Bring Your Own Dilemma: The Implications of BYOD for Lawyers

I don’t often write about technology, a reluctance I blame on a liberal arts background and a traumatizing early exposure to FORTRAN. But there’s an interesting technology trend underway that has implications for how lawyers interact with their clients.

It’s sometimes called the consumerization of IT (CoIT), but I prefer the more colloquial BYOD (Bring Your Own Device). Primarily, it’s about enterprises losing control of their IT environments because employees insist on using their personal devices and systems rather than those issued and/or approved by the enterprise.  ComputerWorld has a good summary, while CIO Dashboard explores potential responses and Law Technology News considers the legal implications.

This is not going to be fun for law firms and especially for their IT personnel. Mary Abraham sizes it up as a potential “nightmare scenario” in terms of security: “Suddenly, we have a situation in which the IT department no longer is in complete control and may well have trouble imposing a locked-down computing environment.  Now, if you’re working in the financial or legal services industries, consider what happens when you couple the move to CoIT and external IT providers with growing incursions by hackers.”

But it’s the business-model implications that are most intriguing to me. James Surowiecki in The New Yorker astutely analyzes many of Research In Motion’s difficulties in the context of the BYOD trend.  The BlackBerry, he writes, was designed for businesses: “Its true customers weren’t its users, but the people who run corporate IT departments. The BlackBerry gave them what they wanted most: reliability and security. It was a closed system, running on its own network. The phone’s settings couldn’t easily be tinkered with by ordinary users. So businesses loved it, and R.I.M.’s assumption was that, once companies embraced the technology, consumers would, too.”

Essentially, this is a top-down strategy: sell to one business and get hundreds of users. As Surowiecki points out, it’s a time-honoured strategy in the technology industry, driving the growth of everything from the telegraph to Microsoft Office. But then came the bottom-up explosion of consumer-focused personal devices, starting with the iPhone and erupting from there. These devices “have always been targeted at consumers, and tend to come with stuff that IT departments hate, like all those extraneous apps. Yet, because employees love them, businesses have adapted (and the iPhone and Androids have upgraded security to make themselves more business-friendly). As a result, the iPhone and Androids now control more than half the corporate mobile market.”

It may be that only a series of security catastrophes will slow this trend. But even at that, personal technological autonomy has proven to be an extremely addictive feature of modern life. And I think it reflects a growing reality to which lawyers and law firms will have to adjust. Individuals, including both employees and customers, are forging new relationships with companies and institutions, based on the concept of “Not your standards, but mine. Not your terms and preferences, but mine.” It scarcely matters whether people are wise or justified in adopting this philosophy: they’re doing so anyway. And service providers will be forced to adjust.

For law firms of all sizes, this will mean joining the worldwide technological struggle to balance autonomy with security. But it will also mean new communication and service protocols: websites and electronic messages adaptable to numerous (mobile) consumption environments, information and services equally accessible through multiple channels, on-demand standards for both content and format, and so forth. Ultimately, it will mean an acceleration of the loss of control, a relentless ceding to users of the power to decide how content, applications and eventually services are provided and processed.

Top-down is losing out to bottom-up; command-and-control is yielding to choose-your-own-adventure. This will create many tactical challenges and headaches for law firms in many different respects. But in the larger sense, it will really be a philosophical change, a structural adjustment that favours individual autonomy over institutional responsibility, with everything that implies. Permanently? I have no idea. But right now? Yes. And the legal profession will need to come to terms with that.


  1. John Flood said:

    Jordan, a timely post! I have little sympathy for IT departments as in my experience they are often more concerned about their concerns rather than getting it right for the user. In this I come down on the side of autonomy. The idea that an organization can control my use of blogs, Twitter or any other social media is too restrictive. Maybe they need to build better filters but things have gone too far for them to halt it now.

