July 10 2012
Bring your own devices: opportunities and risks
Osborne Clarke | Tech, Data, Telecoms & Media - Germany

Introduction

HR departments have become aware of a growing trend: instead of being interested in what model of company car a potential employer is offering, job applicants seem more concerned with what mobile devices they will have the opportunity to work with. The HR department's answer is not always what the applicant wants to hear: old computers, not-so-smart phones – much IT equipment in companies lags behind the new and innovative technology rapidly coming onto the market.

One possible solution is 'bring your own devices' (BYOD) – private hardware in corporate use. Instead of a company being equipped on a central and standardised basis, with the BYOD approach employees simply use their private mobile devices for work communications.

For some, this represents a long overdue development which can lead to increased productivity; for others, it is a precarious scenario. Either way, many issues arise in this context, particularly in regard to IT security and compliance. Employment law, licence rights and liability matters are also major considerations.

Opportunities: savings, innovation and productivity

BYOD presents several opportunities. The most obvious is the cost saving on capital investment in hardware. According to a study by Good Technology,(1) half of all companies operating on the BYOD principle make no contribution to the procurement costs of employees' devices. Other BYOD concepts envisage participation or other compensation models. Start-ups in particular can benefit from the savings to be had on major initial capital investment. Established companies can massively reduce the strain on their IT budgets by implementing BYOD; market research company Gartner(2) claims that savings of up to 40% in procurement and maintenance costs can be made. Such specific figures need to be viewed with circumspection. However, one thing is certain: BYOD offers potential for saving on costs.

Productivity can also be hugely increased. Employees work in a familiar environment, not in centralised systems representing the lowest common denominator in terms of workflow. This can result not only in increased efficiency, but also in increased employee satisfaction. According to a 2011 survey by AT Kearney,(3) productivity can be significantly improved, particularly in the context of everyday processes such as emailing and deadline management, if users are working with the device that is best suited to them rather than with a "suboptimal company-wide standard configuration".

BYOD can also lead to a general modernisation of the company's IT equipment. The hardware which employees use privately is often much more up to date than would be possible in the context of a company equipped on a centralised basis. One iPad is quickly purchased and set up, while introducing 500 iPads on a company-wide basis requires considerable time and is hugely expensive. In this context, BYOD can open up entirely new possibilities for innovative workflows in corporate processes.

Risks: uncontrolled devices and environments

Potential cost savings and productivity increases come at a price; in terms of IT security, the diverse IT infrastructure that arises with BYOD represents a huge risk. While standard IT systems in companies can be properly controlled and secured, employees' devices often represent a gateway for malware and attackers. An IT department can hardly ensure (as it can with company-owned hardware) that current patches are applied to all devices and that insecure software is blocked.

Users themselves constitute an increased risk. Although during their working hours users will normally operate in a controlled environment (eg, a secured network, possibly with filtered and restricted internet access), in their leisure time everything is available – from surfing via public hotspots to installing untested software from the Internet.

In many respects, therefore, the risk potential is increased. The devices themselves can be controlled only to a limited extent and can become a source of internal risk, while at the same time users are operating in uncontrolled environments, which can lead to increased external risks.

Therefore, security concepts must adapt. Not only is considerable planning involved in the run-up to the introduction of BYOD, but the day-to-day work of IT departments also needs to be much more flexible and, as a result, will become more complicated. In addition, a wide variety of security mechanisms must be implemented on users' devices and then constantly monitored.

Thus, part of the savings achieved by no longer having to procure hardware will have to be reinvested in security mechanisms. In addition, further capital investment in infrastructure may be necessary – the huge savings potential of BYOD may be significantly relativised as a result. A single visible outlay on hardware may be transformed into creeping costs, which ultimately may make such a concept unprofitable in the long run.

Legal issues

Good planning in the preliminary stages is therefore essential. This includes an analysis of the legal implications. Numerous legal issues arise in connection with BYOD – not only in regard to IT security.

