Time was, organizations provided employees with the computer hardware they needed for their jobs. Today, many workers prefer to use the same device for business and personal use. Organizations have signed on, both to accommodate employee demand and in the hope of saving IT costs. But “Bring Your Own Device” raises a host of risks for companies:
Information security: Employee-owned devices often come with fewer data protections. IT departments may not know which devices employees are using, making it hard to provide protections.
Data privacy: Customer data is at greater risk on employee-owned devices. That’s a particular concern in Europe, which tends to have strict personal information laws. “That includes data that doesn’t directly identify an individual, such as job title or email address,” notes Karin Retzer, a Morrison & Foerster partner in Brussels who is focused on data security, direct marketing, and e-commerce. Employee data is equally sensitive. “Monitoring employee email becomes much more intrusive, because personal devices likely include personal information,” says Ann Bevitt, who heads Morrison & Foerster’s Employment and Labor Group and its Privacy and Data Security Group in London.
Employment law: “The employment world is divided into non-exempt employees, who get paid when they work overtime, and exempt employees who don’t,” notes Janie Schulman, who co-chairs Morrison & Foerster’s Employment and Labor Group. “If a non-exempt employee uses a personal device to check email at home, do you have to pay for that time?”
Faced with these issues, how can your company manage BYOD effectively? Some best practices are beginning to emerge:
Leverage technology: Make sure all devices employ basic safeguards such as password protection, data encryption, and functionality that deletes data if the device is lost. Consider technology that prevents sensitive data from leaving the network.
Establish a policy: Put your BYOD policy in writing, recommends Alistair Maughan, co-chair of Morrison & Foerster’s Technology Transactions Group. Employees should know that their device may be monitored, that the corporate data on it belongs to the company, and that its data will be deleted if the device is lost.
Make it easy: “Don’t make it too difficult for employees to comply with the rules, or they’ll actively try to circumvent them,” advises Christine Lyon, a Palo Alto, California-based Morrison & Foerster partner who focuses on privacy and employment law.
Train, train, train: “You need to create a culture in which everyone understands it’s in both the individual’s and the institution’s best interest not to have a data breach,” says Daniel Westman, managing partner of Morrison & Foerster’s Northern Virginia Office.