to install software on their phones they may have a legitimate gripe if personal documents and photos are destroyed in what he describes as a “thermonuclear wipe.” Depending on the value of that data, companies could face liability but also legal costs dealing with the fallout.

Beyond that, since these devices may be subject at some point to legal discovery proceedings that are part of lawsuits against the employer, these employee devices could have to be turned over for inspection. This raises privacy issues about whether lawyers should have access to whatever personal information is on a worker’s BYOD device, Finneran says.

Similarly, privacy issues can come up if mobile-device management software that can peer into these devices is misused by other workers with access to the management platform, he says.

Beyond litigation, BYOD can cause contractual woes, he said, because it enables employees to work from wherever they have connectivity. While that is a plus from a productivity standpoint, it can become a compensation issue, too. For example a worker asked to simply send data on the device after regular business hours could trigger a contract provision that automatically makes that worker eligible for four hours’ pay, Finneran said.

These problems are not insignificant given that 68% of businesses do allow mobile personal devices to be used at work, according to Finneran, and that number is growing.

He said he finds it troubling that 45% of businesses he polled say their BYOD policy allows use of any device for BYOD so long as certain policies are adhered to. In the same survey 41% say their policy allows a limited and specified set of devices if they are running a mobile-device management agent

Of those two choices, “There is a right answer,” he said – that only specified devices with MDM software should be allowed. So according to his data, more businesses got the wrong answer than got the right one. Another 9% say their policy allows any device with no restrictions.

Security still dominates concerns about BYOD, he says. The threat range is broad because the devices are mobile so they are susceptible to being lost or stolen and jeopardizing sensitive business data. Use of unvetted personal applications can leave the devices open to malware that siphons off corporate data. Even workers’ use of weak passwords can pose problems, Finneran says.

The answer is developing policies that clearly define devices that can be used, how they are secured, what rights the business has and what responsibilities the employee has, he said. These policies should be written by groups that include management, IT, IS, legal and human resources members.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies