Summary: From intellectual properly ownership to data security, companies need to tread carefully when formulating a BYOD policy, according to Madgwicks Lawyers partner Dudley Kneller.

Legal risks around issues such as intellectual property (IP) ownership and data security can present major hurdles for organisations that want to implement an effective bring-your-own-device (BYOD) scheme, according to Madgwicks Lawyers partner Dudley Kneller.

BYOD is in vogue right now, and many companies are keen to put a program in place to facilitate staff bringing their personal devices into a corporate network, giving them more flexibility to work remotely.

But a number of legal issues must be addressed when it comes to BYOD, according to Kneller, who was speaking at the Informa BYOD: 2012 Conference in Sydney.

Yesterday, Tech Research Asia principal analyst Tim Dillon raised some legality issues around BYOD, specifically complications of remotely wiping a personal device of a departing employee and data retention compliance issues for companies.

Another legal concern organisations need to grapple with is who owns any IP that was created on an employee-owned device for work, according to Kneller. Traditionally, employees would do their work on a company owned PC sitting in an office during the old nine-to-five working hours. Any tangible work done by the employee would belong to the company.

BYOD complicates things since staff can be doing work on their own devices outside of traditional working hours, Kneller said.

"The move to mobility and BYOD makes the comfortable position we are used to around IP ownership more challenging," he said.

IP ownership becomes even more muddled when bringing contractors into the workforce, which is now common practice by many companies.

"When they produce IP, unless an organisation specifically arranges for the IP to be assigned to the company in writing, that IP will remain with the contractors," Kneller said.

Then there is data privacy, which will become even more critical next year when the Australian Privacy Act is amended to give the Privacy Commissioner more teeth when companies compromise the personal information of customers.

High profile data breaches suffered by companies such as Sony and Telstra have put data security high on the radar of the Privacy Commissioner, which has recommended a mandatory breach notifications system be put in place.

While data security has traditionally been ensured by IT departments, with BYOD, staff have to take care of it themselves, Kneller said.

"This wouldn't be much of a problem for the tech savvy employees, but for a lot of users, that's going to be a very uncomfortable road, and they will need some hand-holding," he said. "A lot of confidential information comes into an organisation in different ways, so from an organisational perspective, you need to know what the obligations are in respect to that information, and have processes around that manage it effectively.

"Technology can assist you in allowing access to relevant information and denying access of information to certain users that don't need to see that information."

Kneller acknowledged that BYOD is a reality, and rather than avoiding it, companies should embrace it, but ensure the proper policies are in place to avoid possible legal complications.

"This is a journey that doesn't give you the luxury of starting from scratch," he said. "You need to look at what you currently have in place so you can update, modify, and build upon those existing policies."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Madgwicks is a member of Meritas, one of the world's largest law firm alliances.