It has become practically impossible to separate the use of personal devices at the workplace due to the growing dependence on electronic devices for formal and informal communications. As a result, many companies now authorize the cross-use of electronic devices for professional and personal usage. This practice is known as “Bring Your Own Device” (BYOD).
In general, it refers to the practice of employees connecting to their organization’s networks and accessing work-related systems and potentially sensitive or confidential data via personal devices.
Earlier, employees solely utilized company-issued gadgets in the workplace. With the introduction of BYOD, employers cut costs on the business’s daily operation, including reduced expenditure on hardware, software licensing, etc. Now that smartphones and other portable devices have become so common in the consumer sector, practically every employee brings their own internet-connected gadgets to work.
Employees that follow BYOD model at the workplace don’t carry separate devices as they utilize similar devices for personal and professional uses. Consequentially, this increases the chances of posing a security risk to the organization. In light of the given situation, this article aims to tackle the privacy concern involved in implementing BYOD, while also discussing the potential measures to be implemented by employers to mitigate the security risk associated with the practice.
EMPLOYER’S DATA SECURITY CONCERNS UNDER BYOD
Data theft is one of the most common methods used by interested or unrelated third parties to compromise a company’s personal and confidential information. If employees are allowed to use their own devices without supervision, some of the personal applications are likely to fall short of security requirements.
Additionally, in case the employee’s personal account is hacked, company data and confidential information could be exposed, and potentially critical corporate data and poorly managed personal devices can be the ideal target.
Moreover, employees download numerous information and files, such as PDFs and programs, to their own devices. If an employee fails to discern between valuable corporate data and data utilized for personal gain, security may be jeopardized. When the employee logs in from the infected device again, the malware could be transmitted to the workplace network, further infecting other devices with similar malware, and putting more corporate devices at risk.
Similarly, if an employee does not follow proper corporate security standards when using their device, loss or theft might result in a massive security breach of privacy-sensitive data kept on the device.
For example, the employee could be saving their passwords (both personal and corporate) in an unprotected notes app, making it simple for someone who gains access to the smartphone in order to gain illegal access to corporate accounts. Besides the technical error related to security breaches under BYOD, the human error also plays a role in many security flaws and breaches.
THE CHALLENGES WITH EMPLOYEE DATA PRIVACY
Identifying to what extent an organization can lawfully monitor and access its employees’ personal devices is perhaps the most essential aspect of implementing a BYOD strategy. When employees cannot assess what employers can see or access on their personal devices, the apprehension of data privacy violation is usually amplified.
It is up to the employer and the organization’s BYOD policy to assuage these fears by keeping work and the personal applications distinct on employee-owned devices. Organizations can no longer afford to rely on old-fashioned security approaches, given how quickly mobile technology has surpassed enterprise security.
When an employee uses his personal device for work and the company needs to extract corporate information from the device, a forensic study may be required. Furthermore, it would be complicated, if not impossible, to discern between the employee’s personal information and the employer’s corporate information because both would have merged.
As a result, the employer may access the employee’s sensitive personal data during the forensic analysis, infringing on the employee’s Right to Privacy. Hence, it is for these reasons that while maintaining the employee’s privacy and maintaining records for the corporate compliances, the right balance should be struck with the help of an effective BYOD policy.
Obtaining consent is of pivotal importance in such circumstances. It is one of the few ways to avoid legal issues by directly obtaining the informed consent of the concerned employees. The employer can prevent any legal difficulties from tracking or monitoring the devices by taking the easy step of gaining informed consent from all employees before launching the BYOD policy. This way, the BYOD policy can be utilized fully to its full potential without worrying about employee privacy.
CONFLICT BETWEEN DATA PROTECTION AND PERSONAL PRIVACY
In the event an employer excessively monitors an employee’s daily activity on a personal device, it can be seen as invading employee privacy, and in some countries, it may even be breaking the law for the same. Conversely, if it is not monitored and controlled enough, it places the company’s data at considerable risk.
Balancing these two seemingly opposing interests is the greatest challenge to successfully implementing a BYOD policy.
One of the few ways available to avoid corporate data infringement through technological solutions includes;
- Mobile Device Management (MDM)
It is a solution that provides a mix of total control for companies and complete flexibility for employees by allowing them to install, secure, and integrate devices into a network, as well as monitor and manage those devices from a central location.
