BYOD/BYOT in Law Firms: Risks and Recommendations, by Sara Anne Hook, M.B.A., J.D., Indiana University

28 Apr 2014 1:26 PM | Chere Estrin (Administrator)
BYOD, or Bring Your Own Device, is not really a new concept. Law firms have allowed employees to work from home for years and provided them with remote access to whatever software and systems were needed. The new twist is that employees are now connecting through tablets and iPhones, many of which are owned by the employees. Issues related to BYOD are expected to increase, especially if law firms begin requiring their employees to provide their own devices. Certainly, this saves the law firm from the expense of purchasing devices as well as the cost of robust, centralized IT support. If the law firm gives employees a stipend to purchase devices or network services, this further blurs the line between who owns or controls the device, how it is used and its contents. Recent articles indicate that this phenomenon should be referred to as BYOT - Bring Your Own Technology - because employees are choosing the software and apps they want to download onto their devices, not all of which provide sufficient security features. ILTA’s 2012 survey highlighted the security vulnerabilities of the BYOD movement, especially for law firms.1

Whether a law firm adopts a partial or fully deployed approach to BYOD, there are several risks that the lawyer should be aware of. When an employee “owns” the device, even if the law firm has paid for it, the law firm loses control and oversight over how the device is used, what software and apps are downloaded onto the device, what information is stored on the device and how and to what extent the device is able to access the law firm’s resources. In addition, the law firm has to trust that the employee is mindful of the many security issues presented with mobile devices, including the risk of theft or loss, the threat of malware, the insecure nature of wireless connections, the extra steps such as encryption needed to protect the information on these devices, especially confidential client information, and the requirement to follow the law firm’s procedures for backing up and archiving information as well as its document retention and destruction policy. Other risks of BYOD include former employees taking data with them and the firm running afoul of wage and overtime rules, which can subject the law firm to liability if employees are expected to respond to work-related communications outside of their normal work schedules. Another difficulty is separating what information the law firm should be entitled to because it is work-related versus the employee’s personal information, so that an employee’s right to privacy is not impinged upon. Special considerations are needed with respect to electronic discovery, not only for the law firm’s employees who are working on a case, but particularly related to the lawyer’s responsibilities in overseeing the client so that proper collection and preservation procedures and litigation holds are communicated to the client’s constituents and are being followed.

Instead of just allowing it to evolve, a law firm should be very intentional in its adoption of BYOD and have a plan and appropriate technology systems and support in place. Although some question its effectiveness, the first task should be to develop a comprehensive BYOD/BYOT policy for employees or to amend the firm’s Acceptable Use Policy to include BYOD devices, software and apps. In an article on how to make BYOD work for law firms, one of Magliato’s primary recommendations is to deploy enterprise software known as Mobile Device Management (MDM), which at a minimum should include software distribution, policy management, inventory management, security management, encryption, access to business applications and data loss prevention.2 He also advocates the implementation of database management systems, law practice management systems and secure file transfer and file-sharing services. Another important facet of proper BYOD/BYOT management is ongoing training for law firm employees, especially in this fast-changing era of smaller and more powerful devices.

1. Charles Magliato. Making BYOD Work for Legal. Peer to Peer, Vol. 28, Issue 3, September 2012, p. 22, 23.
2. Id. at 24-26.

Authored by Sara Anne Hook, Esq., Professor of Informatics, School of Informatics and Computing, IUPUI.