Legal Considerations of BYOD for the IT Pro

Take My Wife . . . Please! Okay, so it’s an old joke.  And, I’d venture that many of you reading this may not understand my reference to Henny Youngman, dubbed “the king of the one-liner” by Walter Winchell.  In fact, my own CTO admitted that he had to google the phrase to understand it. But, I digress.

So, why did I pull this out of the “old joke archive” to introduce a blog about the legal aspects of BYOD?  It simple, really.  It’s because in the world of BYOD, there is a lot of FUD being spread around about what enterprise IT can or will do with your personal data, all in the interest, of course, of selling you software that protects you from this problem . . . oh, wait, um protecting your privacy and making sure you don’t lose that photo of Sally’s last lacrosse goal or that video of Johnny’s recent piano recital. So, I’ve stepped back up on my soapbox to say, “stop with the FUD about how your personal data is going to be “owned” by your employer and let’s talk about an aspect of BYOD that doesn’t get enough attention – legal liability.

Before I go any further, my legal advisor (aka, me) requires that I provide the following disclaimer “I am not a lawyer and my comments are NOT intended to give legal advice or to replace the advice of your legal counsel”. That said, here are some thoughts on the legal aspects of BYOD.

To begin, BYOD is here already and it’s here to stay – whether you want to admit it or not. So, if you’re a corporate IT/security professional and you’re not proactively dealing with employee-owned devices as part of your day-to-day responsibilities, you’re needlessly exposing your company to increased risks with legal ramifications.

Don’t believe me?

Following is a partial list of Federal laws and regulations which directly impact BYOD – The Health Information Portability & Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Graham-Leach-Bilely Act (GLBA), North American Electric Reliability Corporation and the Federal Energy Regulation Commission.  A number of state enacted laws and regulations have similar requirements.

So, what’s a corporate IT security professional to do?  Well, there are a number of things:

  1. Set policies and standards around what comprise acceptable devices, networks and service plans, how to configure and enroll acceptable devices, and the support parameters. This should happen BEFORE allowing BYOD to the extent possible (or, you may find yourself with the same problem IBM had a few months ago when, after they OK’d BYOD, subsequently discovered that 100,000 employees were using DropBox to store company data).
  2. Define security standards such as the minimum security required to access corporate networks, authentication parameters, how to deal with (and report) lost passwords and lost devices and what to do when an employee leaves the company.
  3. Define privacy standards.  Specifically, make it clear that, by policy, corporate data (what’s important to corporate IT) is segregated from personal data.
  4. Monitor compliance with established policies and standards.

BYOD does not have to expose the corporation to unacceptable risks if corporate IT/security administrators take straight-forward actions to minimize them.  These actions include, among other things, an assessment of how BYOD users will use their devices and identifying the possible risks associated the individual use cases; implementing security policies, keeping them up-to-date, and making employees aware of such policies; using easy to comply with and easy to administer security technologies; and monitoring compliance with policies with appropriate remedial actions taken when non-compliance is discovered.

Oh, and just to re-emphasize my early premise. I don’t want to see the photos of your family vacation, videos of your kids doing the Harlem shake or, God forbid, “cute” pictures of your cat.  Your enterprise IT security professional doesn’t want to either.