Understanding "Bring Your Own Device" (BYOD), Consumerisation of IT & Policy Management
Many companies are having difficulty managing and controlling how users deal with BYOD devices, particularly enterprises that operate across international boundaries. Peter Vogel, Partner at Gardere Wynne Sewell LLP talks to Jake Sagehorn, Managing Director of SCA Consulting, about his experiences in the Bring Your Own Device space.
Jake Sagehorn: Peter, we've got the opportunity to talk about BYOD. Given that BYOD is accelerating within enterprises across the globe, is this also true for your firm and what is the current situation surrounding BYOD there?
Peter Vogel: Well, I think my law firm, which is a regional Texas law firm with about 300 lawyers, BYOD is something that has confronted us obviously just like every other enterprise because we expect our employees to buy their own cell devices and tablets. As a result, we've had to come up with procedures and policies so that the users of their devices can access our secure network. And one of the things that we've done is that we've made a requirement that the only way someone could access our system with a remote device, personal device, is if they have a password. So, without any password, it just doesn't work. And this is true generally with, as I say, phones, whether it's an Android or an iPhone or any kind of tablet, iPad or otherwise.
Jake: Including in your BYOD policy, has your firm gone all the way to include laptops or PCs as part of that policy?
Peter: Yes, we think anything that is remotely attached to our network that is not owned by our law firm falls under this category. Actually BYOD is a new label for something that's been going on for a very long time. When the IT community went away from the mainframes and the personal computers started taking off 30 years ago, IT management of remote data and data sources changed dramatically. I think a lot of users are looking at thin clients and there's not much thinner than an iPhone/Droid I think in terms of the relationship to a server.
Jake: Let's move on to the next area. Usually firms have a watershed or an "aha" moment and there's a compelling event that forces a firm or builds momentum to make a shift from customer liable or corporate liable devices now to consumer liable or individual liable devices for BYOD. Was there such a particular event at Gardere?
Peter: Well, at our law firm I wouldn't say there was a particular event. I think there was a change in the waterfront. That is, I think everybody saw with the popularity of the iPhone and what Apple did to transform people's expectations of what a cell phone device would do, and then Google released the Droid operating system. I think those two device technologies drove BYOD to be in the forefront of my law firm's technology committee's decision that we had to get more control over BYOD. And it's certainly been a responsibility of our CIO to manage BYOD.
Jake: With BYOD, you are both a user and your firm licenses and litigates on a whole host of legal matters related to the internet, privacy issues, and intellectual property. In general, what trends have you seen as it relates to BYOD in the marketplace and what's the impact on the enterprise policies that you're involved with?
Peter: I think the trends that I've seen are that many companies are having difficulty managing and controlling how users deal with BYOD devices, particularly when that comes to enterprises that operate across international boundaries. If the operations are only in the United States, I think things are less complicated. But when we cross international lines, the laws become much more complicated. I have many clients who are in the EU, and communicating with them because the 1995 EU data directive is significantly different than just in the US.
When we have communications between the United States and the EU, for instance, or Canada or Japan or other countries that have these kinds of laws, the privacy laws make things much more complicated. I think the trend is that the companies have to manage that information more effectively in the country in which they are operating for those laws. So that if someone in the EU sends an email to the US, which law applies to the email when it's received in the US is a very complicated issue. And the courts are having difficulty with that as well. These legal issues are not black and white at all.
Jake: So, given that you practice not just in the US but your firm also does international global law, is there a specific BYOD policy that your firm has put in place and implemented or are there one or two things that you should tell firms that they should do or must do to have such a strong policy and communicate that to its employees?
Peter: What happens is, and particularly with the EU, the US Department of Commerce has set up safe harbour rules so that when US companies can operate with EU businesses, they are protected under the 1995 data directive. So what we try to encourage our clients to do is to follow those data directive rules or the safe harbour rules in the US.
Jake: Well, we're going down into more and more legal issues here, so I've got a couple questions in the legal framework. What are some of the new legal considerations being debated on privacy, given BYOD and individual liable use of devices in corporations today?