Liability if the security concept is incomplete

The criterion for almost all regulations on liability is the concept of negligence. A person is negligent if he or she "fails to exercise reasonable care". This means that if no security concept, or only an incomplete security concept, is developed to take account of the special circumstances associated with the use of BYOD, then the liability risks will be almost incalculable.

Many scenarios arise in this context. The most important of these include:

- liability arising in respect of production shortfall or delay (compensation for delay);
- breach of confidentiality agreements (damages for breach of contract);
- viruses sent by email with data loss for the recipient (compensation on the basis of a secondary contractual obligation); and
- causal damage to property and injury to persons resulting from the absence of a security concept or from a defective security concept (compensation on the basis of tort).

Under certain circumstances it is not just the company as a legal entity, but also the management personally, that can be held liable for damages caused by security issues. This applies to the management of joint stock corporations and limited liability companies alike, due to the general obligation to introduce and maintain appropriate risk management.

To this must be added:

- internal losses for the company as a result of production shortfall;
- loss of profits;
- costs in respect of analysis; and
- rectification of the consequences of a possible security problem.

An adequate security concept is a fundamental prerequisite for companies. Whether such a concept is adequate depends on the specific risk situation affecting an IT infrastructure. With BYOD this situation changes, which is why it is essential to modify security concepts in order to avoid liability in the event of security problems.

Data protection law

A further important issue in connection with BYOD is data protection law, which gives rise to numerous rights and duties that are affected by a hardware concept of this kind.

Personal data

The Federal Data Protection Act governs how personal data is handled. The law does not cover all data, but only data relating to persons – more precisely, data which can be attributed to an "identified or identifiable person" (Section 3(1) of the act).

In companies, this includes in particular customer data – for example, in the context of contract management, correspondence or customer relationship management systems. Furthermore, a company's staff data also falls under the scope of data protection law. Ultimately, almost every company works with personal data in one way or another, which has far-reaching legal repercussions.

Duty of care

First, the company itself is affected. The Federal Data Protection Act envisages various duties which must be fulfilled by any "agency which processes data". The law refers to "technical and organisational measures" (Section 9 of the act). Thus, if a company holds personal data, it is responsible for ensuring that such data is securely preserved. In particular, the act envisages the following security measures:

- system access control – protection from unauthorised access;
- data access control – allocation of dedicated access rights;
- transfer control – protection from unauthorised transfer;
- input control – logging of changes; and
- availability control – protection from loss and destruction.

All of these factors must also be ensured where a BYOD concept is applied. The data that employees store on their terminals must therefore be carefully protected and secured. In most cases it will be difficult to fulfil the high standards required by data protection law. Encrypting data on terminals will be insufficient in itself.

In order to fulfil all technical/organisational measures specified by the act, it will usually be necessary to hold data via central systems (eg, private clouds), rather than on a local basis. Various possible solutions can be envisaged in this context. The significant point is that data protection law places narrow limits on the use of data outside the secured environment within the company.

Control rights

A further problem arises in connection with the control of employee devices which are used in a professional context. If the devices are used for private as well as professional purposes – which, in the nature of things, is always the case with BYOD – then telecommunications secrecy applies. Consequently, any access to an employee's device is subject to mandatory prior consent.

Irrespective of whether it is for local data, logging or remote maintenance, whenever an employer needs access to an employee's device, the employee must give his or her prior consent. Such consent will be effective only if the following conditions are met:

- consent must be given voluntarily, which means that the employee must actually be able to take a free decision;
- consent must usually be given separately in writing, which means that a clause in an employment contract is insufficient;
- it must be possible to revoke consent at any time – a consequence of it being voluntarily given; and
- consent must be restricted to the specific purpose (ie, consent cannot extend generally to any access irrespective of the reason).

