Bring your own device (BYOD) – the digital trend with pitfalls

In today’s dig­i­tal­ized world, pro­fes­sion­al and private life are in­creas­ing­ly in­ter­twined. This can be seen by the US-born trend BYOD – bring your own device. Many employees already use their own laptops, tablets, and smart­phones for business reasons, which is actually more con­ve­nient and can boost pro­duc­tiv­i­ty. At the same time, BYOD is proving to be a real nightmare when it comes to data pro­tec­tion.

“Bring Your Own Device” means that instead of working on a company-owned computer in the office, you use your own device, be it a laptop, tablet, or smart­phone. However, this is always voluntary, since a company boss cannot force their employees to work with their private devices. The boss is generally obliged to provide all operating resources required for work tasks.

The BYOD term is not only used in an office context, but also in relation to uni­ver­si­ties, libraries, schools, and other (ed­u­ca­tion­al) in­sti­tu­tions. In these es­tab­lish­ments it’s also about con­nect­ing your own device to the internal network of the re­spec­tive place instead of using available hardware. Im­ple­ment­ing BYOD requires clear guide­lines known as a BYOD policy. These determine how many users are allowed to use their own devices in the network, which safety-related spec­i­fi­ca­tions exist, and what the rules of conduct are.

In a company, guide­lines are usually drawn up in co­op­er­a­tion with the employee or the works council and laid down in an ad­di­tion­al agreement in the em­ploy­ment contract. This is also necessary because BYOD involves numerous complex issues that require precise clar­i­fi­ca­tion, such as control and access rights, employee privacy, and company data pro­tec­tion. The employer needs to create the necessary legal basis so that all parties involved have something official to refer to.

It makes sense to implement a “Bring Your Own Device” policy wherever elec­tron­ic work­sta­tions are available whose functions can also be found on private devices. To date, BYOD has been primarily used in the ed­u­ca­tion­al sector and within companies.

At many uni­ver­si­ties, students bring their laptops to campus to prepare pre­sen­ta­tions and homework in the time they have between lectures.  More and more schools are also in­te­grat­ing computers and smart­phones into the cur­ricu­lum as a tool. However, when it comes to the actual ed­u­ca­tion­al benefit of BYOD systems, the pros and cons balance each other out.

In 2013, it was estimated that 25% of US schools had a BYOD policy, which has no doubt risen over the years. 73% of teachers said they used mobile tech­nol­o­gy in their class­rooms, with English teachers being the most likely to use it. 54% of students admitted they get more involved in classes that use tech­nol­o­gy.

An argument against BYOD in schools was revealed in the OECD study: “Students, Computers and Learning: Making the Con­nec­tion.” It showed that students who rarely used digital media actually achieved better exam results. The counter argument to this is that elec­tron­ic devices in the classroom are not just intended to improve per­for­mance in tests, but primarily to impart IT skills for everyday life in digital form and for the modern working world.

For employees, the in­tro­duc­tion of the BYOD principle means one thing in par­tic­u­lar: greater comfort in everyday working life. Instead of working with sometimes slower, rarely updated company hardware, you can rely on your own devices, which are often state-of-the-art. On business trips, it is also a relief to not have to bring a second device on top of a private laptop. It’s therefore usually the employees that come up with the idea of a BYOB policy, es­pe­cial­ly younger ones who grew up with mobile devices.

For this reason, employers who are open to “Bring Your Own Device” have a valuable incentive in the search for ap­pli­cants – after all, the company is demon­strat­ing that employee sat­is­fac­tion is important to them. BYOD pioneers like IBM are also hoping for higher pro­duc­tiv­i­ty when employees work with the devices they know best. In addition, the in­te­gra­tion of private devices into everyday working life offers an ideal pre­req­ui­site for home office and flexible working. The economic and eco­log­i­cal ad­van­tages are also worth men­tion­ing: employers save pro­cure­ment costs of new office equipment and therefore also reduce their negative impact on the en­vi­ron­ment.

