BYOD may become the dominant model for provisioning devices, but that doesn't mean it's a slam-dunk; BYOD legal issues are nothing to sneeze at.
Companies see that the bring your own device (BYOD) trend has the potential for cost savings and improved end-user satisfaction, both of which allow everyone involved to go home happy. But there are many BYOD legal issues that come with workers' access to corporate resources via devices that are not under IT's control. Corporate resources include files that contain sensitive information, plus access to networks, applications and servers. The integrity of these resources is paramount to the daily operations of IT.
From a legal perspective, not all the aspects of consumerization have fallen into place yet, so many BYOD legal issues don't have resolutions. This means that IT has to have a comprehensive BYOD management strategy that enables users to be productive without crossing legal lines.
Policies and basic agreements have been the primary tools to establish mutual understanding of rules between management, IT and users and to enforce those rules. It's a good idea to have some policies in place, such as a security policy, social media policy, acceptable-use policy and a BYOD policy or agreement. But it's also important to cover your bases when it comes to thinking about the legal implications of BYOD.
I recently spoke with Justin Castillo, a technology lawyer with Levine, Blaszak, Block and Boothby in Washington, D.C., who represents enterprise customers in legal matters. Castillo presented a surprising set of considerations, including the following:
Work versus personal use. There may be overtime or other considerations under the laws governing wages and hours. If hourly employees use their phones after working hours, their employer may need to pay them overtime, depending on what specific tasks workers are performing. When an hourly employee continues work after his hours, he is entitled to overtime pay.
Privacy. Companies should evaluate how they use tracking technologies and access to users' personal information stored on devices because problems around the invasion of workers' privacy may arise. Privacy laws with respect to BYOD are still amorphous, so the line between managing and supporting a user's device and invading his personal privacy is blurry.
Liability. There are numerous considerations here, such as a worker using a wireless device while driving. Talking or texting while driving are never advisable, but an employer might become a party to legal action if an employee using a mobile device for business purposes has a collision.
Castillo's suggestions for successful operations in spite of BYOD legal issues include establishing a focus on data, not the device policy. Secure containers are a step in the right direction. Ham-fisted solutions such as device wiping are not. IT should also limit BYOD to workers who truly need access to sensitive information or who travel extensively. Companies may want to exempt workers from using personal devices for work to avoid overtime claims.
While organizations can try to impose whatever policies they want, employees won't agree to or abide by them if they are unrealistic or rigid. All parties involved -- human resources, legal, IT, finance, operating departments and individual staff members -- need to have input. Common sense and access to good advice regarding BYOD legal issues should prevail.