“Bring Your Own Device” Policies for Law Firms
By Ryan Conley, Staff Contributor
“Bring your own device” (BYOD) is a policy that allows (or requires) employees to use their own personal mobile electronics such as smartphones, laptops, and tablets to access privileged company information.
A lot of demand for BYOD comes from employees. Most professionals own mobile devices that they understand well, enjoy working with, and greatly prefer using over company-issued devices. Although BYOD usually shifts hardware costs from businesses to their employees (absent a stipend for purchases), this hardly represents a significant burden for the majority of professionals, given the increasing variety, affordability, and ownership of mobile devices.
Executives are also increasingly interested in BYOD because of its potential to allow job responsibilities and communications to reach beyond the walls of the office and the constraints of business hours. When mobile devices are used solely for work tasks, it is easy for employees to turn them off and forget about work as soon as they leave the office. But when personal and business email and phone calls all happen on one device, a well-connected employee cannot help but think about work periodically throughout the off-hours. This is, of course, a mixed blessing to the worker: mobile electronics allow greater flexibility in working remotely and on flexible hours, but personal lives can suffer from a lack of pure free time.
The primary concern for any business with a BYOD policy is security risk. When a business distributes a single model of laptop or phone with only pre-vetted software installed or permitted, security is far tighter than under a system of many different devices, each with any of a huge range of available applications installed. In fact, the most liberal BYOD policies render the traditional relationship between IT departments and end users obsolete. Employees, rather than depending on IT to protect them from themselves, must be educated and encouraged to provide for their own security. Well-developed, written policies concerning data security must be in place, and employees should be required to brush up on security regularly.
Three common approaches to security for mobile devices are virtualization, the “walled garden,” and limited separation. Virtualization, the most secure option, allows devices to access the corporate network and data through an encrypted virtual private network (VPN) connection. No data is stored on the personal device in this case, and required software installations are minimized. This is an approximation of cloud software in which the “cloud” is operated by your firm as opposed to a software vendor. A “walled garden,” also called a “corporate sandbox,” is a segregation between corporate and personal data that mitigates the risk of breaches of confidentiality and damage from malicious software or viruses. Limited separation, the least secure of these options, permits intermingling of personal and corporate data and applications but still employs minimum security controls.
Cloud software is beginning to lower the barriers to adoption of BYOD policies and lessen the burden of implementing them.
Traditional desktop software: requires installation of a full-fledged application; stores data locally, where it is vulnerable to corruption, loss, accidental disclosure, or theft; and must be updated by the end user or IT professional when bug fixes and security updates are released, which means downtime.
Cloud software, on the other hand: installs only a small “app,” if anything; stores data remotely, on highly secure servers; and, if entirely web-based, loads the current version of the software from remote servers every time you log in.
Thus, the more cloud-enabled your legal practice is, the less work will be involved if you decide to implement BYOD.
BYOD is spreading at very different rates in different industries. Those full of creative types or tech-savvy employees likely never issued company devices at all, while highly secure and conservative industries are much slower to adopt the policy. Law firms likely fall somewhere in the middle of this spectrum. Because security of privileged information is of the utmost importance to attorneys, that is clearly the main sticking point preventing some firms from taking the plunge. But a little research into cloud software and VPNs might convince you that IT security is not quite so device-dependent as it once was.
With a careful, methodical review of security policies and available software solutions, your firm can reap all the benefits of cost, productivity, and communication that BYOD has to offer.