Managing the Risks of Bring Your Own Device Policies
The expansion of Bring Your Own Device (BYOD) practices was the hot trend in IT circles just a few years ago. According to a 2014 TechPro Research Survey, 74% of employers allowed employees to use their own mobile devices for work or planned to permit use within 12 months. BYOD was often seen as a win-win that allowed employees greater freedom while reducing the burden on IT resources. But new risks to company data and employee privacy have caused some to abandon BYOD. If your company allows BYOD or is considering the move, a thoughtful written policy is an absolute must.
Benefits and Risks of BYOD
Whether they want the brand-new device or prefer the familiar, employees appreciate the freedom to select their own technology. BYOD also simplifies life – because who really wants to carry two phones? Employers see the benefits in better morale, increased productivity, and lower costs. On the other side of the coin, with recent very public data breaches at companies like Target and Boeing, data security is on the mind of every employer (or it should be). If an employee’s device is lost or stolen, how will company data be protected? And how much control does an employer have if it suspects that the device contains information relevant to an investigation or lawsuit? These are questions that should be answered in a written BYOD Policy that is presented to and signed by every employee.
Creating the Written BYOD Policy
A BYOD Policy serves two primary goals: it outlines the employee’s responsibilities to protect company data, and it provides notice of the employer’s right to access the device in an investigation. The policy should address the following topics:
- Payment Terms: Who will be responsible for the cost of the device, monthly fees, and insurance? Typically, the employee pays all costs. The employer may choose to pay a small stipend, often toward a data plan that will allow the employee access to company email.
- Supported Devices: What devices may be used? IT will need to ensure that employee devices are supported on the company network and compatible with email services.
- Acceptable Use: What company data and resources will be accessible on personal devices? Email and calendars are by far the most common, but they can be windows to extremely sensitive data. Will your company allow employees to transfer a full Contact List to their personal cellphones? What happens when the employee leaves the company but still has access to the contact information for every customer? Employees should only be granted access to information that they need to perform their job duties.
- Required Security: Every mobile device should be secured by a password or passcode that must be entered every time the device is accessed. Other security measures include automatic device locks (timeouts) and additional passwords for sensitive resources.
- Retired and Lost Devices: When an employee leaves the company, IT should confirm that access to company resources has been disabled. When a device is lost or stolen, it should be remotely locked and its access to company resources disabled. Resist the urge to remotely wipe the device without the employee’s consent, since a wipe also destroys the employee’s private data. Imagine wiping all of your employee’s new baby photos!
- Right to Access and Monitor: Under what circumstances may the employer demand access to the device? Many policies state that the employee must permit access for any purpose and the employer may monitor any communications. Courts have been skeptical of such broad consent. Instead, the employer should have a legitimate business reason for any access or monitoring. Because many resources (such as email) can be accessed through the company’s servers, access to the employee device should be limited to data that is best viewed locally, such as text messages.
Management and Enforcement
A written policy is only as good as its implementation. Timeliness is next to godliness when company data is compromised, so it is important that IT and management are ready to implement the policy whenever an employee leaves the company, a device is lost, or data must be collected for an ongoing investigation. With the rise of flexible work arrangements and the quick pace of technological changes, proper risk management and policy guidelines must be in place to ensure that BYOD is a positive way for employees and employers to use technology effectively in the workplace.
Josh writes regularly on tech law topics, and his work has been cited in the Iowa Defense Counsel Association’s Defense Update, Depaul Law Review, Privacy and Data Protection in Business, and The Oxford Handbook of Internet Studies.