As a result of the COVID-19 pandemic, remote access has now become a life line for maintaining an organization’s ability to conduct business. As a result, “bring your own device” (“BYOD”) policies should be top of mind for both employer and employees. While different organizations will approach BYOD from different perspectives, each and every organization requires some form of BYOD strategy.
Organizations are now accepting BYOD as the new “normal”. Some may fail, however, to appreciate the risks that can arise with an employee’s use of their mobile device. To address these risks, organizations should review, update and revise accordingly the remote access, security and other policies in response to the increased use of personal mobile devices that access an organization’s information technology. Where there are no such policies and procedures, while not ideal, now is the time to adopt procedures and policies governing the use of personal mobile devices for work related activities.
It is important that while conducting these reviews, companies not overlook the specific and unique IP risks that these personal mobile devices and remote access present. To assist with company’s risk IP mitigation strategies, we have put together a list of key considerations to address. The following is designed to provide some suggestions and guidelines on how to strategically manage and reduce the associated IP risks.
It’s Not Just About Email Anymore
Smart phones, tablets, PCs and laptops are now being used for work in addition to personal uses. Common office software and applications for word processing, spreadsheets and multi-media presentations are being used to take work outside of the office. As a result, employees may be using their own hardware and software, in all likelihood purchased for personal use, for commercial use. There is also the ability of the employee to create and disseminate information outside of the normal protections of the workplace (e.g. restricted access, firewalls, etc.). With employees being able to create, use and disclose information across multiple platforms, there are a number of IP ownership and disclosure issues that arise.
Software vendors tend to licence their products with a number of price points and/or restrictions depending on the nature of the licence. For example, the same word processing program may be available under a student licence for $50, a home licence for $100, a small business licence for $250 and an enterprise site licence that allows for installation on 10 workstations for $5,000.
In each case, the licence will define the permitted uses of the software. Any use of the software that is not permitted may be a breach of the licence and an infringement of copyright. A breach of a license term between the employee and the software vendor may also be of concern to the employer because, under provisions of the Canadian Copyright Act, the employer may be “authorizing” the employee to infringe.
Virtually every business will also produce, own, and use a wide variety of assets and resources that are created internally and may be protected as a trade secret and/or under IP legislations such as the Canadian Copyright Act and Patent Act. These assets can include software, marketing plans, databases, instruction manuals, employee handbooks, audiovisual materials for use in social media or traditional broadcast, web materials and photographs.
Employees may be creating, using and disseminating these materials via their personal devices. In the BYOD environment, therefore, company assets may be passing outside of the corporate firewall and residing on the personal devices of employees or on non-company servers. The ability of cloud storage, for example, provides a particularly efficient manner for the control over the publication or dissemination of trade secrets to be lost.
What Are the IP Risks of Not Addressing These Concerns?
If an employee is doing work for their employer with their own personal software that is licensed to that employee for non-commercial activity, the employee is in breach of the conditions of licence attached to the software and potentially liable for copyright infringement. If the employer knows that the employee is using a program on their personal device for work-related tasks and also knows that this device is not covered under their own licence for the software, the employer could be found to have “authorized” the infringement. In Canada, a software vendor could elect to recover statutory damages of between $500 and $20,000 per work.
For copyrighted works (e.g. software), the first owner of copyright on any material produced by an employee in the course of their employment is, by default, the employer ─ regardless of where and how that material was produced. There is one gap, however, as this provision does not apply to independent contractors.
In the context of patentable invention, the employee is more akin to an independent contractor. Unless there is a written agreement to the contrary or the employee is specifically hired to invent, any invention developed by the employee is the property of the employee and not the employer.
Beyond ownership issues, the ability of the employee to easily disclose prematurely a patentable invention or other pieces of confidential information of the employer can have a negative impact on company assets. If an employee discloses the invention, then the ability to obtain patent protection and any possible trade secret protection may be lost. Just imagine what would happen to the owner of the formula for a famous soft drink if it was disclosed via social media.
As such, potentially important company assets may flow out of the company’s hands as a result.
What Can Companies Do to Mitigate These IP Risks?
Companies should develop and implement clearly written and easily accessible BYOD policies for the identification and mitigation of potential IP risks. Once the policy has been developed, it should then be incorporated into the company’s daily business practices and procedures. Companies should also endeavour to effectively communicate these policies to their executives, employees and independent contractors. Once the policy has been developed, it should be updated on a regular basis as technology will likely change over time and may present new risks that had not been considered previously.
With an effectively conceived and implemented policy, companies can reduce the IP risks associated with BYOD. At minimum, an effective BYOD policy should address and provide for the following:
- Provide employees with appropriately licensed copies of software if they are using their devices for business purposes;
- Require employees to submit their devices for periodic audits and indicate when/how to report and track devices when in use, lost or stolen;
- Establish clear guidelines for when and how devices may be wiped (e.g. employee termination, lost or stolen device) and when/how employees should back up personal data (e.g. photos, music, videos, etc.);
- Define “acceptable use” from the company’s perspective, develop a white list and a black list of approved and prohibited software/apps and indicate whether technology will be used to enforce such policies;
- Establish policies to explain and address confidentiality and privacy concerns and the need for effective enforcement of each;
- Establish a security policy for all devices (e.g. password logins, lock screens, etc.);
- Establish a recommended approach to content storage (cloud vs. device); and
- Clarify ownership of any developed copyrighted works, patentable inventions (e.g. particular software apps) or data and provide for employees/contractors to execute written assignment agreements to that effect.
Companies need to identify and manage the IP risks associated with employees’ BYOD. By having effective IP risk management in place, companies can avoid the potential losses, headaches and costs associated with inappropriate use of ubiquitous mobile devices (e.g. possible costs of “authorizing” IP infringement claims). The costs of not providing effective IP risk management tools are too great to ignore.