Blurring Lines with a Mobile Workforce

Bring Your Own Device, Face Your Own Discipline?

By: Ruwan Adikaram, PhD, Roger Reinsch, JD and Alan C. Roline, JD

In the realm of information technology, “Bring Your Own Device” (BYOD) is the practice of allowing employees to use personal technology devices such as laptops and smartphones for work purposes. In one form of BYOD, employees use personal devices at work or off-site locations (client sites). In the other form of BYOD, organizations provide devices that employees use for personal purposes outside of work (Richard Oliver, “Why the BYOD Boom is Changing How we Think About Business IT,” Engineering Technology, vol. 7, no. 28, November 2012). The common theme in both forms is that these devices are used for both work and personal tasks, which blurs the lines between personal and official use. This dual-use means that these devices essentially share software, data, applications, cloud services, and connect to networks at home, work or anywhere else. Although BOYD offers many benefits, CPA firms should also be cognizant of BYOD risks. [See, for example, Steven M. Puiszis, “Can’t Live With Them, Can’t Live Without Them—The Ethical and Risk Management Issues For Law Firms That Adopt A “BYOD” Approach to Mobile Technology,” 2015, Journal of the Professional Lawyer, vol. 33, 2015.]

BYOD Benefits

Both CPA firms and their employees benefit from BYOD due to the flexibility it offers in terms of work hours and locations. Firms see higher job satisfaction and greater productivity from employees due to the flexibility in terms of both time of work and location of work. Auditors who travel are free from the distractions and responsibilities of home tend to work extra hours in their hotel rooms. BYOD also improves communications and response times within the organization and with clients. Firms can offer BYOD devices as employee fringe benefits—thus, serving as an attractive recruiting tool. Employees benefit by not having to carry multiple devices.

Due its many benefits, BYOD use is widespread and growing. A 2018 survey shows that 85% of enterprises allow employees to access data from personal devices (James Sanders, “85% of Enterprises Allow Employees to Access Data from Personal Devices, Security Risks Abound,” TechRepublic, November 20, 2018, https://tek.io/3cjlFlO). BYOD programs are not limited to smaller companies. Intel Corporation, for example, has close to 10,000 officially sanctioned devices (Ronald E. Miller, and Varga J., Benefits of Enabling Personal Handheld Devices in the Enterprise, Intel white paper, 2011, https://intel.ly/3ccZBZQ). Actual BYOD usage is likely higher, since employees often use unsanctioned personal devices. For example, 36% of employees admit ignoring organizational policies and using devices they feel are suitable (J. Harris, Ives B., and Junglas I., “IT Consumerization: When Gadgets Turn into Enterprise IT Tools,” MIS Quarterly Executive, vol. 11, no. 3, pp. 99-112, 2012, https://bit.ly/3Pts3VO). CPA firms that embrace BYOD can better engage their workforce and offer better service to clients (Claus Thorsgaard, “Why Accounting Practices Should Be Encouraging a BYOD Culture,” CPA Practice Advisor, Oct. 5, 2012). Management at CPA firms who recognize these benefits has fully embraced BYOD (Ellen Messmer, “How BYOD Has Changed the IT Landscape,” Network World, Sept. 5, 2012, https://bit.ly/3PvCbNx).

BYOD Risks

BYOD brings many challenges and risks. Security experts sometimes even characterize BYOD as “Bring Your Own Disaster.” These risks are exacerbated when CPA firms are oblivious to them. BYOD-related information security risks are a strategically pertinent issue for CPA firms. Problems could arise from integration with existing technology, device support, and increased exposure. Because employees tend to work from home using BYOD devices, it may also increase employee stress and burnout. Firms’ main concern, however, is information security. Exhibit 1 lists some common risks.

Exhibit 1: Eight Mobile Device Risks

• Mobile Devices often not password protected.
• Two-factor authentication (2FA) is not always used.
• Unencrypted wireless transmissions
• Mobile devices may contain malware.
• Devices might not have security software installed.
• Operating systems or software not updated.
• Mobile devices often do not limit internet connections.
• Unauthorized modifications to devices

Source: “10 Common Mobile Security Problems to Attack,” by Michael Cooney, Sept. 21, 2012, Network World, https://bit.ly/3ALU1rH

BYOD employees have access to the firm’s technology from anywhere 24/7. This essentially extends the company’s network to the world and exposes CPA firms to risks related to client, employee, or firm data. Incidents of lost, stolen, hacked, or improperly discarded BYOD devices are common. Criminals used to sell stolen laptops, but have now realized the value of data. It is much easier for hackers to conduct a data breach with a stolen device than actually hack into network or database. Consequently, stolen laptops account for 45% of healthcare data breaches. One-quarter of bank data breaches in the United Kingdom were due to lost phones and laptops (https://bit.ly/3yAMEk6); only 20% were due to hacking. The technology research firm Gartner found that a laptop is stolen every 53 seconds. Ponemon Institute reports that over 12,000 laptops are lost at airports; only 30% these are ever reclaimed. This creates confidentiality, competency, legal, and reputational challenges for CPA firms. The cost of a data breach can ruin a small CPA firm. Globally, the average cost of a data breach has risen to $3.92 million. The United States, however, has the highest average cost of $7.19 million per data breach (Forbes and Statistica).

