February 09, 2016
“Bring Your Own Device,” or “BYOD,” or is an emerging catchphrase used to describe the practice of using employee-owned personal computers, phones, tablets, or other communications devices to perform company work. In other words, employees engaged in BYOD use their own hardware, software, and operating systems, rather than their employer’s, to do their work.
1. BYOD Policy Considerations
This area is rapidly-evolving, and every organization’s needs and situations will be different. Therefore, as with many other types of employment policies, there is no one-size-fits all BYOD policy; you must craft a policy that suits your organization. Here are some things to think about in drafting your organization’s BYOD policy.
a. To B(YOD) or Not to B(YOD)
As a threshold issue, consider whether BYOD even makes sense for your organization. Are more than a handful of employees using personal devices to perform company work? Who really needs to be using a personal device? In some cases, it may make sense to return to the employer-provided device model, restricting employee access to your information and systems away from work. In other words, the employer supplies and owns the device, pays for the network and the storage, and retains control over the devices and the information they carry. If your organization goes this route, be sure to have a clear policy about personal use.
b. If BYOD is Right for You, Determine Who Will be Permitted to BYOD
It may not be appropriate or necessary for all employees to perform work on personal devices. Once BYOD users are identified, have them sign off on the policy and use agreement.
Be particularly careful in permitting non-exempt employees (those entitled to overtime and other protections under the Fair Labor Standards Act) to BYOD. This includes giving non-exempt employees access to webmail or other seemingly-innocuous methods of connecting with the office. Non-exempt employees are entitled to compensation for all time worked, which includes time spent reviewing and responding to work emails. Non-exempt employees generally should not be permitted to use personal devices to perform work outside their normal work hours without prior authorization, just as they should not be permitted to work overtime without prior authorization. Solutions could include instructing non-exempt employees not to read or respond to email away from work; instructing non-exempt employees to log all time away from the office spent working; and/or segregating work from personal email on the employee’s personal device.
c. Set Rules for BYOD
Provide clear instructions to employees about what is required to BYOD. Among the items you should include are:
(1) Password Protection
Most obviously, employers should require that any personal device used for work purposes be password protected with a strong, unique password. Employees should agree that they will keep passwords confidential. Employees should specifically agree not to share passwords of devices used for work with friends or family, just as they agree not to share the password to their desktop computer.
(2) Malware Protection
Employees should also be required to install and maintain appropriate antiviral software. It may be a good idea to provide the software, or at least provide a list of acceptable options.
(3) Encryption
Employers should require that anything sent to or from an employee’s personal device, or stored away from the employer’s storage, be encrypted and otherwise secure. For some employers, it may be necessary to ban off-site storage of certain types of information.
d. Require Regular Back-Up to the Employer’s Storage
Content that is created on and received on the employee’s individual device may or may not make it back to storage controlled by the employer. To the extent that it is feasible, it is a good idea to require employees to regularly back up information to the employer’s storage. Similarly, employers could require that all messages be copied to an address or location that will automatically reside on the employer’s storage.
e. Require Compliance with the Employer’s Other Policies
Remind employees that all other company policies apply to BYOD use. In particular, the company’s anti-harassment and anti-discrimination policies, confidentiality, ethics, compliance, and social media policies must apply to BYOD use just as they apply to employer-provided device use. Companies subject to regulatory requirements, such as HIPAA, must be extremely cautious.
f. Address Privacy Issues
Employees should be reminded, and should specifically agree, that they have no expectation of privacy in company work performed on their personal devices. Although this area is evolving, an employer will generally be in the best position to recover information if the employee acknowledges and agrees in advance that there is no privacy interest in the employer’s information, even if it resides on the employee’s personal device.
g. Require Immediate Reporting When Something Goes Wrong
Employees must be required to report lost, stolen, hacked or damaged devices promptly. Prompt reporting allows employers to take swift remedial action to address lost or breached data, if necessary. It may also aid in recovery or wiping of the device; generally a device can only receive a “locate” signal or a “wipe” command until the battery runs out.
h. Set a Protocol for Departing Employees
Employees should agree in advance to return all company information, files, data, etc. upon termination of employment. Employees should agree not to retain any company information for any reason. Finally, employees should agree that upon termination, any personal devices used for work purposes will be surrendered for inspection upon request.
i. Articulate Your Policy, Educate Your Employees, and Get Them to Sign Off On It
Your BYOD policy should be in writing and employees engaged in BYOD should sign off on it, indicating their acknowledgment and agreement to its terms.