In-House Advisor: "Bring Your Own Device" policies can mitigate risk

Creating a Bring Your Own Device policy for employees using personal electronic devices for company purposes is one good way to help mitigate potential legal and security nightmares
Illustration by Gary Neill

Watch it play out the next time there's an important announcement. No one heads to the water cooler to trade workplace gossip anymore. Boomers, Gen-Xers and Millennials alike go straight to the virtual water cooler, which could be an instant messaging group, social media site or chat room. And they may be using a personal smartphone, iPad or a laptop they also use for work.

As what was once spoken is now being written, it can be captured, preserved and end up as evidence. But the fact it may be all tangled up with personal information is challenging the traditional work product paradigm.

A single device used for both work and play creates uncertainty over who owns the contents, whether a company can retrieve information in the event of a dispute or remotely wipe the device if it is lost.

Monitoring content, as many organizations maintain the right to do, also raises troubling issues, such as whether someone using their own computer for work can join non-mainstream chat rooms, use online dating or gambling sites, do their banking or watch pornography on their own time with a reasonable expectation of privacy. Employers also run a risk of inadvertently collecting personal data when collecting work-related information.

George Waggott, Co-chair of the Employment & Labour group at McMillan LLP in Toronto, says using a personal device for work clearly blurs the boundaries and leads to “all kinds of questions about where the workplace starts and ends. And it’s becoming increasingly difficult to figure that out.

“Religious preferences, friends, sexual behaviour, political views are the typical sources of controversy, and the typical defence for someone whose behaviour is questioned is that ‘that’s all very interesting, but it has nothing to do with my work. It’s my personal life.’ People are saying it’s my phone, my iPad, my laptop, so butt out.”

Legally, he says, “it can be a nightmare.”

It can also become a security nightmare. Pornography and gambling sites are more likely to push malware, spyware, Trojans and viruses onto a device, and an infected device that also connects to corporate systems exposes the company to cyber attack.

Some companies are implementing Bring Your Own Device (BYOD) policies that lay out the company’s rights and the employee’s rights and obligations. Others, such as Xerox Canada, avoid potential problems by not sanctioning the use of personal devices for work.

Any Xerox Canada employee who requires a smartphone to do their job is supplied with a company-issued BlackBerry, says the company’s Toronto-based Vice-president and General Counsel Dorothy Quann. Employees are also provided with Dell computers.

While iPhones and iPads and the like aren’t expressly banned, she says, “the ability to retrieve all the information is restricted. You’d have less open access to all the systems — and that’s for security purposes. We have restricted access to our specific computer when we’re working remotely and we have a very, very, strict policy on when we can access data.

“We can’t go into open chat rooms to access things, for example, or use a wireless network in an open café to access the Xerox systems. We have a lot of policies on security of data.”

Xerox does have a central document repository so employees can access their material remotely, but it’s not in the cloud as it is with some other companies. It is housed on Xerox’s mainframe computer.

Determined employees can sometimes find their way around these policies and quietly work on their own device without permission, says Waggott.

Someone who has a company-issued phone and computer may still have an iPad they bought for their music library or so their kids can watch cartoons in the car. One day they’re up against a deadline so they go into the company system and email the document to their home Gmail account. Or they install their work email on the iPad so they can monitor messages at night from upstairs while the phone is downstairs charging.

“There is your BYOD issue,” he says.

No BYOD policy? OMG. Practitioners active in this area warn that companies that permit employees to use their own devices without one may be flirting with real problems when it comes to risk management.

 

Corporations like Xerox Canada appear to be fighting a rising tide. Recent studies show three out of four Canadian businesses now support the use of employee-owned smartphones and tablets.

It can be cheaper for the company, which may pay a portion of the monthly bill, but even if it’s not, employees prefer it. Those who like Apple can use iPhones, those who like BlackBerry can use BlackBerrys, and those who like Android can use Samsung or some equivalent.

While 75 per cent of Canadian companies permit employees to use their own phones, laptops and tablets, many didn’t start looking at detailed BYOD policies until very recently.

Sierra Systems is one example. While Sierra’s US operations have had a BYOD policy for some time, the company has been “slowly trying to introduce the concept into Canada,” says Robert Piasentin, Sierra’s Vancouver-based General Counsel.

Uniquely Canadian issues, such as privacy laws and new software-updates legislation, “have caused a bit more of a challenge for us here in terms of implementation.”

Sierra wants to make sure it isn’t over-reaching on the one hand or losing access to relevant information on the other, says Piasentin, who calls it “a fine balance. The biggest challenge would be on some kind of dispute. How do we actually get relevant content off of a mobile device or laptop if it’s not company property that we could very easily go through and take control of? Luckily, we haven’t had to go there yet, but we’ve been dealing with how to manage that at a high level.

“Some of the stuff we’ve done is policy. If it’s related to work, for example, all of our employees are required to make sure they use that information only on their work account. They’re not supposed to be sending emails from a personal email account like Gmail. Texts are slightly different, so we’ve tried to give people some guidance in terms of letting them know if there ever was a disclosure obligation, we may need to get that information from their phones.

“We’ve been trying to make sure people are educated in terms of what they can and cannot do if they’re using their own device.”

Software updates are also extremely tricky terrain. The second phase of Canada’s anti-spam law that came into effect last month has introduced a consent requirement, which stipulates software vendors cannot automatically update software if there’s a chance the update transmits back any personal data.

When employees use company-provided equipment, the software is licensed to the company so updates and patches are automatically done by the IT people. When they use their own devices, the new law means even if an update is critical to fix a bug or patch a hole to prevent a virus, the timing of the update is up to them.

That leaves the company vulnerable to someone using a laptop or phone that doesn’t have all the necessary patches or fixes in place, “where a hacker could somehow access our systems and put our entire network and data at risk,” Piasentin says.

“The problem is your work is only as secure as your weakest link. If you don’t have consistent updates of security patches or updates, you have those gaps where hackers can get into your system, and it becomes a big security risk.”

How is Sierra addressing that? “We’re working on it. But it creates a much bigger headache in terms of how you make these things work.”

 

Another potential Achilles’ heel with all the new communications channels is what employees do in chat rooms. You don’t need to look any further than the LIBOR scandal to see why.

Six banks have already paid US, UK and Swiss regulators US$4.3-billion to settle allegations they manipulated the inter-bank lending rate as well as key foreign-exchange benchmarks. Traders at competing institutions were found to be plotting strategy in unmonitored instant messaging chat rooms, helping the US Justice Department document its case.

The Wall Street Journal reported investigators found chat rooms with names like “The Cartel” and messages in which traders joked about being able to influence currency exchange rates and appeared to inappropriately share information with competitors.

That evidence in the LIBOR scandal has encouraged investigators and regulators around the globe to start scouring instant-messaging forums when they are looking into suspected wrongdoing.

At the same time, many corporations are cracking down on their permitted use — especially financial institutions that have employees who regularly swap trading information and gossip about potentially market-moving events.

Barclays, Citigroup, Deutsche Bank, JPMorgan, Lloyds, Royal Bank of Scotland and UBS are among those that have reportedly banned the use of multi-bank chat rooms. In Canada, Royal Bank of Canada, with about 2,500 traders, has been carefully considering its chat-room policy.

Jeffrey Francis, RBC’s Senior Counsel, says it’s important to differentiate between social-media chat rooms and those associated with legitimate trading platforms. RBC’s traders are permitted to use platform-based forums, such as Bloomberg’s instant message chat room, he says, because the bank can capture and store that information for discovery and production in case of a regulatory investigation or litigation.

“Obviously, with regular social media chat rooms you’re not always in a position to do that because we don’t in all cases have something to capture,” says Francis. “That’s where you can get into the dark places. That’s the potential danger, you’re off campus talking about things you shouldn’t that aren’t being captured by your record-retention system.”

New software products have been developed that allow banks to host and manage their traders’ access to instant message chat rooms, and RBC has been looking at them. Meanwhile, the bank trains employees authorized to use chat rooms about some of the inherent risks and gets them to sign off on a code of conduct beforehand.

“Obviously talking trading strategies is one thing but issuing stock tips is something else, and something very problematic,” says Francis. “I think the whole LIBOR thing drove that home very quickly.”

RBC has also stepped up its monitoring, checking digital communications for specific words and types of information to make sure its employees are not even inadvertently conveying something they shouldn’t. Francis says a ban on instant messaging groups and chat rooms isn’t the answer because it might cut off an important source of information. “In our case, telling our traders they can’t enter these chat rooms and discuss things could potentially hamstring our own firm. So it’s finding the sweet spot between ensuring you’re complying with all applicable laws and, at the same time, not doing anything you shouldn’t.”

The challenge is the employee who decides to go into one of the “dark” chat rooms on their own time using their own device. “What can we do about that? The fact of the matter is nothing. We don’t monitor your personal use of your own device. There’s a line that RBC has not been willing to cross, which is to say if we do go down the BYOD route, and it looks like we’re going to go there, we can’t monitor people’s personal and private use of their own device because it’s theirs. So there is a risk.”

The risk that keeps Francis up at night is the cyber-security risk inherent in allowing employees to use their own phones and tablets.

“When I have an RBC-issued BlackBerry it’s very restricted what I can download on to it. But when you have your own phone you can download all kinds of crazy stuff, and that could host a virus which could mutate, it could actually record your keystrokes, figure out what your password is. There is that level of cyber risk but it’s one we’re working with because this is what everybody seems to want.

“Nobody wants to be forced to use a particular type of personal device they’re not comfortable with. People want to be able to use their own device and just have an RBC icon they log in with. I think people are going to be really pleased with our BYOD solution.”

 

There is a much more mundane risk that companies should also be concerned about as employees increasingly use their own devices for work, says Lisa Stam, of Toronto-based Koldorf Stam LLP.

She ranks the ownership of content, such as Microsoft Outlook contacts and LinkedIn connections, as the biggest issue, saying it has essentially become part of a company’s intellectual property.

“We’re in a new world where we’re all networking our own brand within a larger organization’s brand. The problem with BYOD is that everyone’s using all kinds of social media on their own device and there’s a grey area over who owns that,” she says. “We really don’t have enough clarity yet in Canada over who owns things like LinkedIn connections.”

While the user agreement is between the employee and LinkedIn, with the company a third party, she says, “historically, it’s been pretty obvious you can’t walk out with the Rolodex list or the customer list.

“LinkedIn has become our customer list. So is it your network as an individual or is it your network as an employee of the company you’re working for — especially if you’re in sales or a department where you have to generate business? You could argue there’s a real business need to hang on to what could be considered a customer list, so for employers it might be worthwhile fighting over it.”

Another reason ownership of content matters is in case an employee loses his or her phone or laptop. The home emails, family photos and music library may be mixed in with private and potentially sensitive company information, such as emails, documents on strategic plans or not-yet-released PDFs that are being annotated. But it’s not clear the employer will be able to remotely wipe the device, says Stam. “The employee is exposing the company, but most still have an expectation of privacy because it’s their own device. A BYOD policy can really clarify or significantly lower the expectation of privacy by the employee.”

Policies should also stipulate there be certain basic security features, such as locking out users after a certain amount of time, and “that only you will use it — not your children or your friends and family,” she says, advising it should also set out what happens in the event the employee leaves.

“Where it’s the person’s own device, there’s some ambiguity between the parties at the moment of termination and it’s a pain in the neck. Does the employer have the right to review everything on that personal device to take off company-related information before they hand it back? The employee could have an argument it’s their phone and they’ll do what they want with it, unless there’s been some sort of agreement or policy in place.

“The other practical reality is if you fire someone and they leave, how do you get it back after the fact? Do you go to their house? It’s critical you have a policy you can point to in the termination meeting so you can get access while the person’s still in the workplace with their device. It’s hard to get your hands on it after they’re gone.”

But at the end of the day, Stam says, companies that want to ensure they have 100 per cent ownership of employees’ work product should forget BYOD. “Just give phones and laptops as any other tool. We used to give employees pens and pencils with no problem. Smartphones and laptops are no different. If you want full control over content, that’s still the best way.”

Creating A BYOD Policy

Creating a “Bring Your Own Device” policy for employees may help mitigate potential legal issues down the road

Here are some of the elements experts say companies should consider when drafting a BYOD policy for employee use of personal electronic devices for company purposes:

  • Define activities that constitute acceptable business use.
  • Personal devices that have been rooted (Android) or jailbroken (iOS) should be forbidden from accessing the company network.
  • The company’s IT department should be permitted to install anti-virus and mobile device management software on all personal mobile devices.
  • The company should, at its discretion, be able to block employees from accessing certain websites during work hours or while connected to the corporate network.
  • Provide a list of approved apps or categories of apps that are permitted, such as Facebook, Twitter, Instagram, weather apps or productivity apps.
  • Provide a list and categories of apps that are not permitted, such as peer-to-peer file-sharing apps.
  • Spell out that the device may not be used to store or transmit illicit materials, proprietary information belonging to another company or engage in outside business activities.
  • Stipulate that, while at work, employees are expected to exercise the same discretion on their personal devices as they would using company devices.
  • Stipulate that no employee using a personal device should expect any privacy other than that which is due by law.
  • Reserve the right to review personal and company-related data on personal devices and release the data to third parties during an investigation or litigation.
  • Employees should be prohibited from knowingly disabling any network software or system identified as a monitoring tool.
  • The company may want to add a clause prohibiting friends and family from using personal devices that are also used for company purposes.
  • The device should lock after five failed login attempts, with the employee required to contact IT to regain access.
  • Think about requiring “remote-wipe” software to be installed on personal devices prior to their use for work.
  • Reserve the right to take appropriate disciplinary action up to and including termination for noncompliance with the BYOD policy.
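How the technical elements of such a policy become an enforceable device-posture check, as an added Python illustration (not code from the article or from any MDM product); the posture fields, app categories, device ids and the help-desk unlock routine are constructed assumptions standing in for what a real MDM agent would report:

```python
"""Device-posture evaluation modelling the BYOD policy elements listed above.

Added illustration, not code from the article or from any MDM product.
The posture fields, app categories and device ids are constructed for
this example; a real mobile device management agent would supply them."""
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 5                           # lock after five failed attempts
BLOCKED_APP_CATEGORIES = {"p2p-file-sharing"}   # constructed "not permitted" list


@dataclass
class DevicePosture:
    device_id: str
    rooted_or_jailbroken: bool = False          # rooted (Android) / jailbroken (iOS)
    mdm_installed: bool = True
    antivirus_installed: bool = True
    remote_wipe_enrolled: bool = True
    monitoring_tool_disabled: bool = False
    failed_logins: int = 0
    app_categories: set = field(default_factory=set)


def record_login(p: DevicePosture, success: bool) -> bool:
    """Update the failed-login counter; return True if the device is now locked.
    A lock is cleared only by it_unlock(), mirroring 'contact IT to regain access'."""
    if p.failed_logins >= MAX_FAILED_LOGINS:
        return True                             # already locked; further attempts ignored
    p.failed_logins = 0 if success else p.failed_logins + 1
    return p.failed_logins >= MAX_FAILED_LOGINS


def it_unlock(p: DevicePosture) -> None:
    """Hypothetical IT-initiated reset after the employee contacts the help desk."""
    p.failed_logins = 0


def evaluate(p: DevicePosture) -> dict:
    """Map each policy element to a check; deny network access on any violation."""
    violations = []
    if p.rooted_or_jailbroken:
        violations.append("rooted or jailbroken device")
    if not p.mdm_installed:
        violations.append("mobile device management software not installed")
    if not p.antivirus_installed:
        violations.append("anti-virus software not installed")
    if not p.remote_wipe_enrolled:
        violations.append("remote-wipe software not installed")
    if p.monitoring_tool_disabled:
        violations.append("monitoring tool disabled")
    for cat in sorted(p.app_categories & BLOCKED_APP_CATEGORIES):
        violations.append("prohibited app category installed: " + cat)
    if p.failed_logins >= MAX_FAILED_LOGINS:
        violations.append("device locked after %d failed logins" % p.failed_logins)
    return {"device_id": p.device_id, "allow": not violations, "violations": violations}


if __name__ == "__main__":
    dev = DevicePosture("constructed-tablet-01", app_categories={"productivity", "p2p-file-sharing"})
    print(evaluate(dev))
```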

 
