    Executive Summary

    The concepts of BYOD – bring your own device – and BYOT – bring your own technology – seem straightforward. Employees simply use their personal devices for work purposes. In this way, BYOD is a quick, convenient policy that keeps employees happy and can even increase productivity. But despite their positive aspects, BYOD policies can have major downsides, mainly because they can expose companies and their insurers to significant cyber and operational risks. Nevertheless, many entities have forms of BYOD policies in place. It is important to recognize the ramifications of these policies as they gain acceptance in commercial environments.

    Background

    BYOD policies have the potential to provide employers with substantial savings by shifting technology costs from employers to employees and by increasing productivity. Employees might buy their own mobile phones for both personal and work use. Productivity can increase when employees save time by using their familiar devices instead of company-provided devices or choose to work outside of normal business hours because using personal devices makes working from home easier.

    BYOD policies offer benefits to employees. Personally-owned devices can be more sophisticated than employer-provided devices. BYOD programs promote mobile working and make after-hours coordination among employees easier. BYOD policies can benefit the employer by promoting increased worker satisfaction.

    While some BYOD policies allow employees to use any personal device for work, other policies are some variation of CYOD, short for “choose your own device,” or COPE, short for “corporate-owned, personally enabled.” CYOD describes policies in which employees can only use certain devices approved by management, while COPE items are provided by the employer but may be used for personal activities.

    According to some IT managers, COPE policies work better than CYOD because COPE policies allow managers to exercise control over documents, data and services. According to some industry observers, rapidly advancing technology means that the CYOD strategy often cannot give employees the same range of choice in personal devices in the workplace as employer-provided units.

    After the type of BYOD policy is selected, it is relatively simple for companies to enforce the chosen policy. Under a CYOD policy, employees can purchase their own devices from well-known hardware makers while allowing the company to manage the devices under an IT-run mobile data management system to ensure compliance with mobile security policies. In COPE environments, corporate-owned devices can be programmed to allow remote locking and wiping of data if the device is lost or stolen. In most BYOD situations, the IT department can set policies for every device, such as allowed applications and password length and complexity.

    Injuries and Damages

    For all the positive aspects of BYOD environments, there are genuine risks.

    Potential Damages to Organizations and Employees
    BYOD programs can compromise the security of organizations, exposing them to cyber-attacks, ransomware and other cyber-related threats. Companies that allow employees to use their personal devices for work expose company data and networks to potential losses. Organizations that have already implemented BYOD policies can face problems when the demand for improved user technology grows more quickly than the entity can create strategies to harness that technology.

    BYOD programs can impose unwelcome costs on employees. Employers might not want to invest in upgrading legacy technology or in purchasing mobile devices in the first place, no matter how useful they are, leaving this financial obligation in the hands of employees. Employees usually pay their own monthly device bills under BYOD policies even though the device is sometimes used for work purposes.

    How and when employees use their technology may present liability risks for employers. In 2012, a court imposed a multi-million judgment on Coca-Cola for an accident in which one of its truck drivers hit a Texas woman while the driver was using a cell phone, despite the company policy that only hands-free devices be used while driving.

    Security Concerns
    To be most effective, BYOD policies must strike a balance between convenience for employees and security for company systems and data. BYOD policies naturally undermine this security because they require workers to become part of the security chain protecting those systems and data. Potentially sensitive company data is at risk every time an employee accesses an open Wi-Fi network, uses insecure cloud storage services, or fails to keep security software updated. BYOD policies can even facilitate industrial espionage because nearly every cell phone that employees bring to work with them has a camera that can photograph sensitive information.

    Mobile device security is especially difficult to maintain. Some companies are implementing mobile device management policies, along with the BYOD policies, that restrict access to certain websites or prohibit the use of the in-device camera. Some organizations register personal devices with “locate and wipe” facilities or require strong passwords for personal devices, along with other security measures.

    Employees are often markedly unenthusiastic about data protection measures. Younger users might consider being allowed to choose their devices by brand and operating system more important than the available security features. Many admit to sharing their devices with others; a significant percentage of users do not use basic password protection because eliminating passwords makes sharing easier. Some employees assume that their company’s IT department will protect them from threats even though a significant number admit to having lost data from their mobile devices. Some users would rather attempt to self-service their devices instead of waiting for IT advice.

    Employers can help protect themselves against employees who are lax about security with customized BYOD policies that give employees differing degrees of access to their personal devices. At one extreme, some companies allow employees unlimited access to all the available applications for their personal devices; at the other, companies permit limited access and only with IT departmental control over all apps and stored data.

    Legislation and Regulation

    While BYOD and BYOT policies are established and enforced by employers, there are laws and regulations that must be considered in a BYOD environment. Some are dictated by the nature of the company’s data. If employees are allowed to download personally identifiable information to their devices, the company is liable for the handling of that information, a fact that is especially relevant in the healthcare and financial industries which carry more data-specific legal obligations than many other fields. All employers, however, must consider confidentiality obligations, breach notification rules, law enforcement access to data, trade secret protections, data security regulations, international data protection laws, court e-discovery rules, secure data retention and destruction policies, employer access to employee personal information, and ethics generally.

    Labor laws are implicated in BYOD situations. For example, the Fair Labor Standards Act (FLSA) mandates that non-exempt workers must be paid overtime for time worked beyond a regular workweek, such as for checking email that might contain work-related items, whether or not the employee was instructed to check email for work after hours.

    Stolen or lost personal devices present employers with another area of vulnerability if company-sensitive information has been downloaded; certain situations may leave the company with a legal responsibility to disclose a data breach to the public.

