I read a great blog by Tricia Meyer of Meyer Law, on how crucial it is to prepare your business for the Bring Your Own Device (BYOD) movement. Surely you’ve heard about this; I even heard a story about BYOD on NPR a few months ago. This movement is really gathering steam; Tricia points out in her blog that according to a recent Cisco Survey, 71M BYOD devices are currently in use in the U.S., and that number is projected to grow to 108M over the next two years. The time to get your policy done was yesterday. But don’t worry, you can still establish one now… but don’t wait too long.
Crafting Your BYOD Policy and Compliance Training Courses
It’s very important to carefully craft and implement your BYOD policy so it’s as effective as possible at mitigating the risks that can be brought inside your company by outside devices. Meyer advocates considering 9 features when establishing your policy. I’d also advocate that any related compliance training courses or information security training courses cover these same features:
1. Level of Control. Ensure your policy clearly shows that your company maintains control over who has access to its network and data, and what procedures and policies are used to monitor employee devices. Further, your policy should show that your company is able to preserve all data on an employee’s device and that there are restrictions regarding employee use of mobile devices.
2. Ownership and Disclaimer. Your BYOD policy should clearly state who owns the data stored on the device, as well as guidelines for what can be done with the data. Can it be deleted? How often should it be backed up? The policy should remind employees that the company is not responsible for loss of personal data.
3. Expectation of Privacy. Your company’s policy should disclose the extent to which the employer will have access to employees’ personal data and emphasize that your company cannot guarantee employee privacy for those who opt to BYOD. Your company should retain access to employees’ devices in order to review activity and ensure compliance with company policies.
4. Lost or Stolen Device. The policy should clearly state what happens in the event that a device is lost or stolen: that the employee must immediately notify the company, that the company has the right to wipe all data on the device, and what procedures the company will follow next to prevent unauthorized access.
5. Cost. Your BYOD policy should set forth expectations regarding after-hours use to prevent wage claims. This should include whether non-exempt employees are permitted or prohibited from using the device for work outside of working hours.
6. Compliance with Laws. Your BYOD policy should address general compliance with laws and regulations specific to your industry. If you’re in healthcare, for example, you’ll need to pay particular attention to HIPAA. Your policy should also expressly prohibit the use of the device for discrimination or harassment.
7. Confidentiality. Make sure your BYOD policy reiterates that employees must abide by all company policies related to company, client and vendor information, and that they are prohibited from storing information from prior employers on their device.
8. Employee Consent. As we recommend with many policies, we’d advocate that you get employees to attest to the BYOD policy in writing.
9. Employee Termination. Your policy should clearly state what procedures apply in the event of employee resignations or terminations, in terms of BYOD devices and the data stored on them.
I loved Tricia’s blog and think these 9 features make a lot of sense for a company’s BYOD policy. Companies would be crazy to allow personal devices into their enterprises without a solid policy outlining acceptable behavior and procedures for employees. Personal devices introduce a lot of risk into the organization and should only be allowed under an agreed-upon set of conditions.
However, the risk does not go away once the policy is implemented. Do not lose sight of how important it is to train your employees on the BYOD policy (or any policy for that matter). The compliance training courses you roll out for your BYOD policy should be interactive, engaging and easy to remember. Further, if you have an integrated ethics and compliance solution, you can distribute the policy and the compliance training courses at the same time, so the messages complement each other and you get a “sum is greater than the parts” effect.
Employees will use personal devices for work for the sake of convenience, whether or not you actually implement a policy. That’s why it’s even more important that you do roll out a policy and subsequent information security training; laying out the conditions for BYOD allows you to control the ways in which your employees use their devices, the data and the subsequent risks to your organization.