Bring your own device, or “BYOD,” is a phrase that has been adopted to refer to the practice of businesses allowing their employees to bring their personal devices to work, such as their personal computers or tablets, to serve as replacements for laptops or PCs provided by the employer. Rather than using computer hardware that is provided by the employer to access privileged company information through a company network, BYOD allows the employees to use their personal devices to connect to the company network and access this information. This often results in employees using and storing privileged work-related information on their personal devices.
At first blush, BYOD has some clear benefits. The most evident benefit, especially for large businesses, is that employers are able to cut costs by not having to provide computer hardware for each employee. Businesses are also able to cut costs on computer maintenance and repair. Computer hardware is bound to malfunction, and because the employee is using their personal device, the duty of repair mostly falls on the employee. Also, people are more comfortable with their personal devices since they personally invested in them; therefore, an employee may feel more comfortable in the work environment when using their personal device rather than a computer provided by the employer, which could increase employee productivity and satisfaction.
However, BYOD poses some risks, specifically privacy and security risks. The fact that the employee is accessing and storing work-related information on their personal device may increase the chances of a security breach. For instance, an employee who has stored privileged work-related information on his personal device may accidentally lose that device, may inadvertently download a virus, or may just leave the company. In these instances, how can sensitive work information be protected? Some businesses that have implemented BYOD have required their employees to follow certain security requirements, such as having the device encrypted or having it configured with passwords. Some employers have even set up periodic audits of their employees’ personal devices. The biggest issue with BYOD is the diminished control that an employer has over the information that an employee is using and storing on their personal device, which is less of a problem under a system in which the employer provides protected and secure hardware for the employee.
If an employer decides to implement BYOD, there may be information security and data protection laws with which it must comply – depending on the type of business in which the employer engages. Some of these laws include the Sarbanes-Oxley Act (SOX), the regulations of the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).
In sum, the risks of a privacy and security breach may outweigh the benefits that BYOD brings. To ensure maximum security and privacy protection, it may well be the most prudent option for the employer to provide company-owned and managed hardware, which is connected to a main network that is secure and protected, to its employees. However, BYOD may work more effectively for other employers. Regardless of the circumstances, in a world where mobile devices are the norm and remote workplaces are becoming more common, employers should be mindful of the information security and data protection laws, rules and regulations by which they and their employees are required to abide.
© De Leon & Washburn, P.C. This article is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between De Leon & Washburn, P.C. and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of De Leon & Washburn, P.C.