A minefield of legal risks come with “bring your own device” policies

If there’s one buzz word Reed Smith attorney Tim Nagle hears a lot, it’s “BYOD.”

The acronym stands for “bring your own device,” the term businesses use when they have their employees use personal cellphones and tablets to access work-related e-mails, servers and data rather than using company-issued mobile devices.

It sounds simple, but BYOD comes with a minefield of legal questions and risks: How do we prevent trade secrets and client lists from getting leaked if an employee loses his or her phone? How do we keep personal information about workers — bank accounts, Social Security numbers, spending habits — secure? What happens if a personal cellphone infected with a virus gets integrated into the company network? To what degree can a company monitor the searches and personal contacts of their employees?

It is that maze of legal do’s and don’ts that Nagle helps companies navigate. Nagle joined the Washington office of Reed Smith two months ago from Bank of America, where he was the first lawyer hired by the bank to focus specifically on data security. That was in 2006. Since then, the demand for legal services for data privacy and security issues has skyrocketed, as the workforce increasingly moves toward a more mobile, “anytime, anywhere” work ethic.

“BYOD is a reflection of a larger movement ... of the ubiquity of the devices and the ubiquity of data,” said Nagle, who at the time he left Bank of America was the institution’s assistant general counsel. “If you lose your wallet, you call the credit card company and they hold the account. Your cellphone may just become a fatter wallet with more information on it.”

Data privacy and security — once thought to be a concern primarily for health care and financial services providers that collect sensitive data — has become an issue that companies across all industries are grappling with, in part because of the rise in personal smartphone use on the job.

“A decade ago, people had BlackBerrys and were accessing e-mail, but not accessing files or doing a lot of work [on their phones],” said Mary Ellen Callahan, who chairs the newly formed privacy and data protection group at Jenner & Block. “Now with the bandwidth and the ability of PDAs, people are able to work remotely and they’ve become so comfortable with their own smartphone, they’d rather work off of that than the company-provided PDA. It complicates the landscape.”

Law firms are responding to accommodate the demand. Firms such as Venable, Hogan Lovells and Covington & Burling, which have long had data privacy and security practices, are growing. Callahan said she’ll be adding attorneys to Jenner & Block’s privacy group over the next two to five years.

Eric Bosset, a privacy lawyer and co-chairman of Covington’s employment practice, said businesses are increasingly turning to lawyers to help create policies for what exactly employers and employees must do if they use their own smartphone for work. Bosset, who represents large and mid-size financial institutions and software companies, said he gets calls from clients asking whether they should require employees to install software that would allow the company to wipe out data remotely if they lose their phone.