
To BYOD or not to BYOD? Pros and Cons of a BYOD Program

Does your company have a written policy regarding whether employees may “bring your own device” (BYOD) for work? If not, you need one. At a minimum, your company policy should clearly state whether employee-owned devices may be used in the workplace or to access company data, and if so, in what circumstances. If your company has not already determined what the policy should be, there are risks and benefits of allowing BYOD that you will have to weigh.

Two options for employees to use mobile devices for work include “Bring Your Own Device,” in which an employee purchases a device and uses it for work, and “Corporate-Owned, Personally Enabled” devices, or COPE, which involves issuing company-owned devices to employees. Each program has benefits and risks, and you will need to determine what program fits best within your corporate culture.

When we talk about BYOD programs, smart phones are the first devices that spring to mind. However, in planning your program, be aware that employees also bring tablet computers, laptop computers, and their own portable media.

There are many benefits to both employer and employee when it comes to bringing employee devices. There are apparent cost savings for each device that an employee purchases. If an employee owns, pays for, and manages the device, the cost savings will add up fairly quickly.

One of the major draws is the always-on availability of employees. This is likely to be more noticeable in a pure BYOD context. In a COPE context, employees may opt to use their own device for personal communications, while isolating their COPE device for professional needs. In allowing employees to use their own personal devices, there can be an expectation that those devices will be with them some or all of the time. Whether implementing a COPE or BYOD program, employees can be more available during travel, while in transit, or during nontraditional working hours. Only allowing an employee to use a desktop device as designated by the company will require your employees to be in the office when they need to get work done.

From a recruiting and retention standpoint, many employees consider the ability to carry a single device to be a significant benefit, while they see being forced to carry a work device and a personal device as an inconvenience. Employees may be more productive when they can choose the devices that they are most comfortable with rather than forcing them to work with whatever device your IT department has under contract. This can be of particular use in certain fields where there are device specific applications, or applications with which your employees are more comfortable. The look and feel of one brand may be very different from another, and while productivity gains may be small for each task, in the aggregate, small productivity gains can grow into large time savings. This can be particularly important in tech-heavy positions like programming, graphic design, and UX design where different operating systems support different products.

While employers may elect to permit BYOD as a cost saving program, many companies have found that BYOD may cost more in the long run, due to the risks involved. Therefore, it is important to carefully assess the likelihood and potential impact of BYOD risks before establishing a BYOD program.

Data security and privacy is the first and largest risk to be aware of when implementing a BYOD program. The data you collect is frequently the lifeblood of your organization. Keeping your company’s lifeblood inside your organization and not letting it bleed out into the world is both crucial and potentially difficult. It is easier to maintain the security of data if it is all kept in one geographic location under lock and key - a paper filing cabinet is harder to obtain data from than, say, a cell phone left in the back seat of a cab. Your policy may reflect some limitations on which devices are acceptable to use. As an example, you probably don’t want jailbroken phones on your corporate network.

Intermingling of data is more likely with BYOD devices. With a BYOD program, if you find yourself in litigation, you may end up investigating nooks and crannies for data that you didn’t even realize existed. Tracking which devices employees are bringing to work as well as which applications they actually use to do the work (for more on this, see my “BYOA” blog post) is the only way to ensure that you will know where relevant data is when it is requested.

Employee privacy issues are another potential issue. While you do want to know what your employee is doing for you, you don’t want to cross the line into employee surveillance. Each state has its own workplace privacy law and compliance with each is obviously mandatory. Difficulties can arise when an employee uses their personal device for work as well as for immoral or illicit activity. The bleed between the private and the professional can come up in IT repair requests or other instances which can cause HR issues for you. BYOD also increases the chances that an employee can accidentally reveal insight or information about himself or herself which is inappropriate to share in the workplace.

COPE programs pose one specific set of issues that are beyond the scope of this piece - what to do with personal data on a corporate owned device at the time an employee leaves the company. This issue can become extremely thorny, particularly if the termination is not amicable.

From a practical standpoint, high data usage costs are another potential risk. Employees making out of country calls and gobbling up limited data plans can put a serious dent in the bottom line of your program. Other hidden costs include IT department training for support and help desk. The balance of who pays for which parts of the service, of course, helps determine possession, custody, and control for purposes of discovery in litigation and investigations. The more the company pays for, the fewer expectations of privacy an employee can have, and the more corporate custody and control can be argued. I will expand on that in a future blog post.

BYOD and COPE programs promise increased productivity, always-on availability, and corporate cost savings. You will need to assess whether those advantages balance the attendant risks. Whether you allow employees to bring their own devices or not, make sure that you have a clear and explicit policy which includes your expectations for those devices as well as acceptable use policies. I will dive more deeply into what your policy should encompass in a future post as well.

Jonathan Swerdloff
Jonathan Swerdloff is Director of Global Client Services and eDiscovery at Scott+Scott Attorneys at Law LLP. Prior to this role, he was an expert Consultant at Driven, Inc.