According to a recent Cisco survey, 71 million BYOD devices are currently in use in the U.S. This number is projected to grow to 108 million over the next two years. Businesses increasingly allow employees to use personal devices for work, which can benefit both employers and employees.
But Bring Your Own Device (BYOD) policies must be implemented carefully to bolster positive outcomes and mitigate security risks. Cisco has found that, because many companies implement BYOD in a piecemeal fashion rather than strategically, their savings are greatly reduced.
You must consider the following when establishing a strong BYOD policy:
1. Level of Control. It is crucial that your company maintain control over who has access to its network and data. It’s recommended that companies set up procedures and policies related to monitoring employee devices, including the option for your company to preserve all data on an employee’s device. It’s also important to set clear restrictions regarding employee use of mobile devices.
2. Ownership & Disclaimer. Your BYOD policy should address who owns the data stored on the device and what can be done with the data. For instance, if the data belongs to the company, the company generally requires that it have the ability to delete the data from the device. The policy should also remind employees to back up their personal data. It’s important to clarify that your company is not responsible for personal data loss.
3. Expectation of Privacy. Your company’s policy should disclose the extent to which the employer will have access to employees’ personal data and emphasize that your company cannot guarantee employee privacy for those who opt to BYOD. Your company should retain access to employees’ devices in order to review activity and ensure compliance with company policies.
4. Lost or Stolen Device. What happens if the device goes missing? To prevent unauthorized access, your BYOD policy should set forth a procedure for a lost or stolen device, including a requirement for the employee to notify the company immediately. The company should have the ability to remotely wipe all data from the device.
5. Cost. Allowing employees to use authorized devices for work purposes outside of regular work hours may trigger wage claims. Your policy should set forth expectations regarding after-hours use, including whether non-exempt employees are allowed to use, or prohibited from using, the device for work outside of work hours.
6. Compliance with Laws. Some businesses are subject to legal requirements regarding storage and access of personal information. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on devices that hold data subject to the act. Depending on your industry, these restrictions may need to be addressed. Your BYOD policy should also address general compliance with laws and prohibit the use of the device for discrimination or harassment.
7. Confidentiality. Your policy should reiterate that employees must abide by all company policies related to company, client and vendor information, and should prohibit employees from storing information from prior employers on their devices.
8. Employee Consent. It’s recommended that employees agree to the terms and conditions of the BYOD policy in writing.
9. Employee Termination. Your policy should set forth procedures regarding BYOD devices in the case of the resignation or termination of an employee.
If thoughtfully executed, a strong BYOD policy can benefit your company. Cisco estimates that BYOD programs can save employers more than $3,000 per employee. Many employees will use personal devices for work for the sake of convenience, with or without a formal policy. Laying out the terms for BYOD allows you to control the ways in which your employees use their devices.
DISCLAIMER The content in this article is for informational purposes only and does not constitute legal advice. Readers should contact a qualified attorney to obtain advice with respect to any particular issue or problem.