While the potential security and legal aspects of bring your own device (BYOD) are frequently mentioned by vendors – especially as a good reason to buy their mobile device management software – the plain truth is that there haven’t been many, if any, clear-cut cases related to BYOD. Yet.
But as Frances Barker, a partner at Blocks Solicitors, is quick to point out, almost all employment law cases these days do involve IT in some capacity, even if it is just an email sent from a work PC, so it is almost inevitable that one day soon, someone’s personally owned BlackBerry or iPhone will be required to give evidence in court.
And many organisations are clearly concerned – as reflected in the number of enquiries that law firms such as Blocks are receiving.
In broad terms, though, BYOD is already well covered by existing laws and conventions, even if they were not originally written with BYOD in mind. “The laws relevant to BYOD would be the general context of employment law, which will be the Employment Rights Act 1996; the ACAS code of practice on disciplinary and grievance procedures; and the Data Protection Act,” says Barker.
She continues: “Specifically, in relation to BYOD, it will also depend on the contractual terms under which a person uses their own device – that’s the ‘deal’ between employer and employee.”
That is why organisations have been urged to develop their own policies on BYOD: in order to cover themselves under the terms and conditions of employment that govern their relationships with staff.
Generally speaking, she adds, employers ought to set boundaries on staff using BYOD devices similar to those they would expect if staff were using company-supplied kit. “Although obviously the member of staff can use it for private use as well,” she adds, and this private use needs to be respected by the employer.
She continues: “The employer is also going to have to – and this is the intrusive bit – reserve the right to monitor and to inspect the device in order to investigate potential problems.”
Put like that, and suddenly it doesn’t sound quite so enticing. Indeed, many software vendors also promote such capabilities as the ability to remotely wipe some or all of the storage of a smartphone or tablet computer should the member of staff lose the device or, worse still, go to work for a bitter rival.
“And the device is almost certainly mobile, so you will have security implications related to that, too,” she adds. “What is key is, what happens when they leave or you suspend them?”
While current laws and regulations that encompass BYOD are quite flexible, one of the big problems surrounding it, adds Kathryn Wynn, a senior associate with law firm Pinsent Masons, is that there is no specific legislation relating to it. “Most of the laws [relating to BYOD] were written over 10 years ago and never really envisaged the concept of BYOD,” says Wynn.
Even so, a first step is to draw up a reasonable, binding policy on BYOD based on rights and responsibilities under existing laws.
Practical Law, the online legal advisory service run by Thomson Reuters and widely used in business, has even drawn up a draft BYOD policy document that subscribers can consider. It is intended both to explain to staff the risks that the company is exposed to when it adopts BYOD and to prescribe a code of behaviour.