Bring Your Own Computer: the Risks and Challenges
This emerging employee benefit represents an attempt by businesses to embrace the 'consumerisation of IT'
Company car allowances, gym memberships, bonuses and stock options are traditional benefits that many employers and their employees are familiar with. Less common, however, is the ‘bring your own computer’ (BYOC) concept, which involves businesses offering a sum of money towards a computer or other device – such as a tablet or smartphone – for the employee to buy themselves and use both in the course of their employment and at home.
This emerging employee benefit represents an attempt by businesses to embrace the ‘consumerisation of IT’, i.e. the growing importance of the consumer technology market as a driver of IT innovation in business. By giving increasingly IT-savvy employees the freedom to choose and purchase a computer or device that they will use for both professional and personal purposes, organisations are hoping to benefit from higher employee morale and productivity.
The BYOC model is made possible, in part, by the rise of virtualisation and cloud computing. Recent advances in these areas have enabled employees to access and use a virtual work desktop and/or certain business applications from almost any personal device, via a secure remote connection to the corporate IT infrastructure. Under this model, employees can potentially work more flexibly and – theoretically – from any location that has a wireless or other connection, while still allowing the organisation to maintain control over its IT infrastructure.
The model eliminates the need for any corporate data to be stored on the device, with potential benefits in terms of security and privacy. Other purported benefits of this experimental approach include potential CapEx and OpEx reductions, and better disaster recovery.
As with any cloud-based solution, however, there are some risks and challenges to consider before diving into BYOC, and employers will need to consider and manage these properly in order to make the model a benefit for the employer as well as the employee.
Scope of the scheme
Some employees may not actually see the benefit of buying their own computer for work purposes, and may instead prefer the traditional model where their employer buys and maintains it for them. In addition, employers may not consider it appropriate to offer the opportunity to certain types of employees. Any decision to introduce BYOC would therefore need to take into account the potential appetite for its uptake, and the scope of the scheme within the organisation.
In making this decision, care would need to be taken to minimise the risk of discrimination claims by employees. Risks for an employer could arise, for example, if employees were only allowed to choose from a limited range of devices that did not support visually impaired employees’ needs; or if the scheme was not open to those working part time and the majority of part time workers within the organisation were women.
Terms of the scheme
Once the scope of the scheme is determined, the employer will need to deal with a host of issues in the relevant employment contracts and staff policies. For example, the employer would need to deal with the terms and conditions on which it provides the benefit, including:
- those relating to the payment of the employer’s financial contribution (e.g. when and how it will be paid, and whether the employer will fund any upgrades after a specified time);
- who is eligible for the benefit; and
- the employee’s use of the benefit (e.g. whether the employee must pay back the amount if they leave the organisation within a certain time, adherence to IT and other staff policies and the employer’s right to confiscate the device in limited circumstances).
As the virtual work desktop and network connection are segregated from the rest of the device, the user may – depending on the organisation’s BYOC model and the type of computer or device – be free to install applications selected (and licensed) by the individual, configure the interface and store personal data on it. In order to minimise the risks arising from this model, the employer may also choose to impose restrictions on the employee’s purchase, for example by imposing minimum anti-virus and other software requirements, minimum warranty and maintenance requirements and basic hardware levels.
The employer should also clarify the parties’ respective responsibilities in respect of software licensing, and whether there are certain types of software that the employee is restricted from downloading or purchasing.
In addition, employers should consider implementing an acceptable use policy (or widening the scope of an existing one). This would typically cover, for example, the use of non-work related websites (such as social media sites, personal email and auction sites) during working hours, and the prohibition of certain activities using the computer or device, e.g. downloading illegal content.
The BYOC model may bring some challenges to an organisation in terms of security, and particularly to those in highly regulated sectors such as healthcare or financial services. However, aside from particular regulatory hurdles, most of these challenges can be dealt with by ensuring, for example, that the employer:
- selects any cloud provider carefully and conducts due diligence on its security practices (see 'Why the Clouds of Suspicion?');
- implements an adequate security policy which, among other things:
  - includes restrictions on who can use the virtual desktop and/or certain business applications (e.g. to prevent friends or family accessing them);
  - restricts or prohibits the local storage of certain types of data; and
  - deals with the deletion or destruction of local data if the employee leaves the organisation or purchases a new computer or device; and
- communicates the employee’s responsibilities properly in respect of security, including the maintenance of passwords and reporting any potential security breaches.
A key challenge for an employer will be to clarify the respective roles of the IT department and the employee in supporting and maintaining the BYOC devices. Any hardware problems will normally be dealt with by the vendor or manufacturer under the hardware warranty and any additional support package purchased, and this should be clarified in the terms of the scheme. Other issues to consider include:
- the ability of the organisation’s helpdesk to deal with faults and issues arising from the use of different computers or devices (as opposed to the traditional, more standardised environment); and
- whether the employer is responsible for providing a temporary replacement computer or device to the employee if the BYOC device is broken or under repair.
The BYOC approach is an emerging trend that is at an early stage of development. Many organisations will be unwilling to adopt it until the risks and challenges it presents, and the typical benefits it can provide, are more established and better understood. For others, the BYOC approach may simply not fit their corporate culture or it may not receive buy-in from employees. Nevertheless, for most organisations that are looking at it as a way to harness the potential benefits of the consumerisation of IT, the current legal risks and challenges – given due attention and managed properly – are not insurmountable.
"Until the law keeps pace with emerging technologies, the challenge will be to use the existing legal framework to support their adoption."