BYOD vs COPE or Two Sides of the Same Coin?

06
Jan
2013

Jeffrey Brandt

In the beginning things were simple.  Law firms used the Henry Ford approach to mobile devices, "You can have any color as long as it's black."  There was one model BlackBerry on one service provider and you had to justify your worth to have the device.  The device did one thing and it did it well.  The law firm paid for the device and the data service.  Things progressed to multiple BlackBerry models on multiple carriers with both voice and data services.  Options for who paid what and what was reimbursed started to appear.  Additional applications and features converged to make smart phones.  Companies like Good came along to muddy the waters.  Then this guy named Steve Jobs had some revolutionary visions on how mobile technology should work.  More and more piled on and today we have a consumer revolution called BYOD.

 There has been much written about the adoption across the business world of BYOD.  This is true of legal as well.  Law firms have rushed in to support the lawyers and the latest iPhone, iPad and Android devices.  Based on conversations I've had with some of my fellow CIOs, I know that IT has been forced to yield to the partner pressure of BYOD.  The result is that in many law firms mobile security has taken a step backwards.  But that is a subject for a future article. 

What I find interesting is that while I have seen corporate articles about COPE, I've seen none about COPE in legal.  This surprises me as many law firms have been employing COPE almost since the first personal computers were deployed.  COPE can be considered an antimatter twin of sorts to BYOD.  BYOD, as we are all familiar with, stands for "Bring Your Own Device." COPE, on the other hand, stands for "Corporate Owned, Personally Enabled."

When personal computers were first installed, law firms generally went in two philosophical directions with either "open" or "closed" desktops.  Users with "open" systems had the ability to install any of their own personal software.  Most firms saw a huge spike in support costs as software conflicts and instability rose.  They also had significant issues tracking the legitimacy of the installed software.  Many who started "open" then opted to "close" the desktop.  The "closed" desktop didn't allow any changes or new software to be added, except by IT.  As laptops proliferated, some firms offered lawyers an option.  If they presented a business need for a personal piece of software, then IT would install the needed software.  In effect, this was COPE in action.

So which is better, COPE or BYOD? Is it six of one, half dozen of the other?  Is it simply a matter of perspective or philosophy? As with most things, there is no easy answer, it all depends on the details.  And any mobile program for a law firm has many, MANY details.  It is also important to note that not all BYOD or COPE programs are created equal.  Either approach, implemented correctly, can work for both the user and the law firm. 

On the surface, the advantages of BYOD might seem to be a divestiture of capital and operating expenses.  But if you, like many firms, reimburse monthly costs or provide a device technology allowance, then these advantages become far less clear.  It's not like the costs suddenly evaporate either, they just get shifted to the user.  Not all users are willing to shoulder that burden. With hundreds or thousands of devices, corporations can usually negotiate far better group wireless contracts, with steeper discounts, than the average consumer can.  So a COPE approach can be less costly on a monthly basis.  Enter the family plan, where there are six devices sharing voice and data.  How much usage was attorney time reviewing the client PDFs?  How much usage was family members playing Angry Birds Star Wars or updating Facebook?  Depending on your specific policy, you can end up reimbursing for non-firm related usage or paying retail rates. 

Another huge plus of BYOD is choice of device.  But the internal cost of supporting all mobile devices ever made and all those that will be made is quite high. Being able to identify and remediate vulnerabilities on so many different devices is a gargantuan task.  It takes staffing and training to do properly.  Any single hardware device is cable of running multiple iterations of the operating system, each with its own unique security issues.  Taking the attitude that the end user can and will be responsible for keeping the device current is not feasible for a multitude of reasons.  What if a forced OS upgrade breaks a user’s favorite personal app? As a result of the support issues, many firms have a sort of BYOD light program - you can choose from a select list of supported devices.  That is not too different from a lot of corporate COPE programs I know of, where users choose from a list of devices.

Device ownership also sets up a significant set of privacy, legal and HR issues. Generalizing, in the U.S. there is not much of a distinction (yet).  Internationally, you can do almost anything you want with a COPE device, and very little with a BYOD.  With COPE you can retain control over the phone number after the employee leaves.  That can be a significant issue for client contact.  While managing hundreds or thousands of voice and data contracts and their expiration periods are not an advantage for COPE, it really just means more entries in a good asset management database.

Unfortunately, BYOD is breeding BYOS or "Bring Your Own Software" and so management of the devices is critical.    If your firm policy states, "No use of Dropbox," then you must have the ability to monitor and enforce it. Dropbox can be a lot easier to use than an enterprise document management system and users tend to take the path of least resistance.  If you make BYOD submit to the corporate management tools, then is it all that different from COPE?  Things get really complicated if a user claims to use Dropbox for "personal" use.  How do you ensure no client materials end up there?  But again, reconfiguring law firm data security and UI/UX issues are topics for other articles.

There is nothing wrong with BYOD.  The issue I have with BYOD is really in the way that some firms have gone about implementing it.  In embracing BYOD some seemed to have embraced an attitude of "not my problem" when it comes to security and management of that device.  BYOD does not absolve the firm or IT of their responsibilities.  I think that both BYOD and COPE can work.  I think the two programs can work in concert with each other.  Either approach is only as good as the policies which govern it.  Which is "better" may come down to an analysis of the specific firm culture, policies and economics. Ultimately it must be a realistic balance of security, ease of use/access and control.  Education is incredibly important under either scenario.  Let me shorten that up and say it again, "Education is incredibly important!"  Whether the device is owned by the user or enabled by the firm, the range of things you can do has geometrically increased.  Users need to know the things they should and should NOT be doing.  Today the onus is much higher on the user.

On the surface, aspects of BYOD and COPE can look similar.  This was not meant to be an exhaustive list of the pros or cons for either side of the argument, but an overview.  What do you think?  Is BYOD the way to go?  Is your program a true BYOD?  Is it a COPE?  A mixture of the two?  Or is it something else altogether?