The legal ramifications of moves towards corporate Bring-Your-Own-Device policies extend far beyond simple issues of IT security and the legal discovery issues of locally held commercial data. The biggest challenge facing the commercial world is how far businesses will have to go in regulating the online life of an employee.
Most companies have a dusty old clause in their employee contracts which states that there is no privacy in the use of firm equipment. Recent proposed legislative amendments in the US and cases in Canada (R. v. Cole, 2012 SCC 53) clearly show that the use of social media on corporate platforms is (a) increasingly permissible and (b) restricted from company access. More importantly, they highlight how corporate and personal data are being blended together in a socio-corporate online collage.
Previously, companies and government departments have been able to ignore personal cries for BYOD due to: (i) enterprise security concerns, (ii) legal risks around e-Discovery, (iii) a perception of limited utility in social media and (iv) cost pressures relating to IT support costs. However, now:
- Enterprise security is no longer an excuse. Increases in corporate cloud-based applications and desktop virtualisation mean that limited data is stored or cached on local devices. In addition, any security breaches can be isolated to a certain user profile. In the end, Bradley Manning and Wikileaks highlight the fact that there is little that will stop a disgruntled employee if they are intent on data theft. Heavily layered, holistic security is the only answer.
- Mobile connectivity and enterprise workflows reduce local data storage. Previously, compliance requirements for eDiscovery have limited the ability to store data locally. However, mobile coverage is now better and costs have reduced for 3G/4G and Wi-Fi access. Coupled with cloud/virtual apps and the ability to sign documents in and out of company portals, this means that firms can reap the benefits of extended and flexible working along with greater Discovery compliance.
- The benefits of social media have extended the boundaries and time of the corporate workplace. Corporate blogging has now, apparently, increased to 38% with two-thirds of companies having a social media presence (beyond the 50% level in 2009). Social media not only provides additional channels for marketing but it also increases both external and internal customer/stakeholder engagement (and such engagement extends both beyond the doors and timeframes of the office).
- Multi-device support does not require bigger IT departments. In fact, support is far more user-friendly (e.g. Salesforce.com, MS 365, etc.) and has not resulted in burgeoning IT departments. Companies can specify what devices they do support and outsource platform support to infrastructure providers.
The fact of the matter is that companies and government departments must move to BYOD sooner rather than later. In a recent article, Elizabeth Johnson of law firm Poyner Spruill LLP notes that in the US:
- 87% of people confirm that they use personal devices at work.
- 48% of companies state that they will not allow it.
- 57% of the same companies acknowledge that employees do it anyway.
- 72% check email on their personal devices.
- 42% check email on personal devices even when sick.
In fact, many US college students claim that they would accept lower pay for the flexibility to use personal devices at work. Whatever the case, the creeping cloud of BYOD will take hold, if only due to the cost benefits of not having to pay for new devices enabled by better enterprise apps and improved enterprise security.
I would posit that much of the blame for limited uptake can be laid on the fact that organisations are simply unwilling to deal with the additional layer of complexity. BYOD lies at the nexus point of enterprise trust: their data in your hands. How far are companies willing to let go of their information in order to reduce costs and increase productivity? Will the law protect commercial interests in data rather than just IP? Or computer-based personal records? In the case of PhoneDog v Kravitz, the employers (PhoneDog) set up the Twitter account “@PhoneDog_Noah”, which the employee used “to disseminate information and promote PhoneDog’s services.” During his employment, Kravitz’s Twitter account attracted approximately 17,000 followers. When he left, he kept using it and gained another 10,000 followers. PhoneDog claimed that the account was theirs and sued for damages. The court was satisfied that an economic interest was established and that harm was done.
In brief, the answer is that companies need to define the touchpoints where their data meets the social sphere. If businesses are to reap the benefits of increased customer/stakeholder management through wider adoption of emerging social software platforms, enabled by BYOD, then they need to deal with the added complexity at the nexus point of security, legal and information management.