Security could be compromised due to social media use or open-access Wi-Fi hot-spots. Team members who are in the field are particularly susceptible. IT departments may not control or have regular access to these devices; hence, operating systems, patches, and anti-virus updates to these devices may be delayed. Moreover, most individuals have poor habits when it comes to updating devices. A malware infection often becomes a launching pad for an attack on the firm’s network that can compromise sensitive data.

Organizations that provide devices will likely have policies on acceptable use, but this may not be the case when employees use their own devices. Unfortunately, usage policies may not be easy to enforce. For example, it is difficult to monitor or prevent employees from accessing social media, or loaning devices to family and friends. Something as simple as posting that “selfie” on social media at a client’s location may reveal a client’s identity, location, or confidential project information. CPA firms also have relatively high employee turnover, which creates unique security challenges. When employees leave, they could take their personal device along with firm and client data, as well as communications.

BYOD may also expose employees’ personal data (e.g., family pictures, health, sexual orientation) to the firm. In order to make sure that an employer does not suffer legal ramifications for wiping an employee’s personal device, the employer must have a BYOD policy that specifies the right to wipe the device. In 2014, a Texas employer wiped an employee’s personal phone, resulting in the loss of all personal data. The employee sued under various laws, including the Electronic Communications Privacy Act, but the court found that the employer had no liability. [See Rajaee v. Design Tech. Homes, LTD, 2014 WL 5878477, U.S Dist. Crt., S.D. Texas (2014). Note that this decision focused on the definition of “storage facility” and said a phone does not fit that definition, but storage on a cloud service could be different.] Internationally, remote wipes and monitoring personal devices might be illegal; hence, firms with international offices need to consult with local attorneys.

BYOD use risks compromising client data. CPA firms are at significant risk of unknowingly violating SOC 3 of the Information Systems Audit and Control Association (ISACA)/AICPA assurance framework. SOC 3 specifically requires maintaining “effective controls over its system with respect to security, availability, processing integrity, confidentiality, or privacy” (AICPA Guide, “Reporting on an Examination on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” p. 7, Jan. 1, 2017). A violation of SOC 3, such as exposure or loss of client information to third parties, exposes both firms and individual CPAs to legal, regulatory, and reputational consequences. Moreover, impairment of a firm’s reputation due to mishandling client data could also result in financial losses to the firm if clients decide to drop the firm.

Once a firm suffers a data breach it is only a matter of time before the legal claims start. A breach of data from an employee BYOD device is deemed the employer’s responsibility. This is particularly true under the California Consumer Privacy Act (CCPA, Cal. Civ. Code sections 1798.100-1798.199) of 2018 or the European Union’s General Data Protection Regulation [GDPR, Regulation (EU) 2016/679]. The CCPA became effective January 1, 2020, and applies to firms that do business in California and have gross revenues greater than $25 million. Personal information that directly or indirectly identify an individual consumer or household cannot be disclosed. The CCPA provides a “private right of battle,” but the company does have a 30-day period to cure the violation, if possible. The consumer may be entitled to actual damages or statutory damages ranging from $100 to $750 per incident. The California Attorney General also has a right to sue for civil penalties from $2,500 to $7,500 per violation. The EU’s GDPR that took effect on May 25, 2018, could also apply. This regulation is broader than the California regulation and applies to any business established in the EU that processes personal data, regardless of whether the process takes place in the EU or the business is not established in the EU, but processes personal data in connection with offering services in the EU. It is substantially similar to what the California legislation protects. The GDPR establishes a private cause of action for damages, and does not limit it to a specific monetary amount. An administrative fine may reach €20 million or 4% of annual global revenue, whichever is greater. For example, in the same week in July 2019, the U.K. Information Commissioner’s Office issued a GDPR fine against the Marriott group for $123 million and a larger $230 million fine against British Airways.

Professional Responsibilities

CPA firms must comply with both AICPA confidentiality and competency rules. Competency requires auditors to have a basic understanding of technology risks, and to guard against breaches that disclose confidential information. The rules specify both technical (e.g., security updates) and behavioral aspects (e.g., not allowing others to use the device, not logging into unsecured Wi-Fi networks) to protect confidentiality. The challenge is using technology without breaching confidentiality and competency standards. There has been a dramatic increase in successful data breaches at law firms, CPA firms, and healthcare providers, all of which can compromise sensitive client information regarding healthcare, tax, matrimonial, personal injury, and corporate litigation (Mike McCartney, “Law Firms & CPA Firms are Targets of Computer Hackers,” July 26, 2016, https://bit.ly/3OdsP85). Mobile devices are easy targets for cyber-criminals (Madison Marriage, “Accounting Group Deloitte Hit with Cyber Attack,” Financial Times, Sept. 25, 2017).

