Risk Versus Convenience: Crafting Effective BYOD Policies

Salespeople who travel, customer service reps who work from home, and managers who use mobile devices to perform business tasks may all appreciate the flexibility of a bring-your-own-device (BYOD) policy.  Manufacturers may put themselves at risk, though, in allowing access to their systems on an unsecured device. How can you protect your company’s data without violating employees’ privacy rights?

Study the pros and cons

Instead of buying work phones, laptops and tablets for each employee, some businesses choose to let workers use their own. Such BYOD programs enable employees to work anytime, anywhere, which improves flexibility and productivity. Employees also appreciate the option to choose their preferred devices.

Employers can reduce or eliminate mobile equipment costs because most employees already own these devices and update them often. However, when estimating your potential cost savings, remember to offset the equipment savings with the additional costs of supporting multiple operating systems and devices.

To begin, first ask your IT department to provide a list of devices that it can easily support and that have acceptable security. You will probably want to publish a list of acceptable devices, keeping in mind that the more devices IT supports, the more time-consuming and costly your BYOD program becomes.

BYOD programs also carry less quantifiable costs. Employers generally have less control over equipment and the confidential data stored on employees’ devices. And employees have less separation between their personal and business lives, and may have to accept the possibility of their entire device being wiped remotely by the employer.

Craft a formal policy

If your company is going to allow employees to use their own devices for work, you need to implement a formal BYOD policy to minimize security and liability risks. That policy should anticipate what happens in various situations, such as a voluntary or involuntary termination; if the device is lost, shared or recycled; if unprotected public wireless networks are used; if the device is attacked by a virus or malware; or if it’s synced on an employee’s home wireless router.

Other questions to address include:

Who pays the bill? Payment policies vary widely. For example, an employer might pay for a predetermined number of voice minutes and an unlimited data plan for employees. Any charges above that amount are the employee’s responsibility.

Who owns an employee’s cell phone number? This is a big deal for salespeople and service representatives, especially if they leave to work for a competitor. Customers may continue to call a rep’s cell phone, leading to lost sales for the former employer.

Can employers require the use of passwords and encryption? In general, mobile devices should lock if idle for five minutes and require a password or personal identification number to unlock. After a limited number of failed password attempts, the device should require assistance from the company’s IT department to regain access.

Employees who participate in BYOD programs should be required to periodically submit their personal devices to IT personnel for configuration, updates and security checks. And employers should reserve the right to revoke the BYOD privilege if users don’t abide by the rules.

Navigating privacy issues

Employees must understand that participating in a BYOD program gives the company access to personal information, such as text messages and photos. However, the BYOD policy should state that the company will never view protected information, such as privileged communications with attorneys, protected health information, or complaints against the employer that are permitted under the National Labor Relations Act.

In case your company becomes involved in a lawsuit, its data retention policies should address how data is stored on mobile devices and gathered during litigation. Keep in mind that Rule 34 of the Federal Rules of Civil Procedure covers all devices, including personal devices that access the company’s network.

Wondering how to make it work?

No matter what details are contained in your company’s BYOD policy, there is one must-have: that policy should be spelled out in a formal user agreement that’s signed by all employees who participate in your program.

If you have questions, contact Weaver’s IT advisory services group to ensure that your BYOD policy covers all the bases, addresses all relevant security and liability risks, and is legally enforceable.

© 2019