Considering the information governance implications of BYOD programs
As companies work to control costs and mitigate risk, bring your own device (BYOD) programs create as many questions as solutions. Employees are looking for faster and more fully integrated mobile devices, while corporate legal and IT departments work to control costs, mitigate risk, and govern the flow of information to and from those devices. We asked iDS’ BYOD expert, Brandon Leatha, to discuss the types of issues that BYOD programs could present for a company facing an investigation or litigation. His responses have been edited for length and style.
MCC: Why have companies moved from company owned devices to BYOD programs?
Leatha: Employees have been the primary driver behind BYOD programs. Demand for the latest and greatest devices that support audio, video, social media, games, and the ever-increasing variety of mobile apps has prompted companies to allow employees to use personal devices for business purposes. The BlackBerry and other outdated corporate-issued devices are just no longer cutting it, and carrying two devices is just not an appealing option.
As companies have evaluated the risks and the benefits, many have made the decision to fully adopt BYOD programs. Significant cost savings can be realized by shifting the cost of the device to the employee, reducing or eliminating user training, and minimizing the time spent on managing and deploying corporate-owned devices. Companies such as Intel and VMware have conducted studies that have also shown significant productivity and efficiency gains when employees use their own devices. Intel concluded that employees saved an average of almost one hour per day by using their own devices, and VMware estimated an annual savings of $2 million.
MCC: Are there solutions to help manage the risks inherent with BYOD programs?
Leatha: A combination of policy, training, and technology can help mitigate the risks associated with a BYOD program. First, organizations must have a strong BYOD policy that covers all aspects of personal device usage, including password and security requirements, acceptable use, continuous monitoring, data ownership, and separation procedures. In addition to a well-written policy, employees must also be educated and trained on the policy. It is not enough to receive a signature at the time of hiring; a strong training program is essential to employee compliance.
Fortunately, several technology solutions have emerged that can manage, monitor, and even enforce the corporate-defined BYOD policies. These technologies fall into a category of software and services called enterprise mobility management (EMM), and they can significantly reduce the risks introduced by the use of employees’ personal devices. EMM software offers a range of solutions, from device configuration and software updating to policy monitoring and enforcement. Strong password policies and data encryption can be centrally managed, and devices can be partitioned to separate personal and business use. Monitoring solutions can help detect and even prevent intentional or unintentional data sharing or leakage. At the time of separation, EMM software can be used to securely wipe or eliminate corporate-owned information from the device while leaving personal data intact. EMM software can even be used to locate or wipe a lost or stolen mobile device.
MCC: Has the shift to bring your own device paid off, and relative to this answer, is there either data-based or even anecdotal information to back up this perception?
Leatha: It really depends on the type of company, the company’s appetite for risk, the types and sensitivity of data that it works with, and the policies and solutions put in place to manage the BYOD program. Companies that work with highly sensitive data or those with a low appetite for risk will need to invest more in policy, training, and technology solutions. In some cases, the investment required for a strong BYOD program can exceed the cost savings and thus it is ultimately a financial decision.
For those companies that adopt a BYOD program without taking the appropriate steps of policy development, training, and technology implementation, BYOD can backfire and incur unexpected costs. For example, a BYOD program could have a significant and quantifiable cost if it were responsible for the loss or breach of data such as personally identifiable information (PII) or other sensitive information. According to the 2016 Ponemon Institute study, the average cost of a data breach was $4 million, or $158 per record.
Another potential financial impact of a BYOD program is the risk of having unique data on a wide variety of personally owned and managed devices. If a company needs to respond to a discovery demand, the unique and unmanaged data from personal devices may be relevant and require forensic collection that can cost several hundred dollars per device. Adding to this challenge is the fact that devices in a BYOD program typically vary significantly in make, model, size, and functionality. This variation, along with the fact that passcodes are typically managed by the users, may cause additional challenges in collecting data from individual devices.
MCC: What new types of data are created by mobile devices?
Leatha: Mobile devices today are collecting a substantial amount of data, a lot more than just call logs, text messages, and emails. Modern mobile devices have many sensors built in – GPS, barometer, accelerometer, gyroscope, compass, and thermometer, to name a few – that can constantly record information such as location, speed, ambient noise and light, temperature, and much more. In addition, mobile device applications track and store most aspects of a user’s activity, including browsing the internet, posting on social media, communicating by chat and voice, and even game play.
This information recorded by mobile device applications and sensors can have a considerable impact on investigations, especially when an employee’s location or activities become important. Knowing whether an employee is at a specific job site when they are billing the customer, or whether they are posting on Facebook while driving a company-owned vehicle, can be significant. This information can become very valuable in wrongful termination matters, wage and hour disputes, and other types of litigation.
MCC: How has the cloud impacted these programs?
Leatha: The cloud is one key innovation that has enabled mobile devices to become so useful. Applications that allow instant communication with colleagues, access to corporate data, industry-specific tools, and other productivity solutions are made possible by the public and private cloud. If a BYOD program is not properly implemented, it is very likely that sensitive corporate information is being stored or synchronized to non-sanctioned cloud accounts that are managed by the employee and not the company. Mobile devices require a user account to allow access to these cloud accounts, and if the employee uses their own Apple iCloud, Google, or other service account, sensitive and protected data such as email, contacts, text communications, documents, photos, and even passwords can be backed up or synchronized to these employee-managed accounts. If the employee leaves the company or if these personal accounts are breached, this can introduce significant risk to the company.
MCC: After all of that, would you still advise embracing a BYOD program?
Leatha: A well-managed BYOD program is a great solution for most organizations. When making the decision to move from a corporate-owned to an employee-owned device program, it is important to first understand the goals, the risks, and the benefits of making the change. The success of a BYOD solution depends on a thorough design, skilled management, and equally robust information security and information governance programs. For some companies, keeping a traditional corporate-owned program or even a hybrid corporate-owned, personally enabled (COPE) program will be the better solution.
Brandon Leatha is a Director with iDiscovery Solutions (iDS). He can be reached at firstname.lastname@example.org.