BYOD: Legal and Security Risks That Could Impact Your Business

Imagine a bunch of lawyers prying into every email you sent and received during a certain period of time, on every device you use – even your own personal devices. That means any laptops, PCs, smartphones and tablets you use for work and play. What if they got a subpoena to look at the emails on the personal devices used by your spouse and kids? Turning over your kid’s tablet can’t be fun.

If you think it can’t happen, think again. Something similar happened in 2005 in a case involving trade secrets, which serves as a troubling reminder that personal devices and data can indeed become part of corporate court actions.

So what can you do to protect against this happening to your business? Mobile devices can boost employee productivity and job satisfaction, which is why so many people are using their own personal devices for work these days. Yet new and murky legal issues have emerged around this bring-your-own-device (BYOD) trend. Read on to learn about some of the potential legal implications of BYOD at your business:

Privacy
Many businesses go to great lengths to protect their company data from being leaked, hacked, damaged, lost or stolen on BYOD devices. That includes tracking the device’s location, monitoring its usage and wiping it if it’s lost or stolen. Some companies also choose to check the devices of outgoing staff before they exit the company to ensure no trade secrets or confidential data are on it. But since BYOD devices contain personal as well as professional data, these practices could violate employee privacy. Before adopting any of those practices, ask yourself if they violate any federal or provincial privacy laws.

To mitigate privacy concerns, some lawyers suggest you inform staff how, when and why these security measures may occur. Then, get staff to sign informed consent waivers allowing you to take these measures. Try not to be too invasive with monitoring, and give employees the right to revoke their informed consent at any time. Why? It’s possible that a court could nullify your BYOD policy by ruling that a) it is too heavy-handed, or b) you put undue pressure on an employee to sign it.

Simply having a BYOD policy isn’t always enough
There are lots of ways an employee can breach company security or break the law when using a personally-owned device in the workplace. They include:

– Stealing, leaking or losing company data

– Violating customer privacy

– Exposing company or supplier trade secrets

– Infringing on copyright laws or licensing agreements (i.e. using unauthorized copies of software)

– Committing a crime (like fraud or harassment)

– Withholding or deleting data requested by police or court officials

You might assume that simply having a BYOD policy absolves your company of liability in these instances, but this isn’t always the case. If you fail to properly educate your staff about your BYOD policies and tools, you could be open to some liability. The same goes for failure to update and enforce your BYOD policy. Just as personal and business data are ‘shared’ on an employee’s device (when used in the workplace), BYOD policies are a joint responsibility shared by you and your workers.

Other legal issues
These are just some of the many legal issues to be aware of in a BYOD workplace. Here are some others your BYOD policy should address:

– What happens to the device and its data if the employment arrangement concludes?

– Who and what is covered under the company insurance policy if the device is lost, stolen or breached?

– What type of liability is assigned to your company in that policy (i.e. if there’s a data breach on the device, is your company partly liable?)?

The bottom line
BYOD is a trend that’s still evolving, and the legal implications surrounding it are still largely undefined. Get advice from a lawyer versed in BYOD issues, and do what you must to protect your data in a BYOD situation. But strive to protect the privacy, trade secrets and personal data of your staff, customers, partners and suppliers at the same time.

Which legal issues have arisen from the BYOD situation at your business? How have you addressed them? Share your thoughts and experiences in our comments area below.