Workplace BYOD Policy: One Size Does Not Fit All

Technology continues to adapt, advance and take over our lives.  Apple will be releasing new iPhones and iPads soon, and loyal fans of Android devices (and other platforms) continually upgrade their gadgets with the latest releases.  The more that these gadgets are available, the more likely employees will bring these gadgets into the workplace and attempt to use them to conduct work and/or check business email.  Whether an employer likes it or not, employees are bringing their own devices to work.  An employer would be foolish to bury its head in the sand and not address the bring your own device (“BYOD”) trend.  The company should not delay in formulating its position on whether, and to what extent, it will allow employees to BYOD to work, and how to manage this growing trend.

Why have a BYOD policy?

Has your company put a policy in place yet?  There are many “non-legal” reasons that a company may want to encourage employees to BYOD to use at work or for work-related purposes.  By adopting a BYOD policy, employers may:

  • Reduce their technology expenses.  This expense is reduced if employers decrease or eliminate altogether the practice of the company providing devices, phones, data plans, and other technologies to their employees.  Essentially, some of the expenses are now assumed by employees who bring their own devices.
  • Make use of the most current technology.  Individual employees are more likely to upgrade devices and/or buy the most sophisticated gadgets than many employers, who only upgrade every three or five years based on a limited company budget.  By implementing a BYOD policy, employers can take advantage of newer technology provided by employees.
  • Support an employee’s wish to carry only one device for all uses, rather than two (or more) separate devices for business and personal use.
  • Provide freedom to the employee to use their preferred device/system.  People are typically loyal to one operating system of their own choice.  There are fierce iOS, Android, and Windows fans.  By implementing a BYOD policy, employees may appreciate the freedom to use the device/system of their choice, rather than being forced to learn/use a system the employee does not like or is unfamiliar with.  This may increase employee efficiency and productivity.

Some “cons” of a BYOD policy.

Last year, I warned employers to be aware and take action to deal with personal mobile devices in the workplace.  The biggest issue facing BYOD employers is the increased security risks and diminished control over company confidential data and information.  And, in order to combat those security risks, BYOD employers face potentially significant upfront costs on security technology, and coordination with their IT and legal teams.  Some key factors to consider regarding the security of company confidential information include the following:

  • Level of security of each employee’s particular device.  How will your company manage the differing security settings and options of the various mobile devices, and does the company have an internal (or third-party) IT security expert to handle such differences?
  • Type and sensitivity of the information, and potential impact of inadvertent disclosure of the company’s information.  Using lawyers as an example:  a law firm’s confidential information is highly sensitive, and in most cases also subject to the attorney-client privilege and/or the attorney work-product doctrine.  Inadvertent disclosure would certainly have an impact on the client(s), and the underlying legal matters that were disclosed.  Every company wants/needs to protect its confidential information, but for some businesses, the type and sensitivity of the information is an important factor to consider.
  • Legal consequences of unauthorized use or access.
  • Client directions and circumstances.  Do your clients prohibit BYOD environments because of security concerns, and will you lose business as a result of a BYOD policy?

Some suggested practices for employers.

First, your company needs to analyze this situation.  Gadgets are not going away, and employees will continue to own and use such gadgets.  Companies need to take a position on this issue, and “one size does not fit all.”  Some companies may decide to simply ban all use of personal devices for business purposes.  Such a policy may work for a significant number of companies, but may not work for all.  Conversely, some companies may dive right into a BYOD policy.  While these two options are on opposite ends of the spectrum, both are better than a company that is not doing anything or is not even considering how to handle personal mobile devices in the workplace.

If your company is thinking of implementing a BYOD policy, below are some suggested practices to achieve success and maintain security of information:

  • Get IT staff/consultants involved
  • Get a lawyer involved
  • Get an inventory of employee devices
  • Insist on the following:
    • Password protection
    • Encryption
    • Firewalls
    • Firmware updates and antivirus software
    • Virtual Private Network (VPN)
    • Mobile Device Management
    • Data backup
    • Regular audits and software updates
    • Employee departure procedures
  • Develop breach notification procedures
    • Internal:  reporting of lost or stolen devices; remote locking or wiping; enabling “find my phone” or similar applications
    • External:  know if your company has a duty to inform clients/customers/vendors of breaches
  • Draft policies for employees to follow, and get their acknowledgement of receipt of the policies.  Policies must be realistic and should address items including the following:
    • Establishing ownership of firm and client data (as opposed to personal data)
    • Requiring employees to maintain confidentiality of company data
    • Requiring the security measures developed by the company
    • Requiring employee consent to monitoring and reducing employee expectation of privacy
    • Requiring employee consent to remote locking or wiping in event of security breach, theft, loss of device, or employee departure
    • Specifying any prohibited devices
    • Using devices to connect to public Wi-Fi
  • Train supervisors, managers, and other IT folks on the policies.
  • Routinely review and update BYOD and related policies

Avoid tunnel-vision!

Mobile devices, social media, etc. are ubiquitous.  They permeate our daily lives.  Issues related to mobile devices and social media should also permeate a company’s employee handbook and policies.  Referring to social media and/or BYOD issues in merely one policy would be a mistake.  Employers need to think big here.  They must analyze how mobile devices and/or social media impact other workplace issues and should update and audit their policies often.  Some of these policies include those dealing with telecommuting, cell phone/PDA use while driving, trade secret/confidential information protection, employee privacy (and the lack thereof), discrimination, retaliation, and harassment, wage and hour (work time/payment policies) and more.

While a BYOD policy is not something every employer needs, all employers must at least consider these issues and take a stance and update other policies accordingly.

Does your employer have a written/formal BYOD policy?  If not, do you use your own device for work-related purposes?

Information provided on this website is not legal advice, nor should you act on anything stated in this article without conferring with the Author or other legal counsel regarding your specific situation.

James Wu
James Y. Wu contributes a monthly column on Social Media and Employment Law. For nearly 20 years, James has provided day-to-day counseling and advice to employers regarding compliance with employment laws and reducing the risks of employment-related claims and lawsuits. He also provides strategic litigation services when claims and lawsuits do arise. After practicing at some of the nation's leading law firms, James opened his own law office in order to continue to provide his top-notch service at a much more reasonable rate for his clients. James earned his JD from Boston College Law School and both his BA and MA from Stanford University.