The consumerisation of IT is the latest technology trend posing challenges to Australian businesses. As workplaces consider the benefits of flexible working practices allowing their employees to work from home or remotely, they increasingly face legal, technology and commercial challenges on a number of fronts.
Along with cloud computing, the BYOD (Bring Your Own Device) trend is one of the key outcomes of the current shift in working practices. Organisations are facing increasing challenges as tech-savvy employees demand more flexibility over where and when they work. The traditional 9 to 5 working day based in an office is no longer the norm. Employees are working remotely, from home and from coffee shops, and want to be connected 24 x 7.
The Citrix Global Workshifting Index found that by 2012, 93% of organisations will have implemented workshifting policies, up from 37% in 2011. It is clear that the move to BYOD is happening in every organisation whether they like it or not. Those organisations that embrace the trend are likely to reap the benefits of improved staff productivity, increased staff retention and a reduced environmental footprint. Those that do not will be playing catch-up.
The tension between the privacy rights of individual employees and those of the organisations they work for is perhaps best highlighted by a recent story involving an American company, Mimecast Inc. Peter Bauer, the CEO of Mimecast, was holidaying in South Africa with his family. Midway through the trip his young daughter picked up his smartphone and, after five unsuccessful password attempts, the Mimecast remote wipe capability triggered and all of the photos taken during the first half of the holiday were immediately deleted. The story is made all the more poignant as Bauer had been instrumental in instigating the Mimecast BYOD policy which approved remote wiping of smartphone devices.
This story highlights the tension between effectively managing the rights of individual employees and those of their employer. With corporate owned devices, it is a lot easier to manage compliance with existing privacy laws. Employees are likely to have lower expectations of privacy in relation to personal content stored on such devices. This is not necessarily the case when the devices are owned by the individuals themselves.
Putting in place some frameworks which manage personal information effectively as part of an organisation’s BYOD policy will therefore be one of the critical issues moving forward. This is likely to become even more important with the rights of individuals to be strengthened in the first quarter of 2013 under proposed revisions to the Privacy Act 1988 (Cth).
Data security risks come a close second to the risks posed by privacy. Following a spate of data security breaches, beginning in 2010 with Sony and most recently in Australia with Telstra and Billabong, data security breaches are a key risk for organisations. BYOD heightens the data security risks to organisations, as mobile devices by their very nature are easier to lose, misplace or have stolen. How individual employees use their devices is particularly important in this context. The increased popularity of third party consumer applications like Evernote and Dropbox poses particular security risks.
It is therefore critical for organisations to have a firm policy on how and what types of enterprise data will be stored in such applications. Will enterprise data be segregated from personal data? Adopting mobile device management tools may allow organisations to more effectively pick and choose which information is made available to particular employees. Many organisations that adopt a “virtualised” approach are better able to ensure that, when a device is lost or stolen, no data is physically held on the device itself. It is all accessed via the internet, and the device can be switched off or killed remotely.
No matter the preferred approach, organisations need to acknowledge that their employees and users are likely to store some corporate data on their devices at some point. It is then about putting in place an approach to train such employees and ensure that they take all reasonable steps to protect the security of their devices, including regularly updating passwords and keeping antivirus software and security patches up to date. Such obligations are important to include in any BYOD program and related policies.
Intellectual property issues
In a past life the ownership of the content on corporate owned devices was fairly clear-cut. If you were using a corporate owned device and you created content on that device your employer was in a good position to claim the intellectual property rights in such content. That position is now no longer so straightforward. Whilst employers may lay claim to intellectual property developed in the course of employment by an end user, who owns the intellectual property where end users create materials using a personal device outside of working hours? What about contacts gathered by users on LinkedIn?
With the advent of BYOD there are now more and more situations which are grey rather than black and white. Organisations will need to seek advice on their existing contracts of employment and ensure that any and all intellectual property created by an employee on a BYOD device whether at work or outside work is owned by the organisation. There will always be exceptions which will conflict with the policy but not addressing the situation is likely to pose more risk to an organisation.
Litigation and data retention obligations
Organisations are required to comply with numerous legal obligations to retain corporate records for litigation or regulatory purposes. Organisations need to appreciate that technology is likely to impact these obligations. Where enterprise data is physically stored on a personally owned device, complying with such obligations may prove more of a challenge. Organisations need to understand the risks associated with requiring employees to grant them full and ready access to personal devices. Tech-savvy employers will be able to navigate the technology hurdles whilst also effectively complying with any discovery obligations or document retention requirements.
The 2011 ban by ANZ Bank on directors using Apple’s iPad to manage board papers was seen at the time as a slight overreaction by many commentators. Many of the concerns about the security of documents could have been avoided by ensuring documents were able to be securely accessed virtually from the device and not physically stored on it. If the iPad was ever lost or stolen, the device would have nothing on it which could compromise the bank. Further, there would be fewer risks around complying with data retention obligations, as the records would be stored securely within the organisation and not physically on the device.