On the other hand, there is a lot of effort involved when it comes to im­ple­men­ta­tion and main­te­nance as well as the costs. BYOD can lead to more com­plex­i­ty in op­er­a­tions and stands in the way of the wide­spread strategy of stan­dard­iz­ing the IT in­fra­struc­ture in or­ga­ni­za­tions. How im­ple­mentable the policy is therefore depends on the intensive co­op­er­a­tion of employees. This is the only way to master the various technical and or­ga­ni­za­tion­al chal­lenges that come along with it.

BYOD can also have some downsides for employees: after the complex setup of all the necessary services on your home PC, you will have to accept that the company has some control over the device in order to ensure the security of business data and the in-house network. In addition, the employee sometimes has to cover some of the costs. A further problem is the potential im­pair­ment of work-life balance: if you have con­tin­u­ous access to office ap­pli­ca­tions such as the e-mail inbox from home, you tend to feel compelled to be con­stant­ly available – pro­fes­sion­al and private matters are becoming more mixed. The question is whether it is easier to be dis­tract­ed when working on a private laptop than on a company computer.

Although BYOD has obvious benefits for teachers and students as well as employers and employees, it does involve some security and legal risks.

Whether in a company or any other type of or­ga­ni­za­tion – “Bring Your Own Device” always rep­re­sents security risks that should not be un­der­es­ti­mat­ed. To un­der­stand how con­tro­ver­sial the topic of data pro­tec­tion is in this context, imagine the following scenarios:

• Scenario 1: Sensitive customer, employee, and company data is stored and processed on an external device that cannot be con­trolled, or just partly con­trolled. Since this is hardware and software that was pre­vi­ous­ly used primarily for personal use, the owner may have installed weaker security mech­a­nisms than a company would like. The owner might also be laxer with spam messages and dubious links out of habit. This can improve the success of phishing. The device might also be lost or stolen, which could be dis­as­trous for data pro­tec­tion.
   
• Scenario 2: On the other hand, a private device is also a security risk for the internal company network. If an un­en­crypt­ed con­nec­tion is used or has already been infected with malware, it can disrupt the IT in­fra­struc­ture or even spy on sensitive in­for­ma­tion.

Now, according to the GDPR, es­pe­cial­ly personal data must also be preserved. It’s the company, and not the employee, that is re­spon­si­ble for this. This can pose major leg­isla­tive, technical, and ad­min­is­tra­tive chal­lenges for both man­age­ment and IT, es­pe­cial­ly when a variety of different devices with different operating systems and programs need to be in­te­grat­ed into the same network.

In these cir­cum­stances, it is def­i­nite­ly le­git­i­mate for the boss to have some control over the devices. This includes making sure the necessary data pro­tec­tion measures have been im­ple­ment­ed properly and to ensure that business and private data is strictly separated and, in case of doubt, that it can be deleted or restored remotely.

All relevant questions need to be clearly answered e.g. “May an employee’s family also use the device?”, and “What happens to the company data if the employee quits?”. Removing these initial am­bi­gu­i­ties can be an ad­di­tion­al effort for the company that should not be un­der­es­ti­mat­ed. The finished BYOD policy must then be com­mu­ni­cat­ed openly and trans­par­ent­ly to the staff in order to reduce the risk of data leaks and breaches in data pro­tec­tion law. However, a certain residual risk always remains, as the employer gives up part of their control by trusting the employees.

As far as the technical side is concerned, IT de­part­ments entrusted with the task of im­ple­ment­ing a BYOD concept use various ap­proach­es:

• Common access hurdles: These include encrypted con­nec­tions via VPNs, limited service offerings, and two-factor au­then­ti­ca­tion.

• Container solutions: To ensure the security of sensitive data on private devices, many companies rely on encrypted “con­tain­ers.” These are isolated and re­strict­ed par­ti­tions on the local hard disk space where data is stored and from which the con­nec­tion to the company network is es­tab­lished.
   
