Bring Your Own Device (BYOD) Policies

Posted December 16, 2013 Company News

According to a Gallup study, approximately half of American adults own a smartphone. With the continuing popularity of personal devices, it should come as little surprise that employees are using their smartphones in conjunction with their job responsibilities. Various studies indicate that somewhere between one-third and one-half of employees use personal devices for work. As employees’ use of personal devices grows, many companies are adapting to this trend, allowing, encouraging and, in some cases, mandating the use of personal devices on the job.

Although a Bring Your Own Device (BYOD) policy offers many attractive qualities, several legal, financial, security and privacy considerations come with it. Your company should consider requiring a written and signed BYOD policy to protect itself from any risks associated with allowing employees to use personal devices for work.

What Is BYOD and Why Implement It?

“Bring Your Own Device” refers to the practice of allowing employees to use their own personal devices, usually smartphones, tablets or laptops, at and for work. The growing trend of BYOD is fueled by several factors, one of which is an effort to attract and retain new, younger employees who have a high level of familiarity with technology as well as preferences for which devices they use. Other reasons companies adopt BYOD include the potential for reducing costs, increasing productivity and enabling employees to work flexible hours and from remote locations.

Protect Your Company

Allowing employees to use personal devices for work offers various benefits. However, there are serious consequences if something goes wrong and your company is not protected with a written and signed BYOD policy.

Most issues stem from poor security on the device and thus unsecure company data. If you take insufficient steps or, worse, don’t do anything to protect your company’s information and interests, your data could become susceptible to unauthorized access in the real or cyber world. If your company does enact strict procedures for security without a written and signed policy, then you may be intruding on the privacy rights of your employees. Your company should consider the following when implementing a BYOD policy.

Lost or stolen device. When employees lose their smartphones or a device is stolen, company information is available to whoever now possesses the device. Companies can combat this security threat by remotely locking or wiping a device that is reported to be lost or stolen. Some companies may additionally obtain the ability to lock or wipe a device if a security warning is triggered, such as surpassing a limited number of password attempts. However, wiping the device will typically delete the employee’s personal data as well, including photos, games and contact lists. If employees have not been warned about and consented to the possibility of remote deletion, ill will and even lawsuits can ensue. To balance both company and employee interests, create a written policy on when, why, what and how deletion may occur.

Cloud storage. Another threat to company security is the probability that employees will use cloud storage systems to support or back up personal data on their devices. Company data can end up in the cloud alongside that personal data, placing potentially sensitive information in third-party hands. Set policies in place to limit backup processes that might inadvertently leak company information.

Unethical employees. When personal devices are being used to house company information both on and off the clock, theft and leaks can occur. Unethical employees have an easier path to stealing information when it is already on their personal devices. Sending information via text message, for example, is much more difficult for companies to track than the more traditional method of downloading information from a company computer onto an external drive. Establish guides for use and supervision of company resources in order to protect against theft.

Ex-employees. Similarly, ex-employees who have used personal devices for work can easily leave the company with information still on a smartphone or other device. Because the device belongs to the employee, the company cannot confiscate it at the time of employment termination. Various options, such as wiping the device, need to be agreed upon in a written policy in order to protect your company’s interests as well as to avoid violating the former employee’s rights.

Protecting personal information. Laws on both federal and state levels address protection of personally identifiable or sensitive personal information. Because of these laws and the penalties associated with noncompliance, it is imperative that proper safeguards be placed on employees’ use of personal devices that contain sensitive information. According to a study by Cisco, a computer networking company, 40 percent of American workers do not password-protect their smartphones, and 51 percent admit to connecting to unsecured wireless networks from a smartphone. The daily security habits of employees could result in data loss and violation of consumer privacy laws. Set up written guidelines for security measures that employees must take when they carry company information on their personal devices.

Get It in Writing

In order to protect your company from security breaches and privacy violations, require employees to sign a written BYOD policy. A written policy should outline general rules about device use and the rights and obligations of both employer and employee. It is important to maintain a balance between protecting company interests and respecting employees’ expectations for privacy. Anything that might be perceived as a violation of privacy must be clearly outlined.

Also, ensure that your BYOD guidelines are legally and reasonably enforceable. You may not be able to prohibit certain activities on an employee-owned device, but you can at least manage or limit undesirable behaviors. Further, it is essential that you enforce the policy consistently. A policy is only as good as the enforcement behind it, and if you do not require equal adherence from all employees, you could expose your company to discrimination lawsuits.

Following are a few specific elements of a solid BYOD policy:

  • Clearly state which devices are allowed under the BYOD policy.
  • Specify who owns what on the device; if your company retains the right to wipe the entire device, provide guidelines for how employees can back up personal data such as photos and contact lists.
  • Outline what information technology (IT) support will be provided to the employee.
  • Stipulate which apps are allowed and forbidden and determine how this will be enforced.
  • Set strict security procedures that include complex passwords in order to access the device.
  • Describe the process for removing company information from a device owned by an employee who is leaving the organization.
  • Integrate your current acceptable use policy into the BYOD policy.
  • Consult with your legal and IT departments as to the feasibility and reasonableness of suggested policies.

As with any widespread change in the workplace, BYOD brings both advantages and challenges to your company and employees. Implementing a written BYOD policy will help reduce some of the uncertainties and risks associated with this growing technological trend.

 

 


Please note that the information contained in this document is designed to provide authoritative and accurate information, in regard to the subject matter covered. However, it is not provided as legal or tax advice and no representation is made as to the sufficiency for your specific company’s needs. This document should be reviewed by your legal counsel or tax consultant before use.