The COVID-19 outbreak has seen a great many more people working from home, which in turn likely translates to an increased reliance on personal computers, tablets, phones or other devices. A recent program hosted as part of the 2020 American Association of Law Libraries Virtual Conference—"Bring Your Own Device: No Longer an Option"—looked at what that development meant for law firms, but what about corporate legal departments and their organizations?

To be sure, an influx of personal device use creates a unique challenge for companies attempting to safely maintain and account for the security of their data. Frank Gillman, a principal at Vertex Advisors Group, noted that a business rapidly expands the surface of its network when it brings personal devices into the mix. And the number of variables at play only increases from there.

"If I'm working from home, my kids might be on that same computer, my spouse. Who knows who is using these devices? … So much more data is potentially leaking because of shared use," Gillman said.

But the dangers that personal devices could pose for a corporation's legal department may be far more calculated. Tom Gann, chief government affairs officer at McAfee, indicated that legal departments tend to be attractive targets in the eyes of hackers due to the sensitive or confidential information they contain.

"When it comes to a legal department, I would assign some of the highest-level of security risk to those organizations," Gann said.

And the headaches that personal devices might bring to legal departments don't just stop with a breach. Gillman pointed out that an employee conducting work from their home computer might one day be involved in litigation against an employer. Corporate attorneys could find retrieving evidence or discovery material from a personal device more difficult than if it were a company laptop.

Gillman stressed the need for companies to account for these potential logistical and security issues proactively as networks continue to expand. "You have to look at how that impacts all your policies and adjust them accordingly," Gilman said.

But are companies following through on that prerogative? According to Susanna McDonald, vice president and chief legal officer of the Association of Corporate Counsel, she's heard that fellow ACC members are already making changes to their BYOD and work-from-home policies—but not indiscriminately.

"Policy changes are specific to a given employee's job. One size does not fit all," she said in an email.

For example, employees who regularly handle sensitive data as a function of their job may be provided with company-issued smartphones. "This option is safer than dealing with sensitive data through one's personal device," McDonald said. 

Other policy shifts may not be as heavily geared toward expensive equipment. Gillman said companies might configure networks to give employees limited access to certain data sets, granting them just enough time to complete an approved task before the window closes.

Meanwhile, Gann at McAfee stressed the value of training, a task that he suggested the corporate legal department could play a role in leading. Whatever preventative measures an organization chooses to deploy, he doesn't expect rolling back BYOD use entirely to be one of them.

"The cat is out of the bag and I don't see anyone putting it back in," Gann said.