Drafting and maintaining a “Bring Your Own Device” (BYOD) policy is now a necessary component of any company’s privacy program. Advances in technology have provided employees the opportunity to use their own devices for work-related purposes. Now, a parent can use his/her personal laptop to remotely access a company computer while taking care of a sick child, or an employee can use an iPhone to reply to an e-mail while singing “Take Me Out to the Ballgame” at Wrigley Field. The use of employee-owned devices is a regular occurrence in most industries.
The use of these devices for business purposes allows employers to maximize the productivity of their employees, but also comes with risks. Generally, an employer will forfeit a certain amount of control over the access and use of its data when it allows its employees to use their own devices for business purposes. In today’s technology-driven world, it is not feasible to prevent employees from using personal devices for business purposes, so employers should implement a BYOD policy to minimize their risk.
Bring Your Own Device Policy Considerations
There is no one-size-fits-all approach to formulating a BYOD policy, but the following issues should be considered and addressed.
- Who is involved?
All relevant stakeholders should be involved. That means representatives from senior management, the IT Department, the Legal Department and the HR Department should all have input in formulating this policy. This variety of input will ensure that the BYOD policy is driven by the goals of the business, and also mindful of data security and compliance issues.
- What is the scope of the policy?
The employer must consider what types of devices will be covered by the policy. Generally, a BYOD policy should cover smartphones, tablet computers and personal laptop computers. However, the employer must recognize that these devices have different characteristics and vulnerabilities, and therefore the BYOD policy may need to address their use separately.
- What operating systems will be allowed?
There are a number of different available devices that run different operating systems, for example Android from Google, iOS from Apple and Windows Mobile from Microsoft, among many others. The variety of operating systems presents a challenge to employers, as they must ensure that each operating system provides secure access to the network.
- Storing employer information in the cloud?
Many employees now use cloud storage for personal use. It is very likely that while using their personal devices for business purposes they will store company information in the cloud. A BYOD policy should clearly prohibit the storage of company information in a public cloud storage location.
- Wiping data from a device
A BYOD policy should outline the circumstances under which the employer will wipe information from a personal device. This situation could arise if the device is lost or stolen, or if the employment relationship is terminated. The policy should also define the information that will be wiped: will the company only remove data applicable to the business, or will all the contents of the device be erased? Lawsuits have arisen when employers have erased personal material from an employee’s device.
- Who owns the phone number?
It seems straightforward that the employee would retain ownership of the phone number for a personal smartphone after leaving the company. However, this can be a more difficult question depending on the employee’s position, and whether the phone number was used for business purposes, such as for sales calls. The BYOD policy should clearly identify the owner of the phone number.
- User Authentication
Access by unauthorized individuals is a major concern when personal devices are used to access company data. A BYOD policy should require that personal devices used for business purposes are password protected.
- Compensation Considerations
The BYOD policy should define whether the company will compensate the employee for use of a personal device. This compensation may include wireless voice and data usage. Additionally, the company must determine how the use of personal devices is treated under the applicable jurisdiction’s labor laws. For example, in some jurisdictions, employees are entitled to overtime pay when checking e-mail on their personal smartphones outside regular working hours.
- Employee Monitoring
The BYOD policy should clearly define and notify the employee of the extent to which the employer will monitor activity on the employee’s personal device. Employers generally have the ability to monitor all of the employee’s activities on a company-owned device, but cannot do the same on an employee-owned device. A certain amount of monitoring will be necessary to protect the company’s interests, and the company should notify its employees that it will take this action.
The issues outlined above should be considered as a company creates its BYOD policy. Like all components of a company’s Privacy and Data Security program, the BYOD policy should be regularly reviewed, updated as necessary, and conveyed to its employees.