BYOD risks are especially pertinent for small and mid-sized CPA firms that lack adequate safeguards and the resources to mitigate or to respond to these risks. To assess the prevalence of BYOD use, the authors conducted a survey of small to mid-sized CPA firms in the Midwest. The goals was to ascertain the following: 1) respondents’ knowledge about these risks, 2) how these devices are managed, and 3) BYOD policies that govern their use. The 21 respondents consisted of 6 partners, 2 directors, and other senior members of CPA firms. (Exhibit 2 summarizes the survey results.) Some firm partners were not even aware of the abbreviation BYOD, and had not given any thought to the possible risks of BYOD, let alone have a BYOD policy. This became alarmingly evident in an e-mail from one respondent:

I have received several emails about your “bring your own devices” survey. While I try to be helpful and participate in surveys, I am simply confused about the topic. I don’t understand what the survey and bring your own devices means!

If you can explain what the concern about “bring your own devices” is, maybe, I can offer some thoughts.

Exhibit 2: Survey Poll of CPA Firms

• 67% Small or midsize CPA firms
• 42% Firms work with publicly listed clients
• 67% Subcontract for other CPA firms
• 75% Subcontract to other firms without any verification of a BYOD safeguards
• 60% Firms had a formal or informal BYOD policy (only 45% had a formal written BYOD policy)
• When a policy was in place, it comprised generic and boilerplate language and lacked specific guidelines
• Only 30% of the firms with a policy monitor or periodically review it
• Only 35% were satisfied that their policy clearly defined appropriate BYOD behavior and guidelines
• Only 57% of BYOD devices had installed remote security applications that can remotely lock or erase lost or stolen devices
• Only 54% of the firms had enabled remote wiping (to the extent permitted by law)
• Only 30% affirmed that their devices blocked access to “blacklisted” sites or applications
• Only half of the firms with BYOD programs had an inventory of devices
• Monitoring and enforcement of BYOD programs was generally weak

CPA Alliance Networks

The authors initially anticipated that this risk would be limited to smaller regional and local firms, but found that larger international CPA firms may also be susceptible to BYOD risks. These risks often exist because large international CPA firms partner with many smaller regional CPA firms via “alliance networks.” These network partners benefit by gaining access to resources and tools such as audit, tax, technical expertise, technology support, CPE training programs, courses, industry-specific resources, and networking opportunities. The larger firms can assign regional fieldwork to their alliance partners. Furthermore, large firms benefit from alliance partner referrals for larger or more complex clients. These alliance partnerships are an overlooked risk area for CPA firms.

According to the BDO’s Alliance webpage, BDO Alliance USA has “the industry’s largest associations of accounting, consulting, and professional service firms” (https://bit.ly/3cr9HWZ). BDO notes that these members are fully autonomous and independent. RSM established its Alliance Network in 1988. RSM proclaims that its US Alliance “is a premier affiliation of independent accounting and consulting firms” and that “membership in RSM US Alliance gives you access to the reach and resources of a national firm while allowing you to maintain your independence and entrepreneurial culture.” Similar to BDO, RSM also emphasizes its member firms “are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US Alliance is a business of RSM US LLP” (https://rsm.us/3aMbLc0). Although BDO and RSM are seemingly legally protected, the negative reputational effects of being “in alliance” with a firm facing BYOD failure can vicariously impact BDO and RSM. It is worrisome that there is no formal review or vetting of potential alliance partners regarding BYOD use and controls (i.e., BYOD policy).

