Many companies permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular with employees who want to use hand-picked devices and with employers that want to avoid the cost of providing and maintaining company-owned devices. Nonetheless, the use of company data on employee-owned devices implicates both security and privacy considerations.
Statistics cited in the original infographic (values not reproduced here):
- Percentage of employees that are given corporate-issued smartphones.[1]
- Percentage of companies that reported “security concerns” were the main inhibitor to full BYOD adoption.[2]
- Percentage of companies that offer BYOD to all employees.[3]
- Minutes per day that one study found employees waste using their mobile device for non-work activity.[4]
- Percentage of employees that reported they use their mobile devices to access websites blocked by their company.[5]
Consider the following when deciding upon a BYOD policy:
- Is the scope of your organization’s control over employees’ mobile devices consistent with the organization’s interest? Organizations should think about how much of an interest they have in knowing about their employees’ mobile devices. The company’s legitimate interest in information can be the basis from which a BYOD policy emerges. For example, if the organization simply wants to allow an employee to access work email on a mobile device, then the policies and restrictions should proceed with that focus.
- To what extent and for what purpose does the organization monitor employees’ use of mobile devices? Many servers create logs showing when an employee’s device accessed the organization’s server using certain authentication credentials. As security measures, such logs are often appropriate. To the extent that the organization wants to monitor more substantive actions by an employee on a mobile device, such monitoring should be in line with an appropriate purpose.
- What procedures are in place to restrict the transfer of data from the organization’s network by way of the mobile device? Organizations often protect against the risk that the organization’s data will be “floating” on multiple devices by (a) limiting the types of data accessible to mobile devices (e.g., email) and (b) restricting, to the extent possible, how that data can be used on the mobile device (e.g., policies on copying and requiring certain security settings). For example, some organizations use sandboxed applications for accessing work-related email. Such apps open email in a program that is separate and apart from the native email system built into the device, and they control aspects of the user’s experience. For example, they may prevent the user from locally saving any emails, or attachments, to the user’s device.
- For security purposes, does the organization require a minimum version of the operating system to be in place, and for that version to be fully patched, before an employee can use a mobile device? Minimum versions ensure that certain security protections and bug fixes are present on the device.
- Can data on a mobile device be remotely wiped? By whom? A best practice for devices that contain confidential or sensitive organization information is to ensure that the data can be remotely deleted from the device by the organization if, for example, the device is stolen or the employee is terminated. This may be relatively easy for some organizations. For example, sandboxed applications that permit employees to access email on the company’s server – but do not store or cache data locally – can typically be deactivated relatively easily and in a manner that does not allow an unauthorized person who may possess the mobile device to gain any access to the company’s system. To the extent that an employee was permitted to locally store work-related data (e.g., cache work emails locally, or download attachments), an employer should consider whether it has the right, and the technical means, to remotely wipe the entire device.
- What procedure is in place for an employee to report a missing mobile device? Accidents happen to everyone, but their aftermath can determine whether they become catastrophes. Employees should report a missing device to someone – perhaps the IT department or help desk – so that the organization’s device removal policy can be followed.
- What steps does the organization take to disseminate its mobile device policies? Organizations often rely on their IT staff, self-help materials, and employee certifications to ensure (a) employee awareness of the organization’s policies and (b) enforcement of those policies.
- Do the security measures in place match the sensitivity of the data accessed through the mobile device? For employees that receive non-sensitive information, minimal restrictions may be appropriate. For employees that receive sensitive or confidential information, stricter restrictions may be appropriate.
- Does your BYOD policy facilitate a wage and hour dispute? Although BYOD programs are widely lauded for increased productivity and “off-the-clock” accessibility, this benefit can expose employers to potential wage-and-hour issues if the BYOD user is a nonexempt employee. If a nonexempt employee is permitted to use a mobile device for work-related purposes after working hours, is there a policy that mandates that the employee must report the time that he or she worked? Is there an effective and efficient means for the employee to report such time?
- Does the BYOD policy expose the company to additional discovery costs? In the event that the organization is involved in litigation or a government investigation, it could receive a request that the company review its electronic files for evidence that may be relevant to the case. In some situations, a BYOD policy may expose the employee’s personal information – e.g., texts, images, emails, and files – to potential disclosure in the litigation. This is particularly true if, pursuant to the BYOD policy, the employee is instructed to use native communication systems on their personal device, for example where the employee routinely texts clients or other employees from their mobile device. If the employee has not taken care to preserve relevant information – particularly after an investigation or a lawsuit is initiated – it could lead to allegations of evidence spoliation against the company.