Many organizations permit (or would like to permit) their employees to use their personal mobile and computing devices for business as well as personal purposes. Although such “Bring Your Own Device” or “BYOD” programs have a number of important benefits (including reducing costs and increasing employee satisfaction and productivity), it is also important that organizations consider the various risks associated with a BYOD program and develop appropriate risk-mitigation strategies. These risks are significant and can include financial loss, reputational harm, loss of sensitive business information, privacy breaches, and cybersecurity incidents – to name only a few. As such, it is important to ensure that these risks are appropriately addressed in your BYOD program.
The following is a brief summary of some of the key considerations for organizations in implementing (or reviewing) a BYOD program:
Have you reviewed the key considerations in planning your BYOD program?
Some important items to consider in planning a BYOD program include:
- Get executive buy-in when planning and implementing your BYOD program – this will ensure that you have the resources to plan and successfully implement a BYOD program that appropriately addresses privacy and security concerns.
- Assess privacy and security principles and risks – given the nature of BYOD programs and the blurring of lines between business and personal, organizations must consider that they may inadvertently collect personal information from employee-owned devices in a BYOD program. As such, it is important to consider the rules that apply to your organization’s collection, use, and disclosure of personal information when considering implementing a BYOD program. Further, given their nature, there are a range of privacy and security risks associated with BYOD programs. As such, completing a Privacy Impact Assessment and Security Assessment before implementing your BYOD program can help to identify, prioritize, and mitigate privacy and security risks. Various Information and Privacy Commissioners have published useful guidance and forms for organizations to use during this process (e.g. Saskatchewan, Alberta, British Columbia, Federal, and Ontario).
- Pilot the program – testing your BYOD program on specific platforms or with specific staff members can help you to identify and address privacy and security gaps prior to full implementation.
Do you have appropriate safeguards in place to protect your business network and information?
Appropriate safeguards (including administrative, technical, and physical safeguards) should be developed or updated to appropriately reflect the realities of a BYOD program. Some of the key safeguards to consider are:
- Develop a customized BYOD policy. A BYOD policy that addresses the risks inherent in BYOD programs can go a long way toward mitigating those risks. Although your BYOD policy should be customized to your organization, some key items that should be considered include: user responsibilities, monitoring, privacy expectations and consents, acceptable uses, sharing of devices, applications (apps), cloud-based services, device settings, security features, BYOD program restrictions (for example, limitations on permitted devices), access to information on devices, access requests, processes for when an employee leaves the organization, and employee discipline.
- Develop or update related policies. Your customized BYOD policy should be accompanied by related policies on privacy, confidentiality, acceptable use, social media, and storage and retention of information. These other policies should address your BYOD program and appropriately reflect the separation between business and personal use and information on employee-owned devices.
- Consider and implement technical solutions that satisfy the goals of and address the risks associated with your BYOD program. Adopting appropriate technical software solutions (including, for example, encryption, anti-virus, and “Mobile Device Management” solutions) can be very helpful to mitigate risks associated with BYOD programs. These solutions have a number of functions that can assist with device management and administration, as well as with minimizing privacy and security risks (including, for example, “containerizing” the device to separate personal and business use). The appropriate software solution for your organization will need to be determined on a case-by-case basis.
- Communicate and obtain appropriate consents. It is important to clearly communicate and have appropriate documentation in place with employees prior to installing software on their devices (for example, the requirements and implications of Canada’s Anti-Spam Legislation (CASL) must be considered before this type of software is installed).
- Implement the program well. Just as developing a good BYOD framework is important to mitigating risk, the framework must be appropriately implemented and supported. This includes developing appropriate training materials and programs, including regular training for employees (and documentation of such training) as well as technical support for BYOD programs.
Have you considered all employment-related issues?
The fact that employee-owned devices are used for both personal and business purposes raises a number of employment-related issues. Some of the key issues include: responsibilities for costs associated with employee-owned devices, including the cost of the devices or data and voice plans; ownership of devices; acceptable uses of devices; monitoring protocols for devices; obligations with respect to work performed outside of office hours using devices; discipline for misconduct using devices, both during and outside of office hours; and processes for employees leaving the organization temporarily or permanently. For example, what happens to the device or the information on the device when an employee is away on a temporary leave, is terminated, or resigns?
Does your BYOD program appropriately reflect your employees’ reasonable expectations of privacy in their devices?
The Supreme Court of Canada recognized in R v Cole, 2012 SCC 53, that employees can have a reasonable expectation of privacy in work devices, and that the extent of such expectation depends on the particular circumstances. Generally, where personal use of a device is permitted or can reasonably be expected (as is the case with BYOD programs), employees have a reasonable expectation of privacy in the device. Further, the Court held that an employer’s policies can diminish – but not entirely remove – this expectation. As such, any proposed monitoring of employee-owned devices should be carefully planned and restricted to ensure that such monitoring is appropriate.
Do you have a plan for when things go wrong?
It is important to define a clear incident management process that assigns responsibilities for the detection, containment, reporting, investigation, and correction of cybersecurity incidents and privacy breaches in a consistent and timely manner. Such a process, including a current inventory of devices in the BYOD program, will assist your organization in managing and mitigating damages if things go wrong.
While a BYOD program can be attractive, there are a number of risks that should be considered and addressed prior to implementing such a program. Further, there is no “one size fits all” for BYOD programs, and the framework that is right for your BYOD program will depend on your organization. As a result, organizations may wish to consult legal counsel with respect to implementing BYOD programs to ensure that they are mitigating, to the extent possible, the risks associated with such programs.
Note: This article was originally published in November 2015 and has been updated to reflect current best practices.
This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.