In the realm of information technology, “Bring Your Own Device” (BYOD) is the practice of allowing employees to use personal technology devices such as laptops and smartphones for work purposes. In one form of BYOD, employees use personal devices at work or at off-site locations (client sites). In the other form of BYOD, organizations provide devices that employees also use for personal purposes outside of work (Richard Oliver, “Why the BYOD Boom is Changing How we Think About Business IT,” Engineering Technology, vol. 7, no. 28, November 2012). The common theme in both forms is that these devices are used for both work and personal tasks, which blurs the line between personal and official use. This dual use means that these devices share software, data, applications, and cloud services, and connect to networks at home, at work, or anywhere else. Although BYOD offers many benefits, CPA firms should also be cognizant of BYOD risks. [See, for example, Steven M. Puiszis, “Can’t Live With Them, Can’t Live Without Them—The Ethical and Risk Management Issues For Law Firms That Adopt A ‘BYOD’ Approach to Mobile Technology,” Journal of the Professional Lawyer, vol. 33, 2015.]
Both CPA firms and their employees benefit from BYOD due to the flexibility it offers in terms of work hours and locations. Firms see higher job satisfaction and greater productivity from employees because of this flexibility in both the time and the place of work. Auditors who travel are free from the distractions and responsibilities of home and tend to work extra hours in their hotel rooms. BYOD also improves communications and response times within the organization and with clients. Firms can offer BYOD devices as employee fringe benefits—thus, serving as an attractive recruiting tool. Employees benefit by not having to carry multiple devices.
Due to its many benefits, BYOD use is widespread and growing. A 2018 survey shows that 85% of enterprises allow employees to access data from personal devices (James Sanders, “85% of Enterprises Allow Employees to Access Data from Personal Devices, Security Risks Abound,” TechRepublic, November 20, 2018, https://tek.io/3cjlFlO). BYOD programs are not limited to smaller companies. Intel Corporation, for example, has close to 10,000 officially sanctioned devices (Ronald E. Miller and J. Varga, Benefits of Enabling Personal Handheld Devices in the Enterprise, Intel white paper, 2011, https://intel.ly/3ccZBZQ). Actual BYOD usage is likely higher, since employees often use unsanctioned personal devices. For example, 36% of employees admit ignoring organizational policies and using devices they feel are suitable (J. Harris, B. Ives, and I. Junglas, “IT Consumerization: When Gadgets Turn into Enterprise IT Tools,” MIS Quarterly Executive, vol. 11, no. 3, pp. 99-112, 2012, https://bit.ly/3Pts3VO). CPA firms that embrace BYOD can better engage their workforce and offer better service to clients (Claus Thorsgaard, “Why Accounting Practices Should Be Encouraging a BYOD Culture,” CPA Practice Advisor, Oct. 5, 2012). Management at CPA firms that recognize these benefits has fully embraced BYOD (Ellen Messmer, “How BYOD Has Changed the IT Landscape,” Network World, Sept. 5, 2012, https://bit.ly/3PvCbNx).
BYOD brings many challenges and risks. Security experts sometimes even characterize BYOD as “Bring Your Own Disaster.” These risks are exacerbated when CPA firms are oblivious to them. BYOD-related information security risks are a strategically pertinent issue for CPA firms. Problems could arise from integration with existing technology, device support, and increased exposure. Because employees tend to work from home using BYOD devices, it may also increase employee stress and burnout. Firms’ main concern, however, is information security. Exhibit 1 lists some common risks.
Exhibit 1: Eight Mobile Device Risks
- Mobile devices are often not password protected.
- Two-factor authentication (2FA) is not always used.
- Wireless transmissions are unencrypted.
- Mobile devices may contain malware.
- Devices might not have security software installed.
- Operating systems or software are not updated.
- Mobile devices often do not limit internet connections.
- Devices are modified without authorization.