It is quite likely that an organisation’s existing software licensing arrangements will not cater for a move to BYOD. Existing licence terms may be granted on a per user or per device basis. They may apply only in respect of corporate owned or leased devices and may not extend to use of applications by employees on multiple devices, including on smartphones or tablets owned by users and accessed from home or remotely.
It is critical for organisations to review their existing licensing arrangements and liaise with technology vendors to update or renegotiate terms.
What happens if the user owned device is lost or stolen? Will it be covered by an organisation’s existing insurance policy? Who should be responsible - the employee or the organisation? These are important issues to address within any BYOD policy. It will be important to speak directly to your insurers to update any relevant policies. Many policies currently apply only to company owned or leased equipment and do not extend to user owned devices.
Perhaps the greatest number of legal issues arise in an HR context. Organisations will have to come to grips with the following HR issues all of which will need to be considered in any BYOD program or policy:
- What organisation and user responsibilities apply when users cease working as employees or contractors? How does this tie in with your organisation’s existing contracts of employment or contractor services agreements?
- Who should the organisation make the BYOD program available to? All employees, or only those who meet certain criteria? Should it extend to contractors also? If to a select pool, you will need to ensure you properly comply with the Anti-discrimination Act 1991 (Cth) and related State laws. You will need to ensure you consider obligations for users with special needs, including users who already work part time or flexibly. Should the program be optional or mandatory? You will need to be particularly careful in relation to the selection criteria for employees if the program is not open to everyone.
- What minimum security measures and obligations do you need to include for users, e.g. password and virus-update obligations? To what extent, if any, will you take responsibility for security measures, and how will this flow down to your employees?
- Will you allow users to access third party applications outside the organisation such as Dropbox or Evernote? If so, on what basis? How will you monitor compliance?
- What minimum support obligations will you include for the support and maintenance of BYOD devices (if any)? What about support for the applications on the devices? You may consider having an approved list of devices and providing minimal support only. Some organisations seeking to retain more control over such devices will offer to fully support them; others will not make support available at all.
- What content and acceptable use obligations will you need to include? Users accessing inappropriate materials in the comfort of their own home is one thing. Users bringing devices into the workplace containing such material is another. You have a duty of care to your employees and others in the workplace and it will therefore be important to have clear requirements in relation to such obligations. So too with the use of personal information and confidential information of users and the organisation. Both parties will typically take on responsibilities to ensure the adequate protection, use and disclosure of such information.
- To what extent, if any, will your other policies be affected by BYOD? Such policies may include your Internet and Email policy, Business Continuity and Disaster Recovery Plans, Data Security policy, and HR policies more broadly. Have you updated these policies to ensure a consistent approach across your organisation? In particular, your security/data breach policy will need to be updated to cover BYOD specifically.
- Depending on the BYOD program, what payment obligations (if any) should you include in the policy? Do you intend that users will own the device outright? Who will be responsible for meeting initial device costs and ongoing costs? Will you pay a stipend? If so, how much and on what basis? Have you considered FBT or other tax implications for making such a payment? Who will be responsible for excess use or roaming charges for each device?
These are just a few of the issues that are important to advise on from a legal HR perspective. So what are some of the broader implications for Australian businesses in relation to BYOD?
Implications for Australian Businesses?
Organisations and some technology advisers wrongly assume that BYOD is a technology issue only. This is not the case. BYOD affects the whole business, and any BYOD program needs to involve representatives from technology, management, legal, finance and HR.
As seen above the legal risks to Australian businesses are extensive. Any BYOD program will need to take into account the regulatory and operational requirements of the organisation and businesses would expect to have to deal with the following:
- Understanding the raft of employee related issues arising in relation to BYOD including in relation to existing and required changes to employment contracts and independent contractor agreements;
- Ensuring an effective working relationship with technology, finance and management on creating and implementing an effective policy and program which achieves the organisation’s business objectives whilst also meeting any legal and compliance obligations;
- Identifying relevant third party arrangements and working closely with third party organisations including insurance, technology vendors (licensing) and government authorities which will impact on the BYOD program; and
- Putting in place frameworks and processes which protect the legitimate interests of the organisation against the rights of individual users, particularly in relation to data security, privacy, confidential information and intellectual property rights.
BYOD is an exciting trend and is happening whether organisations like it or not. Those that embrace the trend and put in place effective processes and procedures to manage the likely risks are well placed to take advantage of the benefits of BYOD. Those that ignore the trend or are overly prescriptive in their approach not only put the organisation at risk on a number of different levels but risk losing the very people who will see that organisation into the future.