The question of whether consent has been given voluntarily is often problematic, particularly in work situations. Ultimately, an employer is often dependent on obtaining its employees' consent. The employer is faced with the conflict between employees' rights and the technical/organisational measures that it must fulfil in order to ensure data security. Accordingly, employees may feel pressurised to a certain extent when it comes to giving consent.

Such consent is usually sought at the start of an employment relationship – and which employee wants to make a negative impression on their first day at work by refusing his or her consent? For this reason, case law does not usually regard consent given in such circumstances as voluntary. Consequently, it is possible to get employees to agree to any access to their devices and their data only under strict conditions.

This is particularly problematic in cases where companies are dependent on their employees' data. For example, if an employee who calls in sick has been working on a contract for weeks and that contract must be sent off urgently, it can be a serious problem if access to the data on the employee's device is not possible.

With conventional IT models, this problem is frequently solved by implementing a general ban on employees using IT infrastructure for private purposes. In such cases, all communication would be for business functions only and telecommunications secrecy would not be a problem. From a technical point of view, the problem can at least be partially mitigated. However, any solutions are far from being completely satisfactory – mostly because private use tends to creep back in gradually and telecommunications secrecy becomes an issue again.

However, in this context BYOD does offer a favourable way out. An employee's decision is truly voluntary if he or she is offered the choice between using his or her own device (and accepting access by the employer for specified purposes) or using a device provided by the company.

Consequences of data protection violations

Any violation of the requirements of data protection law can have serious consequences. Not only can a data leak lead to a PR disaster, but fines may also be imposed by the data protection authorities. Even criminal law consequences may arise – for example, if employees' devices have been accessed without prior and adequate consent. In any event, the risks are not to be underestimated and should be taken seriously.

Issues of ownership

In some BYOD models, the issue of device ownership can lead to problems of an entirely different kind. In cases where the company has made a cost contribution to devices, the question can arise as to who owns the device – the company or the employee. This in turn gives rise to important consequential questions: who is liable if the device is lost or damaged? Who pays for maintenance, licences and updates?

All of these questions need to be considered in advance and contractually regulated with employees in order to avoid subsequent disputes.

Employment law

Questions of employment law also arise. For example, liability is usually at least limited as far as employees are concerned, and in some cases is totally excluded. Employees are subject to their employer's right to issue instructions. Employers are also responsible for the organisation of the operation. Thus, it is only in the context of gross negligence or deliberate misdemeanours that an employee can be fully liable.

In connection with BYOD it is, above all, questions of delimitation that arise in this context. A situation will often arise where the private and professional use of the device become blurred. What happens if an employee is grossly negligent in the private sphere and damage arises for the employer as a result (eg, if an employee installs dubious apps which allow attackers to gain access to company data)? Here the question arises as to whether the employee is liable for such conduct as an employee or as a normal private person. In a case dealing with this issue, an employee was deemed not to be subject to his employer's right to issue instructions, but was considered to be operating outside the sphere of the operational organisation. This issue and other specifics remain open and must be considered on a case-by-case basis.

Licences

BYOD also has consequences in regard to licence regulations. For example, do private licences for software also apply in respect of devices that are used partly professionally and partly privately? This is a familiar legal dispute, mainly in connection with television and radio licence fees for computers. Here, the question arises as to whether the fee is payable twice for such devices – once for private use, once for corporate use. There is no uniform case law on this subject, and accordingly it is to be expected that there will be many different legal perspectives on questions relating to licensing regulations. The respective licence agreements are also a decisive factor here, so this problem must be considered individually in advance.

Best practice

The legal framework conditions alone give rise to some points that need to be taken into account if the BYOD concept is to be introduced. As is always the case with legal questions, each case is unique and must be subjected to separate legal examination. Nevertheless, some methods can be recommended which are expedient and plausible in most cases in the context of BYOD:

- Business data must not be stored on the device – if business data is kept not on an employee's device but centrally on a secured server, this will certainly contribute to data security. In addition, many legal problems can be mitigated as a result (eg, problems regarding technical/organisational measures or the mixing together of private and professional data).