Source: Michael Cooney, “10 Common Mobile Security Problems to Attack,” Network World, Sept. 21, 2012, https://bit.ly/3ALU1rH
BYOD employees have access to the firm’s technology from anywhere, 24/7. This essentially extends the company’s network to the world and exposes CPA firms to risks related to client, employee, or firm data. Incidents of lost, stolen, hacked, or improperly discarded BYOD devices are common. Criminals used to sell stolen laptops, but have now realized the value of the data on them. It is much easier for hackers to conduct a data breach with a stolen device than to actually hack into a network or database. Consequently, stolen laptops account for 45% of healthcare data breaches. One-quarter of bank data breaches in the United Kingdom were due to lost phones and laptops (https://bit.ly/3yAMEk6); only 20% were due to hacking. The technology research firm Gartner found that a laptop is stolen every 53 seconds. Ponemon Institute reports that over 12,000 laptops are lost at airports; only 30% of these are ever reclaimed. This creates confidentiality, competency, legal, and reputational challenges for CPA firms. The cost of a data breach can ruin a small CPA firm. Globally, the average cost of a data breach has risen to $3.92 million. The United States, however, has the highest average cost, at $7.19 million per data breach (Forbes and Statista).
Security could be compromised due to social media use or open-access Wi-Fi hot-spots. Team members who are in the field are particularly susceptible. IT departments may not control or have regular access to these devices; hence, operating systems, patches, and anti-virus updates to these devices may be delayed. Moreover, most individuals have poor habits when it comes to updating devices. A malware infection often becomes a launching pad for an attack on the firm’s network that can compromise sensitive data.
Organizations that provide devices will likely have policies on acceptable use, but this may not be the case when employees use their own devices. Unfortunately, usage policies may not be easy to enforce. For example, it is difficult to monitor or prevent employees from accessing social media, or loaning devices to family and friends. Something as simple as posting that “selfie” on social media at a client’s location may reveal a client’s identity, location, or confidential project information. CPA firms also have relatively high employee turnover, which creates unique security challenges. When employees leave, they could take their personal device along with firm and client data, as well as communications.
BYOD may also expose employees’ personal data (e.g., family pictures, health information, sexual orientation) to the firm. In order to make sure that an employer does not suffer legal ramifications for wiping an employee’s personal device, the employer must have a BYOD policy that specifies the right to wipe the device. In 2014, a Texas employer wiped an employee’s personal phone, resulting in the loss of all personal data. The employee sued under various laws, including the Electronic Communications Privacy Act, but the court found that the employer had no liability. [See Rajaee v. Design Tech. Homes, Ltd., 2014 WL 5878477, U.S. Dist. Ct., S.D. Texas (2014). Note that this decision focused on the definition of “storage facility” and held that a phone does not fit that definition, but storage on a cloud service could be treated differently.] Internationally, remote wipes and monitoring of personal devices might be illegal; hence, firms with international offices need to consult with local attorneys.
BYOD use risks compromising client data. CPA firms are at significant risk of unknowingly violating SOC 3 of the Information Systems Audit and Control Association (ISACA)/AICPA assurance framework. SOC 3 specifically requires maintaining “effective controls over its system with respect to security, availability, processing integrity, confidentiality, or privacy” (AICPA Guide, “Reporting on an Examination on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” p. 7, Jan. 1, 2017). A violation of SOC 3, such as exposure or loss of client information to third parties, exposes both firms and individual CPAs to legal, regulatory, and reputational consequences. Moreover, impairment of a firm’s reputation due to mishandling client data could also result in financial losses to the firm if clients decide to drop the firm.
