Organisations implementing bring-your-own-device (BYOD) initiatives often forget to consider if their software licence agreements are broad enough to cover devices under their programs, according to a technology lawyer.

Speaking at the CIO Summit in Melbourne on Tuesday, Arvind Dixit, senior associate at Corrs Chambers Westgarth, claimed this is one of the most "common pitfalls" when implementing BYOD programs.

Some companies are also failing to determine if their employees have sufficient rights to use applications on their personal devices for commercial purposes.

"You need to review your licensing arrangements to ensure that the use of BYOD technologies is not going to breach the licensing arrangements that you have in place with third parties," Dixit told attendees.

"Obviously the aim here is trying to avoid exceeding the scope of your existing licences so that you don't get hit with a large bill down the track."

Dixit said that organisations must determine if existing agreements allow for use of the software on devices that aren't owned by the company.

"This might impact on which applications you decide to make available as part of your BYOD program," he said. "Economically, it might make sense to make your email applications available but not your document management or customer relationship management systems as a result of licensing restrictions."

IT departments also need to consider the nature of the licence for the software that runs the BYOD program inside their organisations, he said.

"Is it [the software] limited to one device per user or can a single user have multiple devices?" he asked.

"The latter is preferable so I can keep my phone, laptop and iPad [connected] to the [network]. But that's not always the base position because it makes it difficult for vendors to manage security threats."

Risk of copyright infringement

Dixit warned that if employees don't have the right to use software on their personal devices for work purposes, their employer could be exposed to potential copyright infringement claims by allowing staff to use software without the appropriate licences.

"The way to minimise this risk is to make sure that your [BYOD] policy doesn't permit employees to use software that they have purchased or downloaded for personal use for the purpose of performing work for your organisation."

Mitigating security and support risks

According to Dixit, employees will work out ways to circumvent security measures around BYOD regardless of whether their employer has a formal BYOD program in place.

"This inherently exposes your organisation to a risk profile without you even knowing it," he said. "[BYOD] policies give you the tools you need to take appropriate steps if issues arise around data security and loss."

He said BYOD policies need to outline security measures ranging from how security breaches will be managed and whether the organisation can remotely wipe all corporate data from a personal device, down to how many password attempts should be allowed before access is blocked.

"An employee also needs to be aware that by bringing their device and logging into the corporate network they are accepting a level of risk which they might not otherwise take on board," he said.

He said a BYOD policy needs to articulate clearly how liability is apportioned between the individual and the company.

"For example, who will be responsible for lost or stolen devices and who is responsible in the case of malware or virus attacks?"

Dixit also told attendees that device support is "probably one of the most problematic areas" because the expectations of the employee and the employer when it comes to supporting BYOD devices are often "wildly different."

He said organisations need to determine whether IT staff are responsible for connecting each employee's device to the network and supporting that device if something goes wrong.

"There's no real fixed answer to these questions under the law and it may be different from organisation to organisation," he said.

"The important thing to keep in mind is that you have to think through these issues and cover them off in your policy so there's no ambiguity down the track if one of these issues arises."