In many companies, it is common for employees to use their own devices for professional purposes. This practice is called BYOD (Bring Your Own Device). But what happens if such a device puts the security of the infrastructure at risk and the employee's private device needs to be examined in an IT forensic investigation? Is that allowed?
Many companies sent their employees to work from home and were therefore dependent on the use of personal devices. In such a short period of time, hardly any company was able to buy laptops for all of its employees. Cohesion was in demand, and it was practised: only employees with no equipment at all received a company device. Few employees who work with a computer at the office do not have a computer at home, and in 2019 around 58 million people used a smartphone (according to Statista).
BYOD saved costs, especially at a time when every business owner was turning every penny over four times to steer the company through the stormy waters of the pandemic with as little damage as possible.
What are the security risks associated with using personal devices?
BYOD devices are not tailored to fit into the company's safety net. The company usually has no control over these devices, so a uniform level of IT security cannot be enforced. Despite this lack of security, personal data and trade secrets are processed on these devices, and it is difficult for the company to protect that data as required by Article 32 GDPR. In the event of a data breach, the controller is obliged under Articles 33 and 34 GDPR to clarify the incident: he must notify the supervisory authority and, if the breach is likely to result in a high risk to them, also the data subjects concerned. He must also take steps to ensure that no further incident of this kind occurs in the company. For all of these actions, he needs information from the BYOD device.
Personal devices — and now?
In the usual constellation (company-owned devices, examined by the controller's own staff), an IT forensic investigation is usually no problem. If a serious incident occurs, there is no alternative. In this case, the controller may rely on his legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR or, depending on the case, in Germany on § 26 para. 1 sentence 1 or sentence 2 BDSG.
But what happens if a BYOD device needs to be accessed to resolve the incident? Since the device is the employee's private property, the employee may, for understandable reasons, object to the company accessing it.
Is there a duty of surrender for the employee?
No, the employee does not have to hand over his device. The device can, however, be seized as evidence by court order. The problem is that in privacy and IT security incidents it is often a matter of minutes to mitigate the threat. A judicial order for seizure often comes too late, and the evidence can be deleted in the meantime. The fact is that if the employee refuses, the company has practically no chance of getting to the device in time.
If the use of BYOD devices is planned or implemented despite these security and privacy concerns, a strategy needs to be developed. It consists of technical and organisational measures and can at least mitigate the risk. On the technical side, virtualization and container solutions are available. The advantage of container solutions is that private data and applications are separated from professional ones. But that alone is not enough. Information processed on workstations or laptops must be stored only on the company's network drives, never locally. In addition, the company needs technical access to the device in an emergency so that, in the worst case, it can delete company content remotely. Remote access to certain system resources for IT forensic investigations is equally important.
Such access must also be legally valid. It requires the conclusion of a suitable user agreement with each employee concerned. If an employee refuses and does not want to grant the right of access, he must be provided with a company device. Otherwise, the company will have a problem with the required voluntariness, because the legal bases mentioned above reach their limits when it comes to private and personal data, and such data will inevitably be processed in an IT forensic investigation of a private device. This means that only freely given consent to the procedure justifies access to this data.
With BYOD, there are issues with IT security, the legal basis, device access, and IT forensic investigations. If these points are not addressed, the company will ultimately have to bear the damage. It is therefore important to carefully consider whether it would not be more expedient to issue company devices to the employees concerned. If this is not possible, precise usage rules must be established so that the company is prepared for conflict situations.