LEGAL
An increasing number of the nation's most successful businesses now routinely permit employees to use their own personal computing and communications devices (e.g., smartphones, tablet computers) in the workplace for business activities. Large, medium, and small businesses often encourage their employees to use their personal computing and communications equipment for business purposes. The growing acceptance of this "bring your own device" ("BYOD") environment carries important business advantages; however, it also presents significant risks.
Use of personal devices by employees can result in security breaches, legal liability, and loss of business. To guard against these significant threats, many businesses now apply specific policies governing employee use of personal information technology devices and applications. The following are some of the key provisions included in those policies:
Employee use of public systems that support file-sharing (e.g., systems such as Dropbox) increases the risk that proprietary material will be inappropriately disclosed, as they facilitate storage of business-related materials on third-party computers. Accordingly, prudent businesses now prohibit or limit employee use of public file-transfer systems for business purposes.
Automatic routing of business e-mail messages to public webmail services increases the possibility of improper disclosure of proprietary information. By moving large numbers of business-related messages to external computers and networks, automatic e-mail forwarding significantly reduces the ability of a business to manage the security of its communications. Many organizations now routinely ban automatic e-mail forwarding.
Smartphones and other mobile devices enable users to create Wi-Fi hotspots at a wide range of locations to provide mobile Internet access. However, those mobile hotspots are often not properly secured. As a result, material communicated at those locations can be accessed by unauthorized users. To address this security threat, businesses now frequently prohibit their employees from conducting business through unsecured Wi-Fi hotspots.
Lost or stolen devices constitute a significant threat to business security. To deal with this problem, many organizations now apply policies that require all personal devices to be modified so that their memory can be erased remotely before the device can be used by the employee for business purposes. This remote-disabling capability enables the business to reduce the risk of unauthorized access to the content of devices and the network in the event that equipment is lost or stolen.
Mobile devices carry a range of applications and perform numerous functions that can present security threats. For example, the "iCloud" and "Siri" (voice activated personal assistant) functions offered by Apple devices can pose security risks. The "iCloud" capability permits public file-transfer functions and "Siri" uploads spoken queries made by users to servers controlled by Apple. Both of these functions can result in unauthorized disclosure of proprietary material. Once disclosed, the proprietary material is generally retained by the service provider for a significant period of time and thus remains accessible to a variety of different parties.
Employees commonly make use of a variety of information technology devices as they perform their business duties. Often they use a combination of devices owned and provided by their employers along with their own personally owned equipment as they do their work. The environment is made more complex by the increasingly common practice of employers subsidizing the purchase of computing and communications devices by employees and permitting the employees to select their own devices and to use those devices for both business and personal purposes. Policies and practices addressing information and communications technology use in the workplace must recognize and address this wide range of equipment. They should specifically speak to all equipment used for business purposes by employees, including both company-owned and personally owned devices.
BYOD strategies can be efficient and effective for businesses. They must, however, be accompanied by clear authorized use policies and practices which are effectively enforced. Without adequate oversight, BYOD systems will not make an organization more effective, but will instead expose it to significant legal and commercial threats.
-->
