Why users should be wary of BYO Computing

Employees bringing their own tablet, laptop and smartphone devices into the workplace risk exposing their private lives to IT administrators, human resource managers and lawyers, experts have warned.

As more staff choose to use their own devices in the workplace, CIOs have been asked to manage the risks associated with protecting corporate data on a wider range of unsupported devices.

But legal experts also note that this risk is shared by employees.

Many organisations are beginning to formulate BYO Computing policies that stipulate computer maintenance as the employee’s responsibility. But there are occasions when any device used for professional purposes might need to be inspected by the employer: for IT support, auditing or legal reasons.

Private computers are often the repository of a great deal of sensitive private information, including photos, videos, health and financial records, and internet browsing habits.

An organisation may have a policy of considering these private records to be out-of-bounds, but information found inadvertently may equally have to be acted upon, according to Sonya Black, senior associate employment lawyer at Blake Dawson.

Adverse health records, for example, must be considered when deciding an employee’s fitness for a job. Details of communication with a competitor or evidence of a staff member speaking against the company – even in private online conversations - may influence promotion prospects or even end careers.

“Part of the difficulty is that even if the organisation comes to the information unlawfully or against a (privacy) policy, it’s almost legally obliged to act on that information,” Black says citing an example of a company that discovers one of its drivers suffers from epilepsy.

In the event of a court case, employee devices will also be included in legal discovery – the process by which files and transaction records are scrutinised by the other party.

Employees may have no choice but to hand over their device, Black says, as courts are likely to extend company orders to cover employee machines.

Black’s colleague Amanda Ludlow, special counsel of technology, says employees should think twice before accepting BYO Computing agreements.

“It makes sense to have one device, particularly if you work remotely or from home a lot, but you have to be very aware there are implications and you may need to curb some of your (private) behaviour,” she said.

That becomes difficult when there is a “blur between your work and personal life,” Ludlow said.

Norton Rose, a legal firm that allows BYO Computing, uses remote access technologies to segregate corporate and private data.

“No data resides on local computers, reducing the security risks,” said Phil Scorgie, director of business information systems at the firm. “This approach also avoids the possibility that private data is discoverable.”

Jetstar CIO Stephen Tame says the airline considers employee devices as private, but the corporate data transmitted to it, mainly in emails, as business. He acknowledges that this creates a grey area.

“We have engaged MessageLabs to [protect against] viruses and spam, and also to journal all inbound/outbound mail,” he said. “So we can investigate (data) without actually reviewing the device,” he said.

Tame concedes that there is a risk to employees downloading inappropriate content to devices that may need to be handled by IT support, but said the company would not be concerned unless that content was shared on its network.

All the more reason to operate BYO Computing on a virtualised environment, he said.

“The challenge is how to protect the virtual machines - the Jetstar world - from attacks and viruses that may exist on the physical private world. This same separation challenge (applies) to the private world content.”

Justin Warren, managing director of IT management consultancy PivotNine said that whilst virtual machines help to segregate data, only strong encryption would protect private data from being physically accessed by interested parties.

“Multi-factor authentication that is resistant to theft of the device itself would also help,” Warren said.

Warren warns that cloud storage may also muddy the waters and increase the risk of data leakage.

“If you were to use your personal laptop with a backup service like DropBox, Mozy, or [Apple’s new] iCloud, you might copy corporate data onto the laptop,” he said. “You might unintentionally copy a budget or sales projection spreadsheet into the cloud as part of your regular backups. In this sense, keeping corporate data segregated from personal requires manual effort.”

Jo Pasqua, vice president at Symantec Research Labs said corporations have not yet thought through the implications for employee privacy. The security vendor is conducting its own small BYO iPad trials.

“What happens when corporations start backing up your personal files?” he asked.

“You can absolutely use a thin client approach, so in theory there is no corporate data in the device. But people have been known to email themselves files,” Pasquale said.

Black and Ludlow said they would reject BYO agreements.

“We’d never do it,” Black said. “Because we’re lawyers and we know the risks.”

This story is Part II in a series of articles by Lia Timson on the BYO Computing trend. Read Part I here.