The Risk Manager, Summer 2015
If you don’t know what BYOD means, this article is for you. BYOD stands for Bring Your Own Device to Work. Devices include personally owned laptops, iPhones, iPads, smartphones, and tablets that are used for both work and personal purposes. Apple even has an “iPhone in business” feature on its website to facilitate its use at work.
This article is intended to alert you to the risk management considerations of allowing firm lawyers and staff to turn their personal devices into ones used for both personal use and firm activities. The source for this information is The Littler Report: The “Bring Your Own Device” To Work Movement. This report is a comprehensive treatment of BYOD directed at all businesses and equally applicable to law firms. What follows is an overview of the issues discussed and risk management advice offered.
The overarching risk of BYOD is that firm data is no longer stored on devices the firm owns and controls. This risk includes client confidentiality breaches, loss of records retention control, loss of privacy for firm members, and more. The Littler Report identifies BYOD risks as follows:
- Lost or stolen devices: This is the greatest risk of loss of firm data.
- Malware: The opportunity for the introduction of malware in firm IT systems is significantly increased.
- Friends and family: Friends and family using the device is counter-intuitively a greater security risk than hackers.
- Gateway to the cloud: BYOD allows firm members to store data in the Cloud in a variety of ways that expose firm data to a security breach far beyond any secure Cloud service the firm is using. In effect, it can amount to a complete loss of control over firm data.
- Implications of a security breach: Any of these risks can expose a firm to violation of numerous laws such as HIPAA.
The Littler Report includes a list of considerations in developing a risk management program. The key ones from a law firm perspective are:
- Decide which employees should be permitted to participate in a BYOD program: Not everyone in a firm needs to BYOD. Tight control over who is authorized to do so is essential.
- Reduce expectations of privacy: Firm members must understand that the firm may need access to their device and may need to copy the entire device.
- Require employee consent: Do so in writing, including consent to monitor the device, copy it, and remotely wipe it.
- Authorization to use BYOD is a privilege not a right.
- All other firm policies apply when firm members use their dual-use device during work hours or on work premises.
- Firm members must provide dual-use devices to the firm upon demand, preserve data, and delete backups.
- Firm members must follow good security practices: This includes using strong passwords, not disabling security settings, and not upgrading the device without coordinating with the firm.
- Immediately report lost or stolen devices.
- Compliance with firm IT configuration instructions: Firm members must comply with all instructions on device configuration.
- No friends and family sharing BYOD.
- Limit BYOD use of cloud-based storage for company data: Use the Cloud only with firm approval.
- Firm help desk support: Decide whether the firm will provide help with device technical problems; if it does not, firm members may seek support from outside technicians and thereby expose firm data.
- Mobile device safety: Establish firm safety rules for use of BYOD while driving on firm business.
The Littler Report: The “Bring Your Own Device” To Work Movement is recommended risk management reading for all firms allowing BYOD. It is readily available on the Internet – just Google the title. (last viewed on 6/9/2015)