- Employers that allow their employees to use their own mobile devices for work purposes should have in place well-considered Bring Your Own Device (BYOD) policies.
- Effective employer BYOD policies anticipate and address a range of privacy, security and other issues that can arise when employees use laptops, smart phones, tablets and other devices at work.
Technology advances so quickly that most employers cannot keep pace as nimbly as their employees can. Capitalizing on that fact, many employers now permit their employees to purchase and use the mobile devices of their choice as a cost-effective alternative to using only company-owned or company-issued equipment. This development raises operational and legal issues that proactive employers will want to address.
What is a Bring Your Own Device policy?
BYOD refers to a policy implemented by employers to address situations where employees use personally owned, mobile, electronic devices for work-related purposes. Such devices include laptops, smart phones, tablets and similar technology. Their use may be voluntary or required by employers.
On the upside, allowing employees to use personal devices can improve efficiency, effectiveness and morale. On the downside, the practice raises serious security and privacy concerns, among others. A well-crafted policy will balance these competing concerns.
Why are BYOD policies important?
Even though more and more employees are using their own mobile devices to perform their job duties inside and outside the office, too often the employers' policies have not been updated to address this latest workplace development. Without an updated and well-thought-out BYOD policy, employers face various challenges. Here are just a few examples:
- A company suffers a massive data breach after an employee fails to report a lost laptop.
- Borrowing a mother's tablet to play computer games, a child accidentally downloads a virus into an employer's computer network.
- A terminated employee refuses to remove trade secret information stored on his device.
- A former employee threatens legal action after his personal information is remotely wiped from his smart phone.
What are some employee concerns?
Loss of privacy and loss of electronic information are typically the two biggest concerns employees have. Although the use of personal mobile devices for work-related purposes offers employees greater convenience, flexibility and other advantages, it also puts at risk personal data and programs stored on or accessed through the device. Employees are concerned about unauthorized or inappropriate access to or use of personal information, particularly financial and health data. Employees are also concerned about the loss of their electronic information (e.g., photographs, videos and contacts) when employers attempt to remove or "wipe" business information from the employee's device, which can be done remotely with some technologies. In addition, the lack of clear guidance from employers can result in disciplinary actions or financial losses to employees that might otherwise be prevented.
What are some employer concerns?
The primary concern of most employers is security. The use of personal mobile devices increases the risks of unauthorized access, disclosure or destruction of business data. Minimizing these risks is paramount.
A related concern is liability for data breaches, particularly those involving access to personally identifiable financial or health information. Personal devices may also be used to disparage employers through social media or to harass or bully coworkers in cyberspace.
To the extent that nonexempt employees use personal mobile devices, the employer may also face exposure under the federal Fair Labor Standards Act or similar state statutes for failure to compensate those employees for overtime. If nonexempt employees are using these devices for work-related purposes outside their normal work hours, the employer may be required to pay them overtime compensation.
What should employers do?
Employers should develop and disseminate a comprehensive BYOD policy that includes regular training and monitoring. There is no standard or one-size-fits-all BYOD policy. Which policy terms are best for a particular employer will depend on several factors, including the nature of the employer’s business, the extent of Information Technology (IT) support, and the type of data that needs protection. The following is a non-exhaustive list of some of the key features of a comprehensive BYOD policy:
- Decide which classes of employees will be permitted to use their own mobile devices.
- Require nonexempt employees to obtain prior authorization for use of mobile devices for business purposes outside normal business hours and to keep track of their time spent on business matters.
- Require employees to agree to acceptable-use terms when they first connect to the employer's computer network.
- Establish reasonable expectations for privacy and security.
- Affirmatively state the employer's rights to access, monitor and delete information from employee-owned devices.
- Consider mobile device management (MDM) technology that creates a virtual partition in the device separating work data from personal data.
- Provide reasonable notice to employees when the employer's data will be "wiped" from personal devices.
- Require strong passwords and automatic locking after short periods of inactivity.
- Establish protocols for reporting lost or stolen devices.
- Require certain antivirus and protective software.
- Require or strongly encourage regular backups.
- Address costs and expenses for employee-owned devices.
- Consider keeping a registry of all employee-owned devices being used for business purposes.
- Consider designating in advance approved equipment and software.
- Designate person(s) responsible for authorizing software and other downloads.
- Identify a point of contact and resources for questions about the policy.
An effective BYOD policy is not a short paragraph in the employee handbook crafted by the Human Resources department. It is a collaborative effort involving input from IT, Human Resources, risk management, operations and legal counsel.