February 21, 2012

Understanding Liability
All enterprises have long-standing approaches to assessing the risk of employee actions and the corresponding liability. These actions range from unsecured use of company data to accessing inappropriate applications or websites. BYOD introduces a new wrinkle: The device on which these actions may take place is not the property of the company. Now, the company must figure out whether moving device ownership from the company to the employee increases or decreases corporate liability.

There are several important considerations around BYOD liability that financial institutions should address:

  • Defining the elements of baseline protection for enterprise data on BYOD devices: All companies must protect corporate data on the mobile device, but different protections may be required on different devices. For example, more protection against overprivileged consumer apps might be required on the Android operating system compared to iOS.
  • Assessing liability for personal web and app usage: Employees expect to use their personal devices however they wish. Is inappropriate use still a liability for the company, even if it doesn’t affect enterprise data?
  • Assessing liability for usage onsite vs. offsite and during work hours vs. outside of work hours: When and where should mobile device usage be monitored within a BYOD program? The boundaries of work time and personal time blur for many workers, so this can be a difficult analysis with hard-to-enforce outcomes.
  • Evaluating whether the nature of BYOD reimbursement (partial stipend vs. full payment of service costs) affects liability: Many organizations have assumed that the level of payment doesn’t impact the level of liability, but this can vary by region.
  • Quantifying the monitoring, enforcement and audit costs of the BYOD compliance policy: If liability is lower then the corresponding compliance costs should also be lower, which could potentially contribute significantly to cost savings.
  • Assessing the risk and resulting liability of accessing and damaging personal data: For example, what if IT inadvertently wipes a user's personal data instead of just the corporate data? Most organizations will cover themselves legally in their user agreement, but at minimum, this type of situation can create employee frustration.

I have seen many large organizations, including financial institutions, decide that their liability on personal devices is limited to protecting corporate data, and that they are not liable for personal web, app, or other activity on those devices. In other words, their corporate liability decreases when they move to BYOD. However, I've also seen organizations decide that their corporate liability remains unchanged when they move to BYOD. Each organization should seek its own legal advice on how to frame and assess liability variances between BYOD and traditional mobile programs.

Ojas Rege is the vice president of products and marketing at MobileIron.