“If you can’t beat them, join them.” That adage fairly
summarizes the results of a recent Forrester study of the legal implications
related to a bring your own device (BYOD) policy, “Navigating the Legal and Compliance
Applications of BYOD.” According to a January 13 Forrester blog by David Johnson, a
co-author of the study, technology attorneys participating in the study agreed
that “once you learn that BYOD is happening in your organization,
you have a legal obligation to do something about it, whether you have
established industry guidance to draw on or not.” In other words, you must take
action to minimize the risk.
If only it were as easy as it
sounds. As pointed out by Johnson:
- The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be.
- There is no data leak prevention tool for the human brain, so arguably the most valuable and sensitive information walks around on two legs and leaves the building every night. Accepting this is important for keeping a healthy perspective about information risk on employee-owned devices.
Despite the challenges,
organizations need to address the issue. Intellectual property misuse and
accidental data loss are the top BYOD risks cited by Forrester. Patent,
trademark, and copyright infringement may be very common, writes Johnson, but
they also are next to impossible to police with technical controls.
For example, Johnson writes,
if attorneys can prove that employees are using for the organization’s business
purposes software they know is not properly licensed, it can be considered “willful
and illegal misuse of someone else’s property” and the organization can be held
liable for past licensing fees and damages.
According to Charles F.
Luce, Jr., partner at Moye White in Denver, it doesn’t matter whether the employee
or the organization owns the device on which the software is installed. Johnson
writes that according to Charles Gray, practice manager for Accuvant's risk and
compliance business, any device used in a regulated business needs to adhere to
the same regulations and industry standards as company-owned equipment.
There is little specific guidance for BYOD policies and technical controls. Johnson
says auditors tend to look to the U.S. National Institute of Standards and
Technology’s (NIST) technical control specifications for guidance, but “it's
often subjective because device and platforms evolve so quickly that it renders
the guidance obsolete almost immediately.”
Governance starts with a clear policy and education. Johnson says a signed BYOD agreement with each employee, along with
adequate education on the risks and employees' responsibilities, is the
absolute minimum control that should be in place. He also recommends electronically
enforcing policies for employees incapable or unwilling to do their part.
“A viable BYOD strategy addresses culture,
responsibilities, education, policy, and technical controls. It recognizes the
value that BYOD brings to employee engagement and performance and features a
clear agreement between the organization and each BYOD employee that outlines
what each is responsible for. Technology's role is to help foster safe
behaviors, control information access, and verify ongoing compliance – all without getting in the way of creativity,
productivity, collaboration, or other daily activities,” Johnson writes.
Forrester suggests creating a technology
approach that promotes engagement while enforcing the policy. This means
keeping employee-owned devices off of the corporate trust network while
allowing access to information through secure proxies and interfaces. In
regulated environments, it also means sensitive data is never stored on
employee-owned devices, but in less stringent environments it can mean simply
controlling access to systems of record such as customer databases to prevent
anyone from walking away with a data dump.
The ARMA International technical report Mobile Communications and Records and Information Management (ARMA TR 20-2012) also offers advice on BYOD policy design, security,