With the proliferation of powerful smart phones and other data storage devices, Bring Your Own Device (BYOD) situations are increasingly common for employers.
It stands to reason employees want to use their own devices in a work capacity. This phenomenon presents benefits for employers, as their employees can work remotely and communicate when situations arise during non-work hours. Additionally, employers can save money when they are not providing electronic devices to their employees.
BYOD situations also benefit employees, as they often prefer to link up their own devices to a work system, creating a little node of personalization in an environment that they do not otherwise control. Surveys have found a significant percentage of job seekers will view a prospective employer more favorably if it has an IT system that supports the seeker’s personal devices. Most people like having pictures of their kids or pets as desktop backgrounds, for example, and that is easier to do on a personal device.
However, if employers do not manage BYOD scenarios proactively, then there are significant drawbacks to the trend. When an employee sends, receives and stores company information on a personal device, then the specter of data loss is real. This risk can come from employees who intend to benefit themselves by taking information and using it to compete with or embarrass a former employer. It also can come from employees who mean no harm, but who inadvertently retain or lose sensitive data all the same.
Either way, the employer that thinks through BYOD issues in advance and charts out rational, balanced policies before issues arise is going to place itself ahead of the game. Following are some best practices for BYOD situations.
1. Have technology in place to protect company information.
The most basic response to a technological challenge is often the use of more technology. For example, an employer can require that its employees use an employer-issued email application such as Good Technology that ensures that email remains secure. An employer also can require that its employees use an application that allows the employer to shut down or access a device in certain circumstances. In an even simpler vein, an employer can take the no-cost step of requiring that employees activate passcode protection on their devices. Regardless of which of these options an employer chooses, it is important that a BYOD policy address the device itself.
2. Think through key information and take steps to protect it.
The smart employer engages in critical self-analysis as to the nature of its critical information and the means that it takes to safeguard the confidentiality of that information, especially with BYOD policies. Some information should not migrate to an employee’s personal device, no matter how secure that device is. Thus, it is important for an employer to ask two questions. First, what information would be most dangerous in the hands of a competitor or disgruntled former employee? Second, if forced to testify in court about the steps that an employer takes to protect that information, what could an employer representative say?
3. Make Sure employees UNDERSTAND THEY cannot misuse the employer’s computer system.
With the increased use of the federal Computer Fraud and Abuse Act and analogous state law computer protection statutes, employers are learning the importance of putting employees on written notice as to what they are not authorized to do on the company computer system. This includes taking material from the system (such as by emailing files out as attachments, saving them to flash drives or moving them to cloud accounts) and deleting materials for non-business reasons. The key to unlocking the power of federal and state computer protection laws is putting employees on notice that they are not authorized to perform certain acts on the system.
This general rule extends to BYOD policies. It is important for an employer to put employees on notice as to what they cannot do with respect to use and storage of company information on personal devices. The prudent employer will think through common employee misconduct or negligence scenarios involving data security on personal devices and then cover those scenarios with written policies. A policy laying out general rules and then covering specific situations is ideal.
4. Pay for the employee’s cell phone.
In the grand scheme of things, it is penny wise and pound foolish to have key employees pay for (and therefore control) their own cell phone plans. A company that owns the mobile device account can:
- terminate the account when a key employee leaves so customers cannot make contact;
- determine who the employee has been contacting;
- stop the employee from walking out with a de facto customer list.
While key employees might choose to use their own devices at work, the employer can still control the accounts and still be in command of the information on a device.
5. Employ tight exit procedures for departing employees.
Perhaps the number one issue with BYOD is that when employees use their own devices, they end up with a large quantity of employer information on those devices. Whether intentionally or inadvertently, when employees resign or are fired, they leave with a wealth of information. That information can be used in ways that are detrimental to the employer. Therefore, it is critical for an employer to use exit procedures so when an employee leaves, the employer can show that it did everything in its power to get its information back. These procedures will never be fool-proof against employees who choose to keep information on their devices, but at a minimum, an employer should be in a position to show that it took all reasonable steps to maintain the confidentiality of its key information.
The issue of protecting against data loss resulting from employees using their personal devices for work is increasingly salient and one that employers can address with some basic forethought and planning. Relatively small expenditures of time and money on the front end can deter an employee from exploiting key information on a personal device, it can protect against that same employee accidentally losing information, and it can position the company to recover the information if it is indeed lost. The critical first step is to acknowledge the reality of employees using their own devices and to plan accordingly.