Bring your own device: managing the risks

Bring Your Own Device (BYOD) - the practice of employees routinely using their personal laptops, mobiles and other internet connected devices for work - has become increasingly common over recent years, with one survey suggesting that BYOD has already been taken up by over half of UK workers. Using a single device at home and at work can pay dividends for both employees and employers in terms of convenience, increased efficiency and reduced cost. But there are also various risks that need to be managed, especially in the case of law firms which handle sensitive client data.

BYOD is an attractive option for lawyers who occasionally need to work remotely but practice managers should work with HR departments to ensure that appropriate policies are in place to minimise any negative consequences. Although there has been scant case law in the UK specifically dealing with BYOD issues, a few international cases can serve as good examples of what to look out for.

Protecting the data of clients and employees

In the case of Rajaee v. Design Tech Homes, the smartphone used by an employee was remotely restored to its factory settings by his company when he tendered his resignation. This deleted all of the data on the phone, belonging both to the company and to the individual. The former employee lodged a claim under the equivalent of the Computer Misuse Act, which makes it illegal to secure unauthorised access to data held on a computer. He lost his claim in the American court, but it’s uncertain how a UK court would view this situation.

Although it’s vital that firms protect sensitive client data – as well as any confidential information pertaining to the practice or its employees – they must also pay heed to the data of a departing employee. A BYOD policy should specifically cater for the situation of employees terminating their employment. It may be possible to partition a device, so that only company data is wiped.

But firms must remember to address data protection and client confidentiality implications of BYOD at all times - not just when a fee earner is leaving - in accordance with the Data Protection Act as well as SRA rules. This may involve requiring staff using their own devices to ensure that antivirus software is regularly updated or to use a secure company VPN when working via public Wi-Fi hotspots.

Who pays for the BYOD?

In the case of Cochran v. Schwan’s Home Services Inc, a Californian court held that employees who are required to use their personal smartphones for purposes of work are entitled to a reimbursement of a reasonable percentage of their mobile phone bills by their employers.

This case serves as an example of the importance of establishing who pays for what right from the outset in BYOD arrangements. Mobile minutes and data plans aside, the cost of purchasing a laptop or other devices can be contentious. Employers may offer to reimburse the initial outlay on certain conditions (e.g. that the employee completes at least one year of service). A BYOD policy should set out these conditions clearly and provide for the various potential outcomes in terms of who owns what and whether anything needs to be repaid.

BYOD and employee monitoring

A little closer to home, the European Court of Human Rights (ECHR) considered the issue of employers monitoring the communications of their staff in the case of Barbulescu v Romania. Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account to communicate with customers. His use of the messaging app was monitored by his company and, when it was discovered he was also using it for personal communication with his fiancée and brother, he was dismissed on account of breaching their policy on the use of company resources. Mr Barbulescu lodged a claim against his employer, arguing that, in accessing his personal communications, his “right to respect for his private and family life, his home and his correspondence” under Article 8 of the European Convention on Human Rights had been breached. The ECHR held that no breach had occurred and that his employer had struck the correct balance between his right to privacy and their business interests.

Although not specifically related to BYOD, this case highlights the tricky nature of the increasingly blurred lines between work and personal life. BYOA (Bring Your Own App) goes alongside BYOD and employers must take care if they intend to monitor use of messaging apps (or other types of apps) by their employees. Having clear policies in place is vital.

About the author:
Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a legal copywriting and marketing agency.