As a result of the COVID-19 pandemic, remote access has now
become a lifeline for maintaining an organization’s ability to
conduct business. Consequently, “bring your own
device” (“BYOD”) policies should be top of mind for
both employers and employees. While different organizations will
approach BYOD from different perspectives, each and every
organization requires some form of BYOD strategy.
Organizations are now accepting BYOD as the new
“normal”. Some may fail, however, to appreciate the risks
that can arise with an employee’s use of their mobile
device. To address these risks, organizations should review
and update their remote access, security and other
policies in response to the increased use of personal mobile
devices that access an organization’s information technology.
Where there are no such policies and procedures, while not ideal,
now is the time to adopt procedures and policies governing the use
of personal mobile devices for work related activities.
It is important that while conducting these reviews, companies
not overlook the specific and unique IP risks that these personal
mobile devices and remote access present. To assist with a
company’s IP risk mitigation strategies, we have put together a
list of key considerations to address. The following is designed to
provide some suggestions and guidelines on how to strategically
manage and reduce the associated IP risks.

It’s Not Just About Email Anymore

Smart phones, tablets, PCs and laptops are now being used for
work in addition to personal uses. Common office software and
applications for word processing, spreadsheets and multi-media
presentations are being used to take work outside of the office. As
a result, employees may be using their own hardware and software,
in all likelihood purchased for personal use, for commercial use.
There is also the ability of the employee to create and disseminate
information outside of the normal protections of the workplace
(e.g. restricted access, firewalls, etc.). With employees being
able to create, use and disclose information across multiple
platforms, there are a number of IP ownership and disclosure issues
Software vendors tend to licence their products with a number of
price points and/or restrictions depending on the nature of the
licence. For example, the same word processing program may be
available under a student licence for $50, a home licence for $100,
a small business licence for $250 and an enterprise site licence
that allows for installation on 10 workstations for $5,000.
In each case, the licence will define the permitted uses of the
software. Any use of the software that is not permitted may be a
breach of the licence and an infringement of copyright. A breach of
a licence term between the employee and the software vendor may
also be of concern to the employer because, under provisions of the
Canadian Copyright Act, the employer may be
“authorizing” the employee to infringe.
Virtually every business will also produce, own, and use a wide
variety of assets and resources that are created internally and may
be protected as a trade secret and/or under IP legislation such as
the Canadian Copyright Act and Patent Act. These
assets can include software, marketing plans, databases,
instruction manuals, employee handbooks, audiovisual materials for
use in social media or traditional broadcast, web materials and
Employees may be creating, using and disseminating these
materials via their personal devices. In the BYOD environment,
therefore, company assets may be passing outside of the corporate
firewall and residing on the personal devices of employees or on
non-company servers. Cloud storage, for example,
provides a particularly efficient way for control over the
publication or dissemination of trade secrets to be lost.

What Are the IP Risks of Not Addressing These Concerns?

If an employee is doing work for their employer with their own
personal software that is licensed to that employee for
non-commercial activity, the employee is in breach of the
conditions of licence attached to the software and potentially
liable for copyright infringement. If the employer knows that the
employee is using a program on their personal device for
work-related tasks and also knows that this device is not covered
under their own licence for the software, the employer could be
found to have “authorized” the infringement. In Canada, a
software vendor could elect to recover statutory damages of between
$500 and $20,000 per work.
For copyrighted works (e.g. software), the first owner of
copyright on any material produced by an employee in the course of
their employment is, by default, the employer, regardless of
where and how that material was produced. There is one gap,
however, as this provision does not apply to independent
In the context of patentable inventions, the employee is more
akin to an independent contractor. Unless there is a written
agreement to the contrary or the employee is specifically hired to
invent, any invention developed by the employee is the property of
the employee and not the employer.
Beyond ownership issues, the ability of the employee to easily
disclose prematurely a patentable invention or other pieces of
confidential information of the employer can have a negative impact
on company assets. If an employee discloses the invention, then the
ability to obtain patent protection and any possible trade secret
protection may be lost. Just imagine what would happen to the owner
of the formula for a famous soft drink if it was disclosed via
As such, potentially important company assets may flow out of
the company’s hands as a result.

What Can Companies Do to Mitigate These IP Risks?

Companies should develop and implement clearly written and
easily accessible BYOD policies for the identification and
mitigation of potential IP risks. Once the policy has been
developed, it should then be incorporated into the company’s
daily business practices and procedures. Companies should also
endeavour to effectively communicate these policies to their
executives, employees and independent contractors. Once the policy
has been developed, it should be updated on a regular basis as
technology will likely change over time and may present new risks
that had not been considered previously.
With an effectively conceived and implemented policy, companies
can reduce the IP risks associated with BYOD. At a minimum, an
effective BYOD policy should address and provide for the
- Provide employees with appropriately licensed copies of
software if they are using their devices for business
- Require employees to submit their devices for periodic audits
and indicate when/how to report and track devices when in use, lost
- Establish clear guidelines for when and how devices may be
wiped (e.g. employee termination, lost or stolen device) and
when/how employees should back up personal data (e.g. photos,
music, videos, etc.);
- Define “acceptable use” from the company’s
perspective, develop a white list and a black list of approved and
prohibited software/apps and indicate whether technology will be
used to enforce such policies;
- Establish policies to explain and address confidentiality and
privacy concerns and the need for effective enforcement of
- Establish a security policy for all devices (e.g. password
logins, lock screens, etc.);
- Establish a recommended approach to content storage (cloud vs.
- Clarify ownership of any developed copyrighted works,
patentable inventions (e.g. particular software apps) or data and
provide for employees/contractors to execute written assignment
agreements to that effect.
Companies need to identify and manage the IP risks associated
with employees’ BYOD. By having effective IP risk management in
place, companies can avoid the potential losses, headaches and
costs associated with inappropriate use of ubiquitous mobile
devices (e.g. possible costs of “authorizing” IP
infringement claims). The costs of not providing effective IP risk
management tools are too great to ignore.
Originally published May 12, 2020