Bring Your Own Device Policies: 10 Practical Steps to Minimize Risk
By Anne Kane
Today almost everyone owns a smart phone, tablet or other mobile device. Increasingly, employees want to use their own devices to connect to company networks and to store and process company information. While permitting such access may increase employee productivity, it presents employers with significant privacy and security concerns.
The challenge for employers is finding the right cost/benefit balance for their businesses. In developing an effective “bring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program.
Employers can open a BYOD program to all employees, or they can limit participation strictly to employees who are exempt from overtime, to a particular functional group of employees (e.g., the sales team), or to some other category or categories that make sense for the business. The employer must also decide how much access to its network will be permitted—which could range from limited access to email to full access to all company data and systems.
Once these basic parameters are set, a written policy is essential to establish ground rules and permit enforcement to protect the company’s data and other interests. The following ten steps are key to establishing an effective BYOD policy:
Establish a Mandatory Authorization Process: This should be completed before an employee is permitted to access company data and systems on a personal mobile device.
Require Password Protection: Each authorized device should have the same password protections as an employer-issued device. Such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.
Clarify Data Ownership: A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to backup any personal data stored on the authorized device.
Control the Use of Risky Applications and Third Party Storage: An employer may also want to ban the use of applications that present known data security risks, such as the use of “jailbroken” or “rooted” devices and cloud storage.
Limit Employee Privacy Expectations The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data will be stored on the company’s back up systems. To minimize the co-mingling of company and personal data, employers may want to install software which permits the “segmenting” of authorized devices. However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.
Address Any Business-Specific Privacy Issues: Certain businesses are subject to legal requirements regarding the storage of private personal information (such as social security numbers, drivers’ license numbers and credit and debit card numbers, etc.) which may need to be addressed in a BYOD policy. For example, HIPAA requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.
Consider Wage and Hour Issues: Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. A BYOD policy should set forth the employer’s expectations regarding after-hours use (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail and texts after hours).
Insure Compliance with Company Confidentiality Policies. A BYOD policy should reiterate that an employee using an authorized device must comply with all company policies regarding confidentiality and the “acceptable use” of company information.
Spell Out Procedures In Case of Loss or Theft: The employer should establish a specific protocol which will be followed in the event an authorized device is lost or stolen, including the prompt reporting of a lost or stolen device and the remote wiping of the device.
Document Employee Consent: The employer should obtain an employee’s written consent to all terms and conditions of the BYOD policy.
For more information regarding this or other labor and employment issues, please contact Anne Kane of Schnader’s Labor and Employment Practices Group.
The materials posted on Schnader.com and SchnaderWorks.com are prepared for informational purposes only and should not be considered as providing legal advice or creating an attorney-client relationship. Please see our disclaimer page for a full explanation.