BYOD creates potential software licensing issue for businesses, new government guidance warns

Out-Law News | 07 Oct 2014 | 5:08 pm | 2 min. read

Organisations that allow staff to carry out work tasks on their own personal mobile devices should review their software supplier agreements to make sure they permit use of the software on those devices, according to new government guidance.

The guidance on 'bring your own device' (BYOD), the trend which has seen an increasing number of businesses allow staff to carry out work on personal devices, highlighted the impact that BYOD can have on existing commercial arrangements.

"You will … need to consider how any commercial or second party agreements are affected by adopting BYOD," the guidance said. "For example, there may be existing commercial agreements between organisations that restrict the running of business software on personally owned devices."

The new guidance highlighted data privacy and security concerns that businesses need to manage if they implement BYOD in their organisation. It pointed to existing data protection guidelines issued by the Information Commissioner's Office (ICO) to address the BYOD trend and backed the ICO's suggestion that every organisation adopt a specific BYOD policy to set out to employees what data they are permitted to share from their personal devices.

"You should design your network architecture so that staff can only access the information that you are willing to share," the guidance said. "Start by: preventing any unauthorised devices from accessing sensitive business or personal information; ensuring that authorised devices are only able to access the data and services you are willing to share with BYOD employees. Use these requirements to form your organisational policy for BYOD, which you should document to clarify organisation and employee responsibilities. You may want staff to sign this to show they acknowledge and understand their obligations."

"Polices that are too restrictive, in that they impact on the usability of the device, will drive down adoption and so undermine the approach. Such policies may encourage staff to find workarounds which increases security risk. A BYOD implementation requires new policy to cover the specific aspects of the BYOD approach, and changes to existing policy if your organisation is to fulfil its corporate and legal obligations," it said.

Employees should have to verify their identity to access business data on their personal devices, the guidance said. It also advised against allowing business data to be stored locally on those devices and warned organisations to avoid using overly-restrictive "technical services" to protect data. Controls that impact too heavily on usability could cause staff to look for "workarounds" or to "use unsafe alternatives to achieve their business goals".

The government has published a number of BYOD guides that address separate issues, including device security and network architecture. Some of the guidance also addresses BYOD issues in the context of Microsoft's Windows operating system and Blackberry's Secure Work Space application One guide recommended that businesses deploy "defensive network architectures" to ensure access to business systems from personal device is "brokered via a service mediation layer" and that attempts to gain unauthorised access to systems and data is monitored for.

"To prevent devices from accessing data they are not permitted to, network separation should be used within the organisation’s networks," the guidance said. It recommended the use of technical controls to "prevent users from accessing data they are not permitted to access from personally owned devices" and said "services holding data not intended for consumption by personally owned devices should not be reachable from those devices" either.