BYOD: Policy Considerations for Employers in the Age of Personal Devices

by Snell & Wilmer

Employees who use personal smart phones, PDAs, tablets, laptops and other electronic devices to connect to the employer’s computer network are fast becoming more of a rule than an exception. Today’s employees are often familiar with sophisticated technology and prefer their own devices to company-provided devices. Allowing employees to use personal devices to perform work-related activities allows employees the freedom they want to manage their work load with the demands of their personal lives. As more and more employers move in this direction, it has become increasingly clear that policies regarding the use of personal devices have not kept pace with the trend, leaving employers open to potential exposure on many fronts. If your company has not implemented a Bring Your Own Device (BYOD) policy, now may be the time to consider it.

There is no boilerplate BYOD policy that will work in all circumstances. The BYOD policy needs of each employer are going to be different depending on a variety of factors including the type of industry, the classification of employees who are allowed to use personal devices and the degree to which the employer has IT support. The following are some factors employers may want to evaluate when considering implementing a BYOD policy.

First, a BYOD policy is a great place to set appropriate privacy and security expectations. Employees have a reasonable expectation of privacy in the information stored on their personal device – indeed, nobody disputes that personal emails, text messages, music, photos, videos, application, etc. are private. However, when employees use their personal smart phones, tablets or laptops to connect to the company’s network, privacy expectations necessarily change. When used for work purposes, those devices also contain the employer’s information, including confidential business information, trade secrets, and, depending on the employer’s industry, sensitive, and sometimes highly personal, information of the employer’s clients/consumers (i.e., healthcare, financial services, etc.). The employer remains ultimately responsible for the protection of confidential and sensitive data and must be able to control its access and dissemination.

One way to balance these competing privacy and security concerns is through a BYOD policy. A well-drafted BYOD policy can define what constitutes personal information and what constitutes company information.

In addition, employers may want to address the company’s ability to “wipe” the device in the event that it is lost or stolen, or employment is terminated. Employers may wish to consider requiring employees to immediately report a lost or stolen device and state that the device may be “wiped” at the company’s sole discretion. As a caveat to the remote-“wipe” provision, a well-drafted BYOD policy will also advise employees to back up their devices often and state that the employer is not responsible for the loss of personal information in the event of a “wipe.”

Other strategies to protect company data in a BYOD policy include requiring employees to use company-approved software, antivirus software, passwords, access codes and automatic locks after brief periods of inactivity. Employers may also want to consider including provisions which allow for monitoring, accessing and reading all data (both personal and work-related) on devices connected to the company.

Second, companies considering implementing a BYOD policy may want to evaluate which employees are going to be eligible to participate in the BYOD program. Twenty-four hour access to work necessarily brings significant concerns regarding the number of hours non-exempt employees may be working. If a non-exempt employee performs work after his or her normal working hours, the employer may need to pay for such time worked, even when the work was not authorized by the employer in advance. Accordingly, determining whether to allow non-exempt employees to participate in the policy is a key question. If non-exempt employees are permitted to use personal devices, employers may want the BYOD policy to spell out the conditions for doing so (i.e., prior authorization) and require that the non-exempt employee track and report all time worked on his/her personal device after hours.

Third, because electronic discovery is a frequent and increasingly expensive component of litigation, employers may wish to address how potentially relevant work-related information on personal devices may be searched and preserved. BYOD policies may require, for example, that employees simply must provide access to the device and all information (both personal and work) on it, or, if it is possible an electronic division between the employee’s personal and work information may be established on the device. That divide may help minimize the risk that the employee’s personal information on the device will need to be seized and reviewed for discovery purposes. Such divides may not eliminate that risk entirely, however, so a BYOD policy may also state that in the event of litigation or a government investigation, the employee agrees not to alter or destroy the information on the device and will provide it to the company for discovery purposes.

When implementing such a policy, employers may also want to consider both distribution to all employees (including signatures acknowledging receipt) as well as training about the new policy.

While there is no one-size-fits-all BYOD policy that will work for every employer, considering the ramifications of a BYOD policy on privacy and data security, overtime compensation and potential litigation, may help employers develop BYOD policies that meet the needs of the employer’s business and employees. Employers considering BYOD policies may want to consult with experienced counsel and IT personnel regarding such policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising

Written by:

Snell & Wilmer

Snell & Wilmer on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.