Keys to Effective Bring-Your-Own Device Policies
Seamus M. Donoghue
Manufacturers may implement bring-your-own-device (BYOD) policies for salespeople who travel, customer service representatives who work from home and managers who use mobile devices to perform business tasks. But allowing access to the company’s systems on an unsecured device presents risks. How can you protect your company’s data without violating employees’ privacy rights?
Evaluating the pros and cons
Rather than buying dedicated work phones, laptops and tablets for each employee, many businesses are tapping into workers’ personal devices. BYOD programs enable employees to work anytime from anywhere, which promotes greater flexibility and productivity. Plus, employees appreciate the option to choose their preferred devices, leading to enhanced job satisfaction.
Because most employees already own these devices and tend to update them often, employers may be able to eliminate the cost of purchasing and updating devices. When calculating cost savings from a BYOD initiative, offset the equipment cost savings with the added costs of supporting multiple operating systems and devices.
Ask your IT department to provide a list of devices that it can easily support and that have acceptable levels of security. The more devices IT supports, the more time-consuming and costly your BYOD program will become.
BYOD programs also come with less obvious costs. Employers generally have less control over technology equipment and the confidential data stored on employees’ devices. And employees have less separation between their personal and business lives.
Drafting a formal BYOD policy
Employers that allow their employees to use their own devices for work purposes need to implement a formal BYOD policy to minimize security and liability risks.
A comprehensive policy anticipates what happens with the device in various situations, such as:
- If there is a voluntary or involuntary termination;
- If the device is lost, shared or recycled;
- If unprotected public wireless networks are used;
- If the device is attacked by a virus or malware; or
- If it is synced on an employee’s home cloud.
Other questions to address include:
- Who Pays the Bill?
Payment policies vary widely. For example, an employer might pay for a predetermined number of voice minutes and an unlimited data plan for employees. Any charges above that amount are the employee’s responsibility.
- Who Owns an Employee’s Cell Phone Number?
This is a big deal for salespeople and service representatives, especially if they leave to work for a competitor. Customers may continue to call a rep’s cell phone, leading to lost sales for the enterprise.
- Can Employers Require the Use of Passwords?
In general, mobile devices should lock if idle for five minutes and require a password or personal identification number to unlock. After a limited number of failed password attempts, the device should require assistance from the company’s IT department to regain access.
Employees who participate in BYOD programs should be required to periodically submit their personal devices to IT personnel for configuration, updates and security checks. And employers should reserve the right to revoke the BYOD privilege if users don’t abide by the rules.
Navigating privacy issues
Employees must understand that participation in a BYOD program gives the company access to personal information, such as text messages and photos. However, the BYOD policy should state that the company will never view protected information, such as privileged communications with attorneys, protected health information or complaints against the employer that are permitted under the National Labor Relations Act.
In case your company becomes involved in a lawsuit, its data retention policies should address how data is stored on mobile devices and gathered during litigation. Keep in mind that Rule 34 of the Federal Rules of Civil Procedure covers all devices, including personal devices that access the company’s network.
No two companies have the same BYOD policy, but there is one must-have: Your policy should be spelled out in a formal user’s agreement that’s signed by all employees who participate in your program. Contact your attorney and an IT security expert to ensure that your BYOD policy covers all the bases, addresses all relevant security and liability risks, and is legally enforceable.
For more information, contact Seamus Donoghue at firstname.lastname@example.org or 312.670.7444. Visit ORBA.com to learn more about our Manufacturing and Distribution Group.