    BYOD also raises privacy concerns such as the issue of who legally owns the information on the personal device of an employee who has quit or been let go. Industry experts are considering whether the company is responsible for compliance with state and federal laws requiring that personal information present on a device, but no longer being used for business reasons, be destroyed. While software exists that allows the company to remotely destroy selected information on a device, that software may also remove personal information such as photos, which raises different privacy questions.

    Liability and Insurance

    Insurance in a BYOD environment is important to both the employee and the employer. In the case of hardware loss, theft or damage, the employee’s homeowner policy might not cover devices for use outside the home, yet employees still need access to insurance that allows them to quickly replace the device and stay productive. The employer may seek protection from the insurer in relation to company intellectual property, data security, or lost employee productivity.

    In recognition of these situations, specialty insurance, or “cyber risk coverage,” has become available to protect against adverse outcomes. Cyber risk insurance might provide the financial resources to investigate incidents and advise companies how to minimize reputational and financial risks. A cyber liability policy may also cover legal defense costs, regulatory fines and penalties, the expenses of notifying parties of the breach, and computer forensics to determine the scope of a data breach. Some policies offer coverage for business interruption, cyber extortion, media liability, or data restoration costs.

    Litigation

    BYOD policies in the workplace have not generated a significant amount of litigation, but the issue of compensating employees for the use of their personal devices to benefit the company was considered in Cochran v. Schwan’s Home Service, Inc., B247160 (Ca. App. Ct. August 12, 2014). The court held that when employees must use their personal cell phones for work-related calls, the state Labor Code required the employer to reimburse them “a reasonable percentage of their cell phone bills.”

    If a company with a BYOD plan becomes involved in court action, it must take extra steps to assure compliance with litigation discovery rules. If litigation is reasonably foreseeable, the company must identify, preserve and produce relevant information that is within its custody or control. This raises questions about the scope of the company’s duties, for example, about what the employer’s discovery obligations are with respect to business voicemail or email that was left on an employee’s personal cell phone or computer, and what data storage systems should be searched.

    Future Outlook

    The future of BYOD is uncertain. Some industry observers predict a growing acceptance of BYOD environments. Even if an employer bans BYOD practices, however, some experts believe that some workers will still use personal devices for work purposes -- but that as workers obtain more advanced devices from their employers, the incentive to use personal devices for work will be reduced. More cyber-attacks aimed at portable devices are likely, but so is the development of more robust mobile security applications to combat emerging threats. As technology advances, it is becoming critically important that firms both manage the risks presented by BYOD programs and explore insurance policies that mitigate the risks.

    In the News

    2016

    • BYOD Policies: What Employers Need to Know - Paul G. Lannon & Phillip M. Schreiber, Society for Human Resource Management (02/01/2016)
      Many forward-thinking companies are now adopting bring-your-own-device (BYOD) policies that allow employees to work on their personal laptops, tablets and smartphones instead of on company-issued equipment.

    2015

    • BYOD security still lacking - IT-Online (06/24/2015)
      A recent BitDefender survey has revealed that BYOD policies, aimed at securing personal devices, and the business data stored on them, are not nearly as comprehensive as they should be, and have a way to go if they hope to protect the business effectively.
    • Are you being risky with your BYOD security? - Computer Business Review (05/19/2015)
      A study found that two-thirds (62%) of business owners and employees now use personal mobile devices for work, but many of the employees believe that device security is their company's responsibility.
    • What HRC's Use of BYOD at DoS Means for PYTS – Protecting Your Trade Secrets - Venable LLP (03/26/2015)
      With all the to-do about former Secretary of State Hillary Rodham Clinton's work-related use of her personal email account and server, little has been said about what such use means for private employers.

    2014

    • The New Frontier: Preparing for the Surge of Wearable Technology in the Workplace - Tracy L. Moon Jr., EHS Today (12/12/2014)
      Wearable technology is a new frontier that employers and safety professionals must prepare to address. While the business use of wearable-technology devices such as glasses, barcode readers and high-definition cameras is in the early stages, consumer devices such as fitness watches, Google glasses and Apple watches are being sold or soon will be available to the general public for purchase.
    • Bring Your Own Device - No Longer An Issue, Or Still A Headache? - BW Bureau (05/09/2014)
      Conducted across 20 countries, the survey of 3,200 employees aged 21-32 showed that over the last year there has been a strong upward trend in the overall number who view BYOD as something that empowers them in the workplace.
    • Bring Your Own Device: The Risks - Lloyds.com (05/02/2014)
      [T]he "bring your own device" (BYOD) mode of working is already well underway. At a time when privacy and data protection laws are being strengthened, the likely implications of this new technology for organisations and risk managers could be far reaching.
    • BYOD (Bring Your Own Device) trend spreading across workplaces - Paula Burke, The Oklahoman (04/21/2014)
      When a computer in Davis Merrey’s church came down with a virus, staff were astonished because the computer is located in the church’s audiovisual booth and has no Internet connection. But Merrey, owner and chief executive of TeamLogic IT of Oklahoma City, instantly suspected what he eventually confirmed: Someone plugged a flash drive into the computer’s USB port to upload, what were infected, files.

    2013

    • 65 percent of Global Companies See Personal Mobile Devices Used at Work as a Threat - Heena Jhingan, ExpressComputer (12/10/2013)
      About 65% of companies see the Bring Your Own Device (BYOD) trend, where employees use their personal mobile devices for work purposes, as a growing threat to business.
    • Bring Your Own Device... at Your Own Risk - Privacy Rights Clearinghouse (09/01/2013)
      Bring your own device ("BYOD") policies are making a significant impact on the workplace. Employers create BYOD policies to meet employee demands and keep employees connected. They may also do it to save money by eliminating the need for company plans and devices.