    Let me give an example. I’ve tried using Dropbox to transfer documents at my university. Apart from some simpletons’ ineptitude in using easy apps–and they don’t come easier than Dropbox–our departmental manager tried to stop the use of Dropbox because of “security issues”. He meant downloading viruses etc, if one installed the Dropbox app on your computer. I explained to him that one didn’t even have to install Dropbox to use it, so it was entirely pointless. Moreover, we have it on our phones, iPads, laptops, etc.

    I don’t think it’s feasible for organizations to go into lockdown mentality anymore. So they should come up with solutions instead of griping about those who “don’t use technology properly”.

    Sorry, I feel quite strongly about this!

    @ 11:58 am
  2. John Varghese said:

    Perfect timing and apt analysis! IT departments of service industry worldwide have the notoriety of being over conscious about security issues and thereby delaying technological changes. I have always felt that the issue is more about redundancy than about security, and redundancy is bound to happen unless the managements and the IT department itself start viewing IT department as testers of technological change rather than as drivers of the change. In this testing role, they can be more flexible and adaptable to change, and the change can happen either through them or someone else!

    @ 12:40 pm
  3. Robyna May said:

    There are a number of ways to support BYOD securely, virtual desktops being prime amongst them. This is likely to be the way that most firms allow BYOD without the security nightmare. Having an IT team that can support a myriad of different devices is another issue altogether. The issue with Dropbox security is around secure and controlled access to the document itself being saved to Dropbox. Dropbox has had issues in the past with this and I wouldn’t recommend it for confidential documents.

    @ 5:09 pm
  4. David Canton said:

    I was on a panel at a local tech conference yesterday discussing BYOD. Other panelists were from Cisco, Info-Tech Research Group, and the IT dept of a school board and the City of London. BYOD is here, and is the new reality. Security and privacy are big issues. In part that should be addressed by policy – such as requiring device locks and remote lock-down. But also by considering how access happens – the more that can be accessed from servers rather than residing on the device, the better.

    @ 5:44 am
  5. Jason said:

    As a member of a Legal IT dept I feel we’re sometimes made to be the “bad guys” in this field. BYOD is here to stay; I want the same user experience of work content on my device as I get with my own content. We in IT need to accept this end goal and look to provide it in a secure way.

    IT depts who try and stop “consumers” getting to this goal will fail. It is possible: today I am able to bring my laptop into our office, plug it into the network and get presented with my desktop (via Citrix). A full desktop, with no data stored on my laptop.

    @ 6:51 am
  6. Mark Raabe said:

    @John Flood:

    If your departmental manager tried to say that the security concerns around Dropbox were about downloading viruses, he didn’t do a very good job. The day has long passed when the primary security concern of IT was the stability of desktop and laptop computers. Nowadays, that’s still there, but it’s in the background. What keeps us up at night now, instead, is the security of information stored in the cloud (on systems whose design and management we can’t vouch for) or on mobile devices that can easily fall into the wrong hands. Lawyers who don’t appreciate these worries are doing their clients a severe disservice and may be exposing themselves and their firms to crippling liability.

    Dropbox’s short history has been fairly checkered with regard to these security issues (a statement which a Google search on “Dropbox security” will quickly confirm) — so much so that not just IT, but law firm risk management counsel and even state ethics boards have been forced to take note. Multiply this by the number of cloud service vendors cropping up, and you may begin to appreciate what we’re up against.

    That said, your strong feelings are not unjustified. IT is wrong if it attempts to ignore or squelch users’ demands for new capabilities and greater convenience. This is a tide that simply cannot be held back, and one that can bring great value to both lawyers and their clients.

    IT must now work not to outlaw cloud services, but to confirm their security or find better alternatives. In the case of Dropbox, competitors are emerging that are trying to combine its ease of use with greater security. IT also needs to look for ways to put its own extra security layer on top of Dropbox itself, ideally in a way that doesn’t make it harder to use.

    The original post is absolutely right that this must be a “struggle to balance autonomy with security,” not to view one side or the other as completely right or wrong — or even to view these as different sides. IT’s concerns must be yours as well, and yours must be IT’s.

    @ 8:05 am