13 December 2012 | Martin Sloan
‘Bring your own device’ (BYOD) is a hot topic, but what legal implications should a firm in favour of this bear in mind?
A growing number of firms are allowing staff to use their own smartphones and tablets at work, but there are legal aspects a company should consider when allowing employees to use personal devices to access the corporate network.
The primary concern of any organisation considering a BYOD rollout is likely to be security of corporate data.
By definition, employee-owned devices are outside the control of the corporate IT function. So giving staff direct access to the corporate exchange server, or allowing them to download corporate documents on to their devices, raises a number of information security issues.
One way of managing this risk is to use mobile device management (MDM) software. This enables an organisation to apply approved enterprise device security policies, defining the minimum security settings required to enable remote access to corporate data (for example, encrypted back-ups and secure passwords) without the need for a virtual private network (VPN). MDM software will also allow the organisation remotely to delete the corporate data from the device in the event that it is lost or stolen.
Many organisations consider providing corporate access on employee-owned devices through virtual desktop infrastructure (VDI) such as Citrix, which allows the user to access his or her corporate desktop from another device. But VDI access can raise software licensing issues, as the organisation will need to be licensed for the use of enterprise applications through the VDI.
Microsoft’s standard product licences, for example, operate on a per-device basis. This means that an additional licence is needed for each mobile device used by employees remotely to access the corporate environment. In the case of Microsoft products, such licensing may be provided through a Software Assurance contract (which provides ‘roaming’ rights for existing licences), or a Virtual Desktop Access licence.
Other software vendors may charge extra for a mobility version of their application, or for a mobility server that enables access through a mobile app.
Are your licences restricted to use only on enterprise-owned devices? If so, then BYOD may cause a problem.
For those considering a widespread rollout of VDI access or corporate applications, it is essential to review software licences and BYOD licensing needs when enterprise licences are up for renewal.
Ensure you have a clear policy setting out how your BYOD scheme operates. Drawing it up will require input from the IT, HR, legal, procurement and compliance departments. The policy should address questions such as:
- What happens if a device is lost or stolen? Who pays to replace it? What happens to the data on the device?
- Who is responsible for maintaining device back-ups?
- What happens if you wipe the device remotely? Is the employee aware of the consequences, including the potential loss of non-business data?
- Who will provide user support and at what level?
- Will you contribute towards the costs of the device or data/voice tariff? What about apps that have to be purchased by the user?
- What are the tax implications of adopting BYOD (for both the employer and the employee)?
- Do your employees understand the data protection consequences of opting in to a BYOD scheme?
☛ Martin Sloan is an associate in the technology, information and outsourcing group at Brodies