- Devices must be securely configured: terminal software and sandboxes – as far as possible, not only data but also professionally used software should be separated from the rest of an employee's system. Data security can be put at risk not only by direct access to data, but also by compromised or manipulated software. In certain circumstances, problems relating to licensing regulations can also be circumvented in this way.

- Unsafe apps should be blocked – unsafe apps on smartphones are a significant problem, not only in the professional sphere but also in the private environment. This does not only concern malware in the narrower sense. For example, Skype can bring entire networks to a standstill if it makes a client a master node on the basis of frequent use and large transmission capacity. This area contains some hidden dangers which must be closely examined before any BYOD policy is implemented.

- Central administration, obtaining consent – as mentioned above, access to employees' devices requires explicit prior consent. At the same time, access is possible only within narrow limits. To that extent, it is advisable for as much maintenance work as possible to be carried out centrally, without the need for individual intervention in a specific terminal. For example, central updating of software can ensure that employees' applications are always up to date, while at the same time rendering any manual intervention in employees' systems unnecessary. A word of caution, however: the central administration of software does not replace employee consent – consent is also mandatory for automated and centralised interference.

- Allowing employees to choose – employees should be allowed to choose whether they want to work with their own device or with a device provided by the company. There is one major advantage to this in particular: the use of employees' own devices can be linked to the employee agreeing to the IT department having occasional access to these devices for maintenance purposes or for security reasons. If employees are allowed no choice in the matter, this consent could possibly be invalid on the basis that it has not been voluntarily given.

These recommendations are merely an initial guide. Many other aspects also need to be considered, and changing one parameter can have repercussions for all other parameters. The legal department should be involved in any plans and deliberations concerning BYOD at an early stage. It is essential that any technical concept takes into account the legal issues arising from a company's specific circumstances.

Comment

BYOD offers many opportunities. Particularly in technically oriented sectors, BYOD can make use of underused resources and can lead to massive savings. But the effects, specifically where employees are concerned, should not be underestimated. Working in a familiar system environment can increase productivity, and working on modern terminals that are adapted to employees' own needs can increase motivation. At the same time, the potential of early movers can also be used to shorten innovation cycles within the company.

However, all of these advantages come at a price. The requirements in terms of security concepts become more complex and entirely new legal questions arise. There is also the risk that the level of support required will impose new tasks on IT departments, the extent of which will be difficult to assess. Therefore, in order to make use of the opportunities provided by BYOD, comprehensive and thorough preparation is necessary.

Yet there are solutions to all of these challenges. With thorough planning, some legal problems can even be better solved than with conventional IT structures – for example, in regard to obtaining employee consent to terminals being checked. If employees are permitted to choose between centralised provision of hardware and the BYOD model, it is possible to achieve the otherwise difficult balance between the need to have access to employees' data and the voluntary consent of the employees concerned.

The effort involved in such a comprehensive conceptual change will not benefit every company, and it may not be possible to fulfil security standards adequately in all areas of work. Nevertheless, BYOD will be worth considering in many sectors. As Ben Fried, chief information officer of Google, stated: "The Chief Information Officer must learn to turn the ever-faster rate of technical change to his advantage, instead of fighting it." In the IT sector at least, BYOD may soon be the only way forward. From a legal standpoint, this development needs proper support, although it must be structured in the right way to avoid problems at a later stage.

For further information on this topic please contact Georg Meyer-Spasche at Osborne Clarke by telephone (+49 221 5108 4206), fax (+49 221 5108 4207) or email ([email protected]).

Endnotes

(1) Available at media.www1.good.com/documents/Good_Data_BYOD_2011.pdf.
(2) See www.computerwoche.de/management/it-strategie/2370514/index3.html.
(3) Available at www.atkearney.de/content/veroeffentlichungen/executivebriefs_detail.php/id/51430/practice/sitp.