Employees who use personal smart phones, PDAs, tablets, laptops and other electronic devices to connect to the employer’s computer network are fast becoming more of a rule than an exception. Today’s employees are often familiar with sophisticated technology and prefer their own devices to company-provided devices. Allowing employees to use personal devices to perform work-related activities gives them the freedom they want to balance their workload with the demands of their personal lives. As more and more employers move in this direction, it has become increasingly clear that policies regarding the use of personal devices have not kept pace with the trend, leaving employers open to potential exposure on many fronts. If your company has not implemented a Bring Your Own Device (BYOD) policy, now may be the time to consider it.
There is no boilerplate BYOD policy that will work in all circumstances. The BYOD policy needs of each employer are going to be different depending on a variety of factors including the type of industry, the classification of employees who are allowed to use personal devices and the degree to which the employer has IT support. The following are some factors employers may want to evaluate when considering implementing a BYOD policy.
First, a BYOD policy is a great place to set appropriate privacy and security expectations. Employees have a reasonable expectation of privacy in the information stored on their personal device – indeed, nobody disputes that personal emails, text messages, music, photos, videos, applications, etc. are private. However, when employees use their personal smart phones, tablets or laptops to connect to the company’s network, privacy expectations necessarily change. When used for work purposes, those devices also contain the employer’s information, including confidential business information, trade secrets, and, depending on the employer’s industry, sensitive, and sometimes highly personal, information of the employer’s clients/consumers (e.g., healthcare, financial services, etc.). The employer remains ultimately responsible for the protection of confidential and sensitive data and must be able to control its access and dissemination.
One way to balance these competing privacy and security concerns is through a BYOD policy. A well-drafted BYOD policy can define what constitutes personal information and what constitutes company information.
In addition, employers may want to address the company’s ability to “wipe” the device in the event that it is lost or stolen, or employment is terminated. Employers may wish to consider requiring employees to immediately report a lost or stolen device and state that the device may be “wiped” at the company’s sole discretion. As a caveat to the remote-“wipe” provision, a well-drafted BYOD policy will also advise employees to back up their devices often and state that the employer is not responsible for the loss of personal information in the event of a “wipe.”
Other strategies to protect company data in a BYOD policy include requiring employees to use company-approved software, antivirus software, passwords, access codes and automatic locks after brief periods of inactivity. Employers may also want to consider including provisions which allow for monitoring, accessing and reading all data (both personal and work-related) on devices connected to the company.
Second, companies considering implementing a BYOD policy may want to evaluate which employees are going to be eligible to participate in the BYOD program. Twenty-four hour access to work necessarily brings significant concerns regarding the number of hours non-exempt employees may be working. If a non-exempt employee performs work after his or her normal working hours, the employer may need to pay for such time worked, even when the work was not authorized by the employer in advance. Accordingly, determining whether to allow non-exempt employees to participate in the policy is a key question. If non-exempt employees are permitted to use personal devices, employers may want the BYOD policy to spell out the conditions for doing so (i.e., prior authorization) and require that the non-exempt employee track and report all time worked on his/her personal device after hours.
Third, because electronic discovery is a frequent and increasingly expensive component of litigation, employers may wish to address how potentially relevant work-related information on personal devices may be searched and preserved. BYOD policies may require, for example, that employees simply provide access to the device and all information (both personal and work) on it, or, if possible, that an electronic division between the employee’s personal and work information be established on the device. That divide may help minimize the risk that the employee’s personal information on the device will need to be seized and reviewed for discovery purposes. Such divides may not eliminate that risk entirely, however, so a BYOD policy may also state that in the event of litigation or a government investigation, the employee agrees not to alter or destroy the information on the device and will provide it to the company for discovery purposes.
When implementing such a policy, employers may also want to consider both distribution to all employees (including signatures acknowledging receipt) as well as training about the new policy.
While there is no one-size-fits-all BYOD policy that will work for every employer, considering the ramifications of a BYOD policy on privacy and data security, overtime compensation and potential litigation may help employers develop BYOD policies that meet the needs of the employer’s business and employees. Employers considering BYOD policies may want to consult with experienced counsel and IT personnel regarding such policies.