Peter: Well, probably the most significant impact was a US Supreme Court Decision in June 2010. It was the City of Ontario, California against Officer Quan. In that case the US Supreme Court ruled that an employee who uses a company issued device is not entitled to a constitutional right of privacy.
Now, if an employee is using a BYOD device, it gets fuzzier because if the employee is doing personal things using their iPhone or their iPad clearly the business doesn't have a right to that. But if that employee is doing company business on their own device, it's not so clear about whether or not they're entitled to privacy or whether or not they own that data. The privacy issue is something the courts have yet to really be confronted with and I think that's something that will come before the Supreme Court sometime soon.
Jake: Well, given that we deal in global and international affairs almost from any company or situation, if we look at the next step or next layer of the onion that we peel back as it relates to countries that may not have safe harbour rules, could you identify a few countries that our international firms should be aware of that they really do need a communications plan and a policy in those countries, especially if they're not in the EU or say maybe in the G20? Who would be on the top of the list of the gotchas or please be aware of?
Peter: Well, ironically enough, I don't think there's a simple answer to that because virtually the entire world except for Africa and the United States has very strict privacy laws. And as I indicated earlier, I think the more complicated issue is not so much what's going on within that country, it's when the communication leaves that country and crosses international borders.
For instance, I had a US-based client who found out that their data network had been pierced in Tunisia, but there was an intrusion and whoever got in managed to get to the email servers in the US through Tunisia. I think this is incumbent upon all IT management, to be more vigilant - not that they're not vigilant, I'm not suggesting they are - but I think that the law that applies to the privacy of particular information is just a very complex and not a simple straightforward area that we all are confronted with.
Jake: At Gardere, is there a group or an individual person responsible for the BYOD strategy and the policy responsibility?
Peter: At my law firm and I assume this is true in most other law firms, we have a technology committee. The technology committee is made up of the management of the law firm, the chief managing partner, chief financial officer, executive director, and the CIO. I think that's probably pretty common that the role of the CIO would be in charge of managing this information and making sure that there's an adherence to it.
Jake: So, Peter, maybe you could share a couple of the best legal practices that enterprises should implement to protect themselves from business risk while also protecting employees' privacy rights.
Peter: Well, my sense is that one of the best strategies is that a company, if they don't already have a chief privacy officer, consider creating the post. The chief privacy officer specialises in this area and as a result has a better handle on what's going on with the courts and legislation around the country because different... not just federal law, but there are some states that have different laws dealing with privacy. California has very strict laws dealing with privacy. A chief privacy officer would be helpful regardless of where the enterprise has operations. Every company needs to make sure they're in compliance with state, federal, and international laws.
Jake: As we ended there on the legal questions, I've got one in the security and security guidelines area for you, Peter. What have you found to be the largest security issue that your firm struggles with, whether it is for the smart phones, tablets or PCs in your BYOD environment?
Peter: The largest security issue is loss of smart phones, tablets or PCs. When someone accidentally loses or someone steals their phone, tablet, or laptop, it's an incredible problem. If the device is not encrypted, or doesn't have a password, there's an exposure to the content of that device. One of the things that we have worked very hard at in our firm is to make sure that all the devices are secured. And I know that my friends who are CIOs, this is probably the most important thing that they work at. Because it's so difficult to be able to monitor and protect these personal devices when they're not owned by the company. So, that's why I was saying earlier that if the only way you can access a network is through some security measure and you have to be password protected, it goes a long way in helping the security.
Jake: In summary, if you could improve one or two things related to the BYOD policy implementation that you have done at your firm, what would it be?
Peter: I think probably the most important thing for a BYOD practice on a day-to-day basis is to make sure that the employees are aware of what the rules are, where the foul lines are. One of the things that we have done that I think is critical, which I also encourage my clients to do, is to periodically, and I mean at least once a year, have the employees sign an agreement about their adherence to the company BYOD policies because that way if nothing else, you're reminding them that the policy is in place. When, and if, they change devices, and they have to get support internally to move to the new device, that's another opportunity for them to sign up and renew that pledge that they will abide by the policies.