• Mobile device man­age­ment: MDM software such as AirWatch or Mo­bile­Iron is used for central in­te­gra­tion and ad­min­is­tra­tion of private devices in the company. The pro­fes­sion­al user in­ter­faces are used to manage data, install updates, and configure locks for unsecure WLAN con­nec­tions and apps from unknown third parties. However, since employees have to switch back and forth between their private and pro­fes­sion­al work­places, mobile device man­age­ment is at the expense of the user ex­pe­ri­ence. The stronger control exercised by the employer also has negative im­pli­ca­tions on the private sphere.
   
• Sandbox solution: A fre­quent­ly used al­ter­na­tive to the above-mentioned solutions is also virtual desktop in­fra­struc­ture as well as web ap­pli­ca­tions that allow remote access from the private device to the company computer and therefore do not store sensitive data on external devices. These include cloud services and online col­lab­o­ra­tion platforms such as Microsoft Exchange.

BYOD is becoming more and more popular in the US since employees are in­creas­ing­ly using (or are asking to use) their personal devices to carry out their work tasks. Although it sounds like a win-win situation with employees ben­e­fit­ting from using a familiar device, and employers ben­e­fit­ting from increased pro­duc­tiv­i­ty and saving on tech­nol­o­gy costs, there are things to consider regarding BYOD and the law.

Some employers have strict policies declaring that the device must be wiped if it is lost or if the employee leaves the company.

Here are two case studies high­light­ing legal problems that can arise from im­ple­ment­ing BYOD:

Case study 1

This case study is of Saman Rajaee and his employer, Design Tech Homes. The company remotely wiped personal data from his iPhone after he resigned. Rajaee attempted to sue on the basis of federal and state law vi­o­la­tions, but lost the case. It did, however, make others think more about the im­pli­ca­tions of simply reverting an ex-employee’s phone back to factory settings. Ap­par­ent­ly, it is okay for a company to remotely wipe an employee’s device if there is already an agreement in place with the person owning the device and that they 100% un­der­stand what the BYOD policy entails.

Case study 2

Since employees have access to their own devices around the clock, there’s never really a clock-off time, leading to the employee racking up overtime. The employee then hopes to be paid for this overtime whereas the boss maybe wasn’t expecting the employee to work after leaving the office.

In the case of Mohammadi vs. Nwabuisi, the employer was found guilty of not com­pen­sat­ing an employee for overtime completed on their own device. If employers don’t want the same happening to them, they could limit BYOB to certain employers or make sure that all time worked is logged and then paid ac­cord­ing­ly.

The majority of employers don’t reimburse their employees for using their personal devices to perform their work tasks. In Cal­i­for­nia, for example, labor law requires employers to reimburse a per­cent­age of the employee’s phone bill if they use it often for work-related purposes. Even if the employees don’t end up paying an extra for using their device for work, this re­im­burse­ment is still mandatory.

The ed­u­ca­tion­al, en­tre­pre­neur­ial, security, and legal aspects of BYOD make it clear that the ad­van­tages of the principle seem to be coun­ter­bal­anced by just as many dis­ad­van­tages. In the following table, we summarize the pros and cons of BYOD:

Obviously, the BYOD principle offers many ad­van­tages for both employees and employers, but there have been a few hiccups including former employees suing their bosses for various reasons linked to BYOD. The freedom to use your own device and save the employer having to fork out for new company hardware is quickly marred by the fact that employee privacy could be on the line. Some states even rule that a company can wipe the employee’s device when they leave the company, leaving many people wondering if it is worth it.

In the US, where the concept orig­i­nal­ly came from, there are also signs of companies turning their back on BYOD policies. The end of private devices at work could soon be here. There are two counter-concepts in par­tic­u­lar that have been es­tab­lished to give employers more control over their data:

• Choose your own device (CYOD): Employees can choose from a wide range of equipment financed by the company and therefore de facto owned. However, the use for private purposes must be ex­plic­it­ly granted in a policy.
• Corporate owned, per­son­al­ly enabled (COPE): Employees are expressly permitted to use a company device privately. However, since they are then re­spon­si­ble for the basic setup and support of the device, this principle requires a certain technical skill.

It remains to be seen whether the BYOD trend in the US will fade away from what orig­i­nal­ly started out on a good foot.