Bring your own device (BYOD) – the digital trend with pitfalls

In today’s digitalized world, professional and private life are increasingly intertwined. This can be seen by the US-born trend BYOD – bring your own device. Many employees already use their own laptops, tablets, and smartphones for business reasons, which is actually more convenient and can boost productivity. At the same time, BYOD is proving to be a real nightmare when it comes to data protection.

“Bring Your Own Device” means that instead of working on a company-owned computer in the office, you use your own device, be it a laptop, tablet, or smartphone. However, this is always voluntary, since a company boss cannot force their employees to work with their private devices. The boss is generally obliged to provide all operating resources required for work tasks.

The BYOD term is not only used in an office context, but also in relation to universities, libraries, schools, and other (educational) institutions. In these establishments it’s also about connecting your own device to the internal network of the respective place instead of using available hardware. Implementing BYOD requires clear guidelines known as a BYOD policy. These determine how many users are allowed to use their own devices in the network, which safety-related specifications exist, and what the rules of conduct are.

In a company, guidelines are usually drawn up in cooperation with the employee or the works council and laid down in an additional agreement in the employment contract. This is also necessary because BYOD involves numerous complex issues that require precise clarification, such as control and access rights, employee privacy, and company data protection. The employer needs to create the necessary legal basis so that all parties involved have something official to refer to.

It makes sense to implement a “Bring Your Own Device” policy wherever electronic workstations are available whose functions can also be found on private devices. To date, BYOD has been primarily used in the educational sector and within companies.

At many universities, students bring their laptops to campus to prepare presentations and homework in the time they have between lectures.  More and more schools are also integrating computers and smartphones into the curriculum as a tool. However, when it comes to the actual educational benefit of BYOD systems, the pros and cons balance each other out.

In 2013, it was estimated that 25% of US schools had a BYOD policy, which has no doubt risen over the years. 73% of teachers said they used mobile technology in their classrooms, with English teachers being the most likely to use it. 54% of students admitted they get more involved in classes that use technology.

An argument against BYOD in schools was revealed in the OECD study: “Students, Computers and Learning: Making the Connection.” It showed that students who rarely used digital media actually achieved better exam results. The counter argument to this is that electronic devices in the classroom are not just intended to improve performance in tests, but primarily to impart IT skills for everyday life in digital form and for the modern working world.

For employees, the introduction of the BYOD principle means one thing in particular: greater comfort in everyday working life. Instead of working with sometimes slower, rarely updated company hardware, you can rely on your own devices, which are often state-of-the-art. On business trips, it is also a relief to not have to bring a second device on top of a private laptop. It’s therefore usually the employees that come up with the idea of a BYOB policy, especially younger ones who grew up with mobile devices.

For this reason, employers who are open to “Bring Your Own Device” have a valuable incentive in the search for applicants – after all, the company is demonstrating that employee satisfaction is important to them. BYOD pioneers like IBM are also hoping for higher productivity when employees work with the devices they know best. In addition, the integration of private devices into everyday working life offers an ideal prerequisite for home office and flexible working. The economic and ecological advantages are also worth mentioning: employers save procurement costs of new office equipment and therefore also reduce their negative impact on the environment.

On the other hand, there is a lot of effort involved when it comes to implementation and maintenance as well as the costs. BYOD can lead to more complexity in operations and stands in the way of the widespread strategy of standardizing the IT infrastructure in organizations. How implementable the policy is therefore depends on the intensive cooperation of employees. This is the only way to master the various technical and organizational challenges that come along with it.

BYOD can also have some downsides for employees: after the complex setup of all the necessary services on your home PC, you will have to accept that the company has some control over the device in order to ensure the security of business data and the in-house network. In addition, the employee sometimes has to cover some of the costs. A further problem is the potential impairment of work-life balance: if you have continuous access to office applications such as the e-mail inbox from home, you tend to feel compelled to be constantly available – professional and private matters are becoming more mixed. The question is whether it is easier to be distracted when working on a private laptop than on a company computer.

Although BYOD has obvious benefits for teachers and students as well as employers and employees, it does involve some security and legal risks.

Whether in a company or any other type of organization – “Bring Your Own Device” always represents security risks that should not be underestimated. To understand how controversial the topic of data protection is in this context, imagine the following scenarios:

• Scenario 1: Sensitive customer, employee, and company data is stored and processed on an external device that cannot be controlled, or just partly controlled. Since this is hardware and software that was previously used primarily for personal use, the owner may have installed weaker security mechanisms than a company would like. The owner might also be laxer with spam messages and dubious links out of habit. This can improve the success of phishing. The device might also be lost or stolen, which could be disastrous for data protection.
   
• Scenario 2: On the other hand, a private device is also a security risk for the internal company network. If an unencrypted connection is used or has already been infected with malware, it can disrupt the IT infrastructure or even spy on sensitive information.

