As I set out in my previous blog posts, the demand for bringing your own device to work continues, and is largely driven by the many benefits of embracing BYOD. In this post, I set out some of the costs and risks of BYOD.
- INCREASED TECHNOLOGY COSTS: For every benefit to embracing BYOD, there is the other side of the coin. While BYOD may eliminate some hardware costs, your IT team now has to be up to speed on more than one system. This may involves costs for more than one security regime, as well as ongoing training to support different software and hardware requirements.
- OVERTIME EXPOSURE: The after hours productivity may also create exposure for unapproved and unintended overtime pay. The slow death of the 9-5 work day and increasingly blurred lines between work and play require clarity around expectations for after-hours work. BYOD could mean more non-work related activities by day and more work related activities by night.
- CONFIDENTIALITY: Not every position is BYOD appropriate. For positions that involve particularly sensitive information or in a smaller company where there aren't the technical resources to let one rogue employee have their own technological infrastructure, the risks and costs may outweigh the benefits.
Emergency service providers are a category of worker that may present practical obstacles too tricky to overcome. See my post on “Social Media and the EMS Employee” from last October. Some EMS employers are simply banning all electronic gadgets so that their employees can focus on driving and/or on the patient in front of them, and to avoid liability issues along the way.
In determining whether a position is “appropriate” for BYOD, I would hesitate to draw conclusions from how senior a person is in the organization. I recall seeing President Obama using his Blackberry during his first presidential campaign and wondered then about the confidential and sensitive nature of the information on that device. Presumably someone has figured out the security and confidentiality issues in that case.
- PRIVACY: Employers must recognize that they can lower but not fully eliminate expectations of privacy on a workplace computer through effective policies (see my blog post on R v Cole, "Privacy & Porn on Workplace Computers"). Having said that, employees must realise that they give up some privacy when plugging into the mothership.
Security protocol, for example, might demand that the IT folk be able to remotely wipe a device clean when it goes missing on the subway. There goes the picture of your daughter losing her first tooth or the video of your boyfriend’s drunk dancing at your co-worker’s wedding (which probably shouldn’t have been on there in the first place, but then, you weren’t exactly sober either when you filmed it).
- SABOTAGE (OR MORE LIKELY, IMPROPER USE) : While electronic sabotage more frequently happens in those novels that you have a fake slip cover for, permitting personal devices in the workplace could lead to heightened risk of industrial sabotage, or at the least, a pain in the neck unauthorized access of the server through a personal device.
For example, in Hendrickson Spring v United Steelworkers of America, Local 8773, the employee connected his cell phone to a company laptop to access the internet and watch videos unrelated to company business. He was caught again two weeks later, and during the ensuing investigations, denied everything. He was terminated for misappropriation and improper use of company computer hardware/software, improper access of the internet through the company’s computer system, and improper skirting of the company firewall, all on company time.
His termination was upheld at arbitration: he had a relatively short service with three previous disciplines. The deal breaker appears, however, to have been the arbitrator’s finding of dishonesty and lack of credibility. While no data was lost and no industrial sabotage occurred, the employer had to expend resources and time to defend the termination. Whether the employer had banned all devices or embraced BYOD, the cost remains that there will always be those vexing employees who take the issue too far.
While not at the top of likely risks to actually unfold in your workplace, sabotage does happen. In an older labour arbitration case out of Quebec, Telebec Ltee and ACET, the employee was terminated for the sabotage he committed when he wiped his computer clean of information on his way out the door. His termination without cause due to a restructuring made this otherwise discipline-free employee lash out at his computer, and he deleted ten days worth of work data and various formats and methodology for which only the employee was responsible. This converted his termination to cause.
The case is not strictly a BYOD case, but it does highlight the vulnerability of electronic information when accessed by a ticked-off employee. Increasing electronic entry points to the server through BYOD will force your IT folk to stay on their toes. (And to show that the more things change the more they stay the same, the Telebec case relies on knitting machine caselaw to set out the threshold for upholding a termination for industrial sabotage.)
Weighing the risks, costs and benefits of embracing BYOD will vary from industry to industry, and company to company. All of your employees no doubt already have some sort of device in their pocket, already putting the company at risk of inadvertently tweeting, posting or emailing out confidential information during or after work hours. Pulling that device into workplace and setting up transparent and engaging policies may help mitigate the risks of a phenomenon that will likely continue to gather speed, with or without workplace blessing.
Okay, fine, I give – BYOD it is. Now what? Stay tuned for my next blog post:
- Developing a BYOD Program