“Bring your own device” (BYOD) has been part of the revolution in the workplace, saving businesses the costs of IT hardware at the same time as facilitating flexibility for employees: many would rather work on their preferred interface and applications than adapt to an employer’s systems. But it comes with obvious, and substantial, legal (IP, data protection and contractual) risks: once information reaches an employee’s own device, it leaves the employer’s physical control without relieving the employer of legal responsibility.
These risks can be exacerbated by personally owned devices that are designed to connect all aspects of their owners’ personal lives by facilitating the easy (and often automatic) sharing of data. Device owners are used to sharing personal information with other users and in the cloud. Some devices automatically store a backup of the data on a device to a cloud-based account, or to the user’s PC.
BYOD also carries a significant security risk. Few personally owned devices are protected against malware or intruders to the standard applied on corporate IT systems.
So, what should businesses do to protect themselves?
Policies and training
The traditional answer has been to impose an internal BYOD policy explaining to staff which devices are eligible for BYOD and what employees may and may not do with data on their devices for business purposes. As we have previously suggested, this could include requiring the use of passwords to access the device and the need to install antivirus and antispyware software. Policies can also lay down the circumstances (such as the installation of security software or carrying out inspections, among others) in which the employees must allow corporate access to their devices, or when the company may delete corporate information stored on the device to guarantee its security (for example, if the permitted number of failed attempts to enter the password on the device is exceeded or in the case of long periods of inactivity). The BYOD policy should in any event oblige the employees to immediately inform their employer if the device has been stolen or lost.
Experience shows that BYOD policies work best if their implementation is accompanied by employee training so as to raise the employees’ awareness of the legal issues and risks involved. The employees need to understand that the disclosure of company data and trade secrets may not only cause significant harm to their employer but, if it occurs for the purposes of competition, for personal gain, for the benefit of a third party, or with the intent of causing damage to the employer, may lead to criminal sanctions. They also need to be aware that the license terms, e.g. for royalty-free cloud applications operated on their devices, might not allow the use of the application for business purposes. At least under German law, the employer may be liable for any copyright infringement caused thereby.
However, even when employees fully understand and intend to respect such a policy, a risk of information leakage remains. For example, staff may be happy to let family members use the device, or provide credentials (including passwords) to a third party for maintenance or repair.
As always, active prevention is better than seeking a legal cure. If possible under the applicable data protection laws, regular audits of the business data stored on devices should be conducted; technical solutions can help with this. An audit of devices is of significant importance as well, in particular when staff leave or replace their device, so that all business data can be removed and access to business systems is revoked. Better yet, prevent any unauthorised devices from accessing sensitive business or personal information, and ensure that authorised devices are only able to access the data and services you are willing to share with BYOD employees.
But to make these approaches work, businesses must balance technical controls with usability; if a solution is too restrictive, staff will find workarounds or use unsafe alternatives, and the trade secrets will be just as vulnerable as if no control had been imposed at all. And under the draft Trade Secret Directive, that may not be considered “reasonable steps” to keep the information secret – potentially resulting in the information no longer qualifying for legal protection, either. Looking ahead, in order to properly protect your company’s sensitive data, it will be crucial not to allow BYOD employees to access sensitive business information with their own device. BYOD may have its attractions, but PYTS (Protect Your Trade Secrets) is the maxim employers need to keep in mind.