The employer’s administrator will remotely access the employer’s corporate information on the employee’s device once the MDM software is installed on the employee’s device. However, the employee’s privacy may be violated because the individual may not know what or how much information the employer’s IT administrator collects from their personal device.
Whitelisting permits only access to a list of permitted apps rather than prohibiting access to a list of individual applications. Because of the large number of programs and websites available, it’s generally seen as a more efficient method.
It is sometimes too late to establish whether an app poses a security concern after an employee has downloaded it and used it to transfer data. Whitelisting solves this problem by denying access to anything that has not been pre-approved as safe by the IT department of the organization.
The process of restricting or prohibiting specific programs that are assessed to constitute a danger to business security is known as blacklisting. Some firms use blacklisting to limit employee access to programs that can reduce productivity, such as gaming or social networking apps.
File-sharing services are another category of applications that frequently appear on blacklists, as employers fear that employees would share sensitive information with unauthorized third parties, either purposefully or unwittingly.
While blacklisting might help limit access to programs that don’t match the company’s security criteria, it’s not commonly employed for BYOD because the procedure involves managing access to applications on employees’ personal devices both during and after work hours.
It is becoming more widely available in conjunction with MDM systems. Containerization is a mechanism for isolating a piece of a device from the rest of the device’s programs and content into its own protected bubble, protected by a separate password and governed by a distinct set of policies.
It allows employees to use their devices unrestrictedly on their own time without posing a security risk to the company’s network. Personal apps and other container-operated features are inaccessible while a user is logged into the containerized area. Other standard security measures include installing anti-virus software on individual devices as one of the standard measures.
FORMULATION OF EFFECTIVE BYOD SECURITY POLICY
Despite the wide acceptance of the BYOD model, many firms that have adopted the model fall behind in adopting an effective BYOD policy, which results in many employees utilizing personal devices with privacy-sensitive information without any security feature in place.
After opting to enable corporate usage of employee-owned devices, the next step should be adopting an ideal BYOD policy. BYOD policy is intended to guarantee that employees utilize strong security practices when connecting to the workplace network, not just to eliminate the need for employees to carry multiple devices.
Overall, an effective policy should focus on the need for security, and provide clear guidance on what actions are permissible and unacceptable on personal devices with access to corporate information systems. Furthermore, a firm’s BYOD policy should state that “any company information and emails” on all personal devices remain “the exclusive property” of the company, and that the employer may access and remove any company data that “may be in peril” “in its discretion”.
There is no such thing as a minor risk when it comes to business usage of personal devices, and giving employees advance warning is the best approach to avoid legal exposure.
An ideal BYOD policy shall include the following:
- IT-approved mobile devices, any incentives or cost reimbursement for using personal data plans for work-related activities, a clear definition of the termination policy, and software that must be installed to help secure the device, such as MDM or mobile application management (MAM) tools; security measures such as password requirements, user responsibilities around the device and its network access; and an exit plan.
- Many organizations, particularly those that handle sensitive data, are turning to MDM service providers to offset the technical hazards of allowing employees to access company data on their own devices. MDM, in essence, extends BYOD protection and is “intended to plug security vulnerabilities” in employee personal device use. MDM allows businesses to exercise device control, monitor applications, and remotely wipe the device if it is lost or stolen is now clearly proving to be a valuable addition to any BYOD strategy until other better alternatives are discovered.
Due to the convenience accrued by employees and the cost-effective nature of the BYOD model for employers, the BYOD model has a long way forward in streamlining the day-to-day activities in corporate and other relevant sectors. The model comes with its own set of issues that cannot be ignored and require close scrutiny from legal and technical perspectives.
The risk associated with BYOD can be mitigated to a certain level by adopting an effective policy, which, when put in place, adheres employers and employees to a similar level of scrutiny in relation to privacy and data protection, respectively.
As the laws relating to privacy protection in India are still at a nascent stage, there is no particular judgment relating to the impact of BYOD employee privacy in India. However, such practices are followed across the globe, and the organizations functioning in India can try to implement the best practices followed by other organizations internationally.
-Team AMLEGALS assisted by Mr.Vishal Lodhi (Intern)
For any queries or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com.