Key Components of Employee “Bring Your Own Device” Policies
Need to Know . . .
- A company will need to obtain reasonable access to the BYOD users' devices on a fairly regular basis
- Security provisions would include restrictions on who can use the device, where company data should be stored on the device, and password requirements
- The BYOD policy should remind employees that when using their personal devices for company purposes they still must comply with all company policies regarding electronic communications
“Bring Your Own Device” (BYOD) is an increasingly widespread practice through which employees are allowed to use their personally owned computing devices to connect to and interact with their employers’ computer networks. At many companies, BYOD has been permitted, and frequently encouraged, as a means of satisfying employees’ desires to use those devices they are most at ease in operating so that presumably they are more productive. BYOD may be occurring without much comprehensive employer oversight of the usage and security of devices, however.
In enabling employees to maintain company data on their devices along with personal data, BYOD raises serious security and privacy concerns. Companies in the manufacturing sector with substantial intellectual property assets should particularly focus on vulnerabilities to data breaches through BYOD. In addition, data breaches involving private employee information (e.g., Social Security numbers or health records) or material, non-public company financial information could compromise the ability of companies to comply with various legal confidentiality requirements.
Also not to be overlooked is the potential loss of other types of confidential information that would affect companies’ competitiveness, such as customer lists, pricing lists, and sales terms. In some cases, the benefits of BYOD may be outweighed by concerns for maintaining confidentiality of internal communications, thereby leading some companies to prohibit BYOD. Nevertheless, companies that are inclined to allow BYOD should consider adopting an effective policy providing important guidance regarding employee–employer interaction.
Key Provisions of a Suggested BYOD Policy
An employer’s overriding objective in creating a BYOD policy is to foster a cooperative environment between the company and its employees with respect to the use, maintenance, and security of personal devices. The company needs to obtain reasonable access to the relevant devices on a fairly regular basis so that software can be installed and upgraded, and may want to reserve the right to inspect the devices to ensure that employees’ use of the equipment complies with company policies. Occasions may arise when employer access is necessary to comply with legal discovery requests or obtain information as part of internal investigations. Therefore, the policy should alert affected employees that they will routinely need to make their devices available for service and/or inspection. The policy should clearly identify the extent to which employee communications will be monitored.
Data security provisions should cover such matters as restrictions on who can use a relevant device, where company data should be stored on the device, and password requirements. Issues for consideration include having BYOD users avoid installing certain kinds of software or applications and even prohibiting access to websites that pose risks to company data or to the software applications that provide security for the company’s network.
The policy must address the handling of devices that are lost or stolen or compromised through viruses, malware, or spyware. One provision would require employees to immediately report the loss or theft of a device to the employer to allow for prompt protection of company data and systems. Another provision would involve obtaining employee consent (through a signed form indicating the employee has read the policy and agrees to comply with its provisions) to having company data wiped (i.e., removed) from a device at any time, especially following a theft or loss. In light of the possibility that the wiping procedure could result in the loss of the employee’s personal data, the policy should note this risk.
Another issue concerns removing company data from personal devices when an employee leaves the company—voluntarily or involuntarily. Therefore, the policy should state that departing employees must turn their devices in for removal of company data and that the company will determine the timing of the process (terminations for cause would likely trigger a requirement for immediate device submission).
Compliance With Company Policies
The BYOD policy should remind employees that when using their personal devices for company purposes they still must comply with all of the company’s usual policies regarding electronic communications (e.g., prohibiting harassing language, sexually explicit content, and texting while driving). Employees should recognize that intellectual property assets are more widely accessible through mobile devices, and thus they have an essential obligation to maintain the confidentiality of those assets.
Many MAPI member companies conduct operations in countries with a heightened risk of theft of devices or information stored on devices. Companies should therefore consider instituting restrictions precluding BYOD use in specific high-risk countries, regardless of whether employees are permanently based in those countries or merely traveling there on limited assignments.
An effective BYOD policy supports a company’s specific needs, obligations, and culture, and should place particular emphasis on facilitating the protection of data privacy and security.