Recent Device Thefts

• March 26, 2019: A Seattle University employee lost an unencrypted laptop containing information (including SSNs) of more than 2,000 current and former faculty, staff, and their dependents.
• April 2019: Washington State University agreed to pay up to $4.7 million in cash as damages for a lost hard drive that contained medical files of over 1 million patients.
• September 2019: Telecommunication firm Eir announced that it faces 22 (and counting) legal actions under General Data Protection Regulation (GDPR), stemming from a lost laptop with details of 37,000 customers.
• May 24, 2019: A Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) employee taking public transit lost a laptop containing Health Insurance Portability and Accountability Act (HIPPA)-protected personal and medical records.
• June 18, 2018: The University of Michigan School of Medicine announced that an employee laptop containing patient information was stolen from the employee’s car.
• May 9, 2018: A manager with the Northwest Territories of Canada’s Health Department reported her unencrypted laptop stolen from her car. The laptop contained health information from the entire territory’s population.
• November 21, 2018: The laptop manufacturer Lenovo issued a notice warning its employees to watch for unusual activity in their bank accounts since an employee lost an unencrypted laptop containing employee names, salary information, and account numbers.
• November 2, 2017: West Virginia–based Coplin Health Systems discovered the theft of a laptop from an employee’s car. The laptop contained 43,000 patient names, Social Security numbers, financial information, addresses, dates of birth, and medical data.
• January 2017: Puerto Rico–based MAPRE Life Insurance announced their settlement theft of an unencrypted USB drive containing patient data.
• March 2016: North Memorial Health Care of Minnesota announced a $1.55 million settlement for theft of an unencrypted laptop from a vehicle.
• February 2016: A laptop with sensitive data from almost 5 million patients was stolen from a Washington State federal building.

Adopting a BYOD Policy

A comprehensive BYOD policy needs to consider controls that include preventative, detective, and corrective measures. It should also set expectations for all employees. The policy needs to be clear, understandable, comprehensive, and enforced. In creating a policy, a CPA firm needs to consider taking several steps (see Sample BYOD Policy Template, https://bit.ly/3v2pbY1):

• Specify sanctioned platforms, devices, and applications permitted (Jill Duffy, “The Dos and Don’ts of BYOD,” PC Magazine, October 13, 2014, https://bit.ly/3IO4VPG; Jonathan Hassell, “7 Tips for Establishing a Successful BYOD Policy,” CIO, May 17, 2012, https://bit.ly/3zhZJQM)
• Specify the ownership of the data
• Adopt a password-protected screen lock for idle devices
• Require management permission to add firm owned data to personal devices
• Draft a protocol for lost or stolen devices
• Secure device owners’ consent to having data wiped in the event of loss or theft to protect the data
• Use malware protection and a firewall at all times
• Provide guidance on physically securing mobile devices (e.g., never leave devices unattended)
• Restrict back up or copying data from the device to non-company equipment (501 Commons, “Security Policies for Mobile Devices,” 2012, https://bit.ly/3zfi-AMv)
• Employ language on how the policy will be enforced (e.g., a statement such as “Users found in violation of this policy will be subject to disciplinary action up to and including suspension of mobile computing privileges or termination of employment”)
• Require employee signatures acknowledging their understanding and acceptance of the policy.

The best-constructed policy is ineffective without proper employee education and training. Hence, management must review the BYOD policy with new staff and provide regular updates to all staff.

Best Practices

BYOD opens the door to various devices and platforms being used by employees (e.g., iOS, Windows, Android, ChromeOS, macOS). This creates challenges for network administrators. An integral part of a BYOD program and policy is Mobile Device Management (MDM). A proper MDM system can help solve some BYOD-related problems. MDM software enables an organization to have greater control over the devices and mitigates the risk to the organization. MDM enables an employer to lock or wipe device data. This can also be a downside of MDM, because data might include employee personal data (e.g., family pictures, downloaded files, messages, music, health data, games). Hence, it is important that employers inform BYOD employees about this capability and obtain employee consent to wipe the device. Exhibit 3 lists some best practices.

Exhibit 3: Mobile Device Management (MDM) Best Practices

• MDM software should support the organization’s mobile operating and cloud-based systems.
• Operating systems should be limited to one or two options.
• MDM software must be compatible with common security platforms [Mobile Device Management (MDM): What it is and why it matters (2015)].
• Offer employee education on acceptable usage (forbidden applications or activities that might infect the device).
• Enforce mandatory password protection and data encryption.
• Activate remote device lock and wipe in case a device is lost or stolen.
• Install jailbreak and root protection that restricts employees from bypassing controls.
• Create enterprise app stores where employees can download vetted applications.
• Whitelist applications not available on the enterprise app store.
• Blacklist applications to keep malicious applications off of mobile devices.
• Configure application security within the application wrapping section, which makes applications secure by disabling functions like copy and paste.
• Security-wipe corporate data when an employee leaves the organization or changes their role, without affecting the user’s personal data on the machine.
• Set up remote configuration to control security, applications, and other configurations.
• Maintain an inventory of devices and software installed that enables IT to alert users of problems.

All employees (BOYD and non-BYOD) should receive training and guidance on BYOD use and BYOD firm policies. A good MDM system should always accompany BYOD implementation. To mitigate BYOD risks, CPA firms must develop a comprehensive BYOD policy with an integrated MDM system.

Ruwan Adikaram, , PhD is an assistant professor in the department of accounting and finance at the University of Minnesota Duluth.

Roger Reinsch, , JD is a professor of business law at the University of Minnesota Duluth.

Alan C. Roline, , JD is a professor of business law at the University of Minnesota Duluth.