Once a firm suffers a data breach, it is only a matter of time before the legal claims start. A breach of data from an employee’s BYOD device is deemed the employer’s responsibility. This is particularly true under the California Consumer Privacy Act (CCPA, Cal. Civ. Code sections 1798.100-1798.199) of 2018 or the European Union’s General Data Protection Regulation [GDPR, Regulation (EU) 2016/679]. The CCPA became effective January 1, 2020, and applies to firms that do business in California and have gross revenues greater than $25 million. Personal information that directly or indirectly identifies an individual consumer or household cannot be disclosed. The CCPA provides a private right of action, but the company does have a 30-day period to cure the violation, if possible. The consumer may be entitled to actual damages or statutory damages ranging from $100 to $750 per incident. The California Attorney General also has a right to sue for civil penalties from $2,500 to $7,500 per violation. The EU’s GDPR, which took effect on May 25, 2018, could also apply. This regulation is broader than the California law: it applies to any business established in the EU that processes personal data, regardless of where the processing takes place, and to any business not established in the EU that processes personal data in connection with offering services in the EU. What it protects is substantially similar to what the California legislation protects. The GDPR establishes a private cause of action for damages and does not limit it to a specific monetary amount. An administrative fine may reach €20 million or 4% of annual global revenue, whichever is greater. For example, in the same week in July 2019, the U.K. Information Commissioner’s Office issued a GDPR fine against the Marriott group for $123 million and a larger $230 million fine against British Airways.
CPA firms must comply with both AICPA confidentiality and competency rules. Competency requires auditors to have a basic understanding of technology risks, and to guard against breaches that disclose confidential information. The rules specify both technical (e.g., security updates) and behavioral aspects (e.g., not allowing others to use the device, not logging into unsecured Wi-Fi networks) to protect confidentiality. The challenge is using technology without breaching confidentiality and competency standards. There has been a dramatic increase in successful data breaches at law firms, CPA firms, and healthcare providers, all of which can compromise sensitive client information regarding healthcare, tax, matrimonial, personal injury, and corporate litigation (Mike McCartney, “Law Firms & CPA Firms are Targets of Computer Hackers,” July 26, 2016, https://bit.ly/3OdsP85). Mobile devices are easy targets for cyber-criminals (Madison Marriage, “Accounting Group Deloitte Hit with Cyber Attack,” Financial Times, Sept. 25, 2017).
BYOD risks are especially pertinent for small and mid-sized CPA firms that lack adequate safeguards and the resources to mitigate or respond to these risks. To assess the prevalence of BYOD use, the authors conducted a survey of small to mid-sized CPA firms in the Midwest. The goal was to ascertain the following: 1) respondents’ knowledge about these risks, 2) how these devices are managed, and 3) the BYOD policies that govern their use. The 21 respondents consisted of 6 partners, 2 directors, and other senior members of CPA firms. (Exhibit 2 summarizes the survey results.) Some firm partners were not even aware of the abbreviation BYOD and had not given any thought to the possible risks of BYOD, let alone having a BYOD policy. This became alarmingly evident in an e-mail from one respondent:
I have received several emails about your “bring your own devices” survey. While I try to be helpful and participate in surveys, I am simply confused about the topic. I don’t understand what the survey and bring your own devices mean!
If you can explain what the concern about “bring your own devices” is, maybe, I can offer some thoughts.
Exhibit 2: Survey Poll of CPA Firms
- 67% were small or midsize CPA firms.
- 42% of firms work with publicly listed clients.
- 67% subcontract for other CPA firms.
- 75% subcontract to other firms without any verification of BYOD safeguards.
- 60% of firms had a formal or informal BYOD policy (only 45% had a formal written BYOD policy).
- When a policy was in place, it comprised generic, boilerplate language and lacked specific guidelines.
- Only 30% of the firms with a policy monitor or periodically review it.
- Only 35% were satisfied that their policy clearly defined appropriate BYOD behavior and guidelines.
- Only 57% of BYOD devices had remote security applications installed that can remotely lock or erase lost or stolen devices.
- Only 54% of the firms had enabled remote wiping (to the extent permitted by law).
- Only 30% affirmed that their devices blocked access to “blacklisted” sites or applications.
- Only half of the firms with BYOD programs had an inventory of devices.
- Monitoring and enforcement of BYOD programs was generally weak.