During a roundtable discussion on the Bring Your Own Device (BYOD) trend, a tech leader candidly offered this bit of real-world insight: "My wife is a nurse. There is no BYOD policy at the hospital. But all of the nurses communicate with each other via SMS, because that's the most efficient way to do their job."
It's a good bet that those text messages, which are practically impossible for IT to monitor and record, are out of compliance with healthcare regulations. It's an even better bet that this kind of BYOD-related breach is happening en masse across the country, in virtually every industry.
BYOD Policies Are Needed, but Do They Really Matter?
Organized by Wisegate, an IT advisory service, the roundtable discussion was chock-full of contradictions. For instance, CIOs need a formal BYOD policy in place to give them some level of control and, presumably, to cover their butts when something goes wrong. Yet they're quick to point out that employees will do whatever they want regardless of the policy.
This has led many CIOs faced with BYOD to go into "a holding pattern," says Elden Nelson, editor in chief at Wisegate and a former Gartner analyst.
Even standard-fare BYOD practices are running into roadblocks.
A mobile device management (MDM) system is usually the first line of defense to ward off malware on the devices and prevent company data leaks from lost or stolen devices, but MDM has been met with resistance.
For instance, a Wisegate member says his company moved away from ActiveSync's total remote wipe to an MDM solution that identifies and segments corporate and personal data and apps and thus can remotely wipe only corporate data. Sounds like a win for BYOD-empowered employees, right? Wrong. Many employees saw MDM as the secret listening agent on their personal devices.
"There were many comments about a Big Brother approach," the Wisegate member says. "We found the users don't want the company they work for to know what is on their device. Some have chosen not to register with the MDM, either insisting on a company device or not having the access capability at all."
Most Users Don't Read BYOD Policies
Educating and training employees about BYOD policies is tricky business. Policies tend to be like every other IT policy, which is to say, excruciatingly difficult to comprehend. Most people scroll to the bottom of an IT policy, check the agreement box and click "OK" -- all without reading a single word.
"I don't think the users understand anything, because you have to read and learn," says another Wisegate member. "Generally speaking, our society no longer does that very well."
Then there's the Cochran v. Schwan's Home Service case throwing a monkey wrench into BYOD. In the first ruling to be binding in the BYOD space, the California Court of Appeal stated in August: "We hold that when employees must use their personal cellphones for work-related calls, Labor Code section 2802 requires the employer to reimburse them."
The ruling was a hot topic at the roundtable, and Wisegate has this to say about it:
"Several participants commented that this ruling had forced them to suspend or delay any BYOD policy while their legal departments work out what it actually means. The general feeling is that if you allow staff to use their own devices, you will have to pay for any use that was required for business purposes. But what would happen if a member of staff has not been told to use his personal device but does so and then claims it was necessary to do his job properly?"
CIOs might have to reward roguish behavior. In the case of the texting nurses working at a hospital without a BYOD policy, it's even worse. These nurses are clearly putting the hospital at risk by skirting healthcare regulations on patient privacy. Nevertheless, the nurses may still be entitled to reimbursement for those text messages, if they can show that they were necessary to get their jobs done.
"There's a wariness with BYOD," Nelson says.