The BYOD policy that has increasingly found favour among companies today poses many questions with regard to the law. Companies simply cannot afford to ignore questions of security and privacy.
Nowadays, companies permit employees to bring their personal devices, such as laptops, smartphones, and tablets, to the workplace and incorporate them into the company’s network, rather than providing company-owned devices. Employers have increasingly adopted the Bring Your Own Device or BYOD policy citing flexibility, convenience, and easy portability of devices. Particularly in the case of startups, BYOD has come as a boon as it limits their costs on hardware, software, and IT support. However, without proper checks and balances, issues relating to data security, ownership, and privacy can result in a potential liability for the employer.
Unless there is a contract to the contrary, the ownership of all work created by an employee during the course of employment will automatically vest with the employer. Intellectual property created by independent consultants, by contrast, does not automatically vest with the employer and requires a specific assignment of that IP in favour of the employer. Accordingly, companies must ensure that contracts with independent consultants contain specific IP assignment provisions.
In addition to protection under IP laws, the Information Technology Act, 2000, also affords protection to the employer, as owner of the data, against any unauthorised downloading, copying, or extraction of data from a computer system or network by making the offender liable for damages.
While there are no specific case laws in India pertaining to BYOD issues yet (as data protection and privacy laws are relatively nascent), a district court in Texas (Rajaee vs. Design Tech Homes) recently dealt with questions on this point. The plaintiff, Rajaee, was an employee of Design Tech Homes, the defendant. The company configured the employee’s personal phone and connected it to the company’s server, allowing the employee to access company emails, contact manager, and calendar. A couple of days after the employee’s resignation from the company, the company remotely reset the phone, wiping out not only all work-related data, but the employee’s personal data as well. Aggrieved by this, the employee approached the court, seeking damages from the company.
The court, however, dismissed the employee’s claim on the grounds that he could not produce any evidence of losses incurred as a result of the actions of the company. In the present instance, the court required evidence of the 'loss' or 'any cost' incurred (including any costs involved in responding to, investigating, or remedying the deletion of data, restoring the data, etc.) to award damages to the employee.
Companies can lose some or all control over their data when employees use personal devices to store and transmit it, and, in the absence of appropriate systems, become dependent on the employees to secure their own devices.
Companies dealing with personal data or information (including “sensitive personal data or information”) are obligated to implement reasonable security practices and procedures, i.e. policies that contain managerial, technical, operational, and physical security control measures commensurate with the information being protected. Implementation of such measures could be problematic when it comes to the personal devices of employees. For example, the company’s policy could require encryption of all sensitive data on company-owned computer devices; however, an employee’s BYOD mobile device may not comply with this requirement. If the employee’s personal device is hacked and unencrypted personal data is taken, the company could face potential liability for not implementing reasonable security practices and procedures as required. Therefore, where a company’s security policies require certain security measures to be implemented, it should be determined whether the same measure can be applied to the personal devices of the employees.
There are also employee privacy-related issues, as they will be using the same devices for all non-work related activities as well. The devices will contain personal emails, messages, photos, user names, passwords, and personal and financial information for which the employees will have a certain expectation of privacy. While it is common for companies to monitor the activities of employees on company-owned devices or company networks, the same level of scrutiny may not be appropriate in the case of personal devices of employees. This could hamper the ability of the company to effectively monitor, investigate, or address data security concerns or issues. Investigations, especially those in connection with data breaches, will be difficult if the company is unable to get access to, and possess, the physical device in question.
A comprehensive written BYOD policy that clearly spells out the rules on the use of personal devices by employees for work is imperative. The policy should detail the manner in which the personal device may be used for work and for personal purposes. For example, it could provide for blocking access to certain sites at work; allow the employer to install monitoring software on the personal device or to undertake a remote lock or deletion of data that could include company data; prohibit the installation of certain software on the device; require certain types of data on the device to be encrypted; and lay down protocols to be followed when the employment relationship ends.
Software is also available that, when installed, enables the compartmentalisation of personal and work-related data on a personal device. Such software also allows for selective deletion of company-related data without affecting personal data.
The BYOD policy must also be accompanied by consent/waiver forms, whereby employees consent to the employer accessing their personal devices in the manner provided in the company BYOD policy, and waive any claims that they may have for loss of personal data or damage resulting from such access. After the employment ends, it is also advisable to have the employee certify, in writing, that all company-related data and information has been removed from the personal device and that no back-ups have been made to a personal cloud account or hard drive. This undertaking will help in defending any potential claims that employees may raise relating to the BYOD policy.
While adopting a BYOD policy, a company must consider all the risks associated with such arrangements and ensure that it has proper policies in place to adequately protect its data. The company should conduct periodic audits to determine whether employees' personal devices comply with the company's BYOD policy. A carefully thought out BYOD policy, properly implemented, will greatly reduce the legal risks that a company may face in this area.
Pallavi Thacholi is a Senior Associate and Deepthi Bavirisetty is an Associate at Khaitan & Co. Apart from being a part of the corporate practice, they both also advise domestic and international clients on regulatory and legal aspects of employment and labour law, including on issues of data privacy, data protection, intellectual property, and compliance and risk management.