Now, according to the GDPR, especially personal data must also be preserved. It’s the company, and not the employee, that is responsible for this. This can pose major legislative, technical, and administrative challenges for both management and IT, especially when a variety of different devices with different operating systems and programs need to be integrated into the same network.

In these circumstances, it is definitely legitimate for the boss to have some control over the devices. This includes making sure the necessary data protection measures have been implemented properly and to ensure that business and private data is strictly separated and, in case of doubt, that it can be deleted or restored remotely.

All relevant questions need to be clearly answered e.g. “May an employee’s family also use the device?”, and “What happens to the company data if the employee quits?”. Removing these initial ambiguities can be an additional effort for the company that should not be underestimated. The finished BYOD policy must then be communicated openly and transparently to the staff in order to reduce the risk of data leaks and breaches in data protection law. However, a certain residual risk always remains, as the employer gives up part of their control by trusting the employees.

As far as the technical side is concerned, IT departments entrusted with the task of implementing a BYOD concept use various approaches:

• Common access hurdles: These include encrypted connections via VPNs, limited service offerings, and two-factor authentication.

• Container solutions: To ensure the security of sensitive data on private devices, many companies rely on encrypted “containers.” These are isolated and restricted partitions on the local hard disk space where data is stored and from which the connection to the company network is established.
   
• Mobile device management:MDM software such as AirWatch or MobileIron is used for central integration and administration of private devices in the company. The professional user interfaces are used to manage data, install updates, and configure locks for unsecure WLAN connections and apps from unknown third parties. However, since employees have to switch back and forth between their private and professional workplaces, mobile device management is at the expense of the user experience. The stronger control exercised by the employer also has negative implications on the private sphere.
   
• Sandbox solution: A frequently used alternative to the above-mentioned solutions is also virtual desktop infrastructure as well as web applications that allow remote access from the private device to the company computer and therefore do not store sensitive data on external devices. These include cloud services and online collaboration platforms such as Microsoft Exchange.

BYOD is becoming more and more popular in the US since employees are increasingly using (or are asking to use) their personal devices to carry out their work tasks. Although it sounds like a win-win situation with employees benefitting from using a familiar device, and employers benefitting from increased productivity and saving on technology costs, there are things to consider regarding BYOD and the law.

Some employers have strict policies declaring that the device must be wiped if it is lost or if the employee leaves the company.

Here are two case studies highlighting legal problems that can arise from implementing BYOD:

Case study 1

This case study is of Saman Rajaee and his employer, Design Tech Homes. The company remotely wiped personal data from his iPhone after he resigned. Rajaee attempted to sue on the basis of federal and state law violations, but lost the case. It did, however, make others think more about the implications of simply reverting an ex-employee’s phone back to factory settings. Apparently, it is okay for a company to remotely wipe an employee’s device if there is already an agreement in place with the person owning the device and that they 100% understand what the BYOD policy entails.

Case study 2

Since employees have access to their own devices around the clock, there’s never really a clock-off time, leading to the employee racking up overtime. The employee then hopes to be paid for this overtime whereas the boss maybe wasn’t expecting the employee to work after leaving the office.

In the case of Mohammadi vs. Nwabuisi, the employer was found guilty of not compensating an employee for overtime completed on their own device. If employers don’t want the same happening to them, they could limit BYOB to certain employers or make sure that all time worked is logged and then paid accordingly.

The majority of employers don’t reimburse their employees for using their personal devices to perform their work tasks. In California, for example, labor law requires employers to reimburse a percentage of the employee’s phone bill if they use it often for work-related purposes. Even if the employees don’t end up paying an extra for using their device for work, this reimbursement is still mandatory.

The educational, entrepreneurial, security, and legal aspects of BYOD make it clear that the advantages of the principle seem to be counterbalanced by just as many disadvantages. In the following table, we summarize the pros and cons of BYOD:

Obviously, the BYOD principle offers many advantages for both employees and employers, but there have been a few hiccups including former employees suing their bosses for various reasons linked to BYOD. The freedom to use your own device and save the employer having to fork out for new company hardware is quickly marred by the fact that employee privacy could be on the line. Some states even rule that a company can wipe the employee’s device when they leave the company, leaving many people wondering if it is worth it.

In the US, where the concept originally came from, there are also signs of companies turning their back on BYOD policies. The end of private devices at work could soon be here. There are two counter-concepts in particular that have been established to give employers more control over their data:

• Choose your own device (CYOD): Employees can choose from a wide range of equipment financed by the company and therefore de facto owned. However, the use for private purposes must be explicitly granted in a policy.
• Corporate owned, personally enabled (COPE): Employees are expressly permitted to use a company device privately. However, since they are then responsible for the basic setup and support of the device, this principle requires a certain technical skill.

It remains to be seen whether the BYOD trend in the US will fade away from what originally started out on a good foot.