How “Bring Your Own Device” Policies Increase Privacy Concerns

Crystal N. Lowery

Associate Editor

Loyola University Chicago School of Law, JD 2020

With the increased integration of laptops, cellphones, and tablets in both work and personal life, many companies have started adopting a “bring your own device” (BYOD) policy into employment protocols. BYOD policies allow employees to use their personal device for work, removing the need for employers to provide work devices. Although BYOD policies allow for easy transition from home to work, they increase security risks for employers. BYOD policies create differing advantages and disadvantages for employees and employers; thus, it is important that they are carefully assessed before implementation. If a BYOD policy is adopted, strict regulation and oversight of company policies and procedures is required.

Privacy Concerns for Employees

For the employee, a BYOD policy can be a mixed bag. A BYOD policy allows employees to easily integrate work onto familiar devices, without the hassle of learning a new platform. However, it also brings a new concern of potentially giving employers access to personal data. Some companies have implemented BYOD policies that respect employee’s data privacy more than others; for instance, only allowing complete access to personal data in the event of discovery requests arising from litigation. In contrast, other companies caution that all information on technology used for work can and will be accessed by the company and must comply with company protocols, severely limiting employee data privacy. Additionally, many BYOD policies include assumption of risk for any data breaches, placing a high burden on employees to monitor the security of their devices.

The primary way to ensure security on personal electronic devices is via company mobile device management (MDM) technology. MDM allows employers to limit access to or fully restrict websites, applications, and any non-work-related activities on personal devices. MDM also restricts employee privacy by allowing employers potentially unfettered access to personal data and allowing remote wipe of personal devices. Remote wipe of devices can be useful in the event of a lost device or potential security breach, however it also risks loss of all personal data. MDM essentially limits employee access to their own technology and privacy in their own data for the benefit of company security.

Finally, BYOD policies encourage a blur in the work-life balance. This “blur” is often disguised as increased productivity, and is a benefit to the employer. With work continuously at your fingertips, employees feel responsible to immediately respond to emails, texts, and other employer communications, even while at home or on vacation. BYOD policies may also limit or refuse reimbursement for data use on personal devices; however, some policies provide for the company to pay partial or full data plans. Ultimately, because many BYOD policies limit employee privacy, increase risk, and increase employee demand by diminishing work-life balance, it is not likely that the implementation of such policies benefit the employees.

Privacy Concerns for Companies

For companies, BYOD policies offer increased productivity and cost reduction, but they come with a high price in security risks. Even the most rigorous BYOD policy cannot prevent all data breaches. Allowing employees to use their personal devices for work increases the risk of accessibility to company data outside of the office in areas that are not secure. When employees work from home or over unknown, unsecured networks, the risk of a data breach is prevalent. Companies must account for storage and transmission of company data over unsecure networks by implementing MDM.

MDM allows the employer to restrict data loaded to the phone, allow for remote wipes upon potential breaches, and monitor usage; however, it does not account for all potential security breaches. MDM cannot discriminate between authorized and unauthorized access to phones independent of whether a password is required to access the device or not. There is also a risk that a device may not be supported if the operating system is newly updated or when new device upgrades are available. MDM requires employees, or third parties, to manage the system and allows access to personal and company information. Many employees are hesitant to allow MDM when it limits privacy and allows full remote wipes of personal data, and remote access to personal data leaves companies vulnerable to legal challenges of privacy.

While BYOD policies leave companies susceptible to breaches in security, such breaches could be prevented by providing the technology required for employment, such as phones and computers. Additionally, the cost for implementing MDM and oversight of the technology must be balanced with the increase in cost for providing individual devices for each employee.

Appropriate Regulation of Personal Devices and Limitations to BYOD Policies

If BYOD policies are to be implemented, they must be strongly regulated. It is important that both the employees and the employer understand its terms and provisions. The policy should be offered as an option to employees wishing to use their personal device, but may pose both legal and security issues if BYOD is mandatory for all employees. Further, there should be a restriction to accessing company data outside of work hours to uphold the work-life balance.

Although BYOD policies are becoming more prevalent, many companies are not yet equipped to handle the regulatory dangers that come along with it. Companies must make greater steps in implementing a robust policy that provides for training, monitoring, breach notification and response prior to allowing employees to use personal devices for work. Such policies must include the addition of either a Chief Technology Officer or Chief Security Officer who is able to monitor and assess the technology. There must be an efficient technology and security department with experts who are able to utilize MDM effectively, without risking employee and company privacy, and to ensure that personal data is not destroyed when there is a change in employment and a data wipe is necessary. Finally, there must be a sound policy on breach response, notification, investigation, and corrective action plans for all potential methods of security breaches. Companies must be aware of the pitfalls of BYOD policies prior to implementation and take steps to ensure security of employee and employer information.