Question (and answer) of the month

When a client comes to you, they won’t usually say ‘Please can you explain the implications of the Svensson case to me?’; they are more likely ask ‘When is it lawful to link to other websites?’.

In Lexis®PSL IP & IT we have developed a series of Q&As that are typically scenario-based and phrased in terms of the question or conundrum a client will typically come to you with.

The LexisAsk service in Lexis®PSL delivers answers to typical and topical problems or issues that our customers face.  The ‘best’ (ie most popular, interesting, relevant or topical) of these questions and answers are then modeled into a ‘Q&A’ style format, and published.

The purpose of a Q&A is to provide a quick overview of the relevant key considerations, together with links into useful information (from Lexis®PSL and LexisLibrary), allowing either a quick refresher or a starting point for deeper research.

You can also sneak a peek at the types of questions that other lawyers are asking (anonymised of course!)

Each month WIPIT will be fetching you a sample Q&A.

Against a backdrop of data security scares arising from increasing use by employees of their own devices, we respond to the query:

How do I develop a bring your own device (BYOD) policy?

1. Focus on the policy objective—protecting company information

The objective of a BYOD policy should be to ensure company information is adequately protected, while facilitating more flexible working by users. Any security measures adopted by the company as part of BYOD should only go so far as is necessary to achieve this objective and be proportionate, considering individuals' personal privacy.

2. Define who is covered by the policy

Limit BYOD to those users who it is desirable to allow to work in this way, eg allowing suppliers/partners/customers to connect to the company network using their own devices adds complexity and potentially increases risk. Give BYOD users access only to the specific company IT systems they need to use in this way, rather than the entire company network.

3. Specify the devices covered by the policy

Detail the relevant technical specifications for devices that can be used under BYOD. Outline any procedure for registering devices and implementing any security measures required before devices can be used to connect to work systems. Blacklist any non-permitted apps or activities (eg 'jailbreaking') that may interfere with functionality of company IT systems or pose a security risk.

4. Adapt depending on how company systems are accessed

If company information on company IT systems is accessed via a web portal and no local copy is saved on the user's device, the information security risk to the company is minimised and (apart from possibly initial set-up) there is generally no need for the company to access data on the user's device. Alternatively, if users can save company information onto their personal devices, stricter (and accordingly more intrusive) security protections may be needed.

5. Encourage users to separate their data from company information

If company data is saved on users' personal devices, direct users to implement appropriate protocols for filing company information separately from personal information. This minimises potential intrusion for the user and makes it easier for the company to identify and ringfence company information. Encourage users to regularly back up their data on personal devices, so this can be restored if necessary.

6. Be clear on what will happen if the device is lost or stolen or users stop working for the company

Identify clearly who in the company the user need to contact if a device is lost or stolen or if they cease to work for the company, and what will happen in that situation. Notify the user in advance if data wiping technology is to be used—use this only if there is no viable alternative, as generally it is not possible to selectively wipe company data, therefore user data will be lost as well.

7. Consider who is responsible for costs and support

Clearly set out who is responsible for the cost of repairs and service provider charges relating to the user's device—these may be shared proportionately on an agreed basis or specific costs may be allocated to one party or the other. Outline any obligations the company may have to support user devices, eg for connectivity issues at the company's end, restoring backed up user data after data wiping by the company, or downloading or updating company-prescribed software/apps on users' devices.

For Lexis®PSL IP & IT  Subscribers, a checklist of issues to consider in a BYOD policy are outlined in precedent: Bring your own device (BYOD) policy and a more detailed discussion of the considerations and risks relating to BYOD is contained in Practice Note: Bring your own device (BYOD).




Area of Interest