Bring your own device (BYOD) policies are starting to gain some traction in the workforce as more and more employees are requesting the ability to use personal devices for work rather than take on yet another device to manage. Employers recognize the benefits (such as employee satisfaction and decreased upfront costs of electronics for the employer) but still need to utilize BYOD policies to protect themselves from the considerable security, privacy, and legal risks involved.
Why BYOD policies are important to have
While the need for a written BYOD policy may be obvious, such a policy can serve many important objectives:
- It can help to set or clarify the company priorities. For example, how will you protect trade secrets? Is this a concern? How much risk is acceptable? Does the company value security over access or vice versa?
- It can be used as a tool to educate employees. A BYOD policy advises what is and is not acceptable and what type of privacy expectations employees should have. It also tells what behavior is not tolerated and the consequences for such behavior. It can also serve to remind employees what data must be kept private.
- It can help IT to allocate resources. The IT department needs to know what devices will be covered. They need to know what to look out for and what security issues they will need to address.
- It can help the legal team to determine the legal risks and how to handle them. For example, they will need to have a plan for how to handle e-discovery issues, lawsuits, privacy issues, control issues, preservation of documentation, etc. Proper protocols need to be in place.
What BYOD policies must do
A BYOD policy must not only cover all the items above and address security, compliance, and legal issues, but it must also be realistic. This means it has to reasonably address stakeholder concerns while meeting company goals and legal requirements. Here are some guidelines to consider:
The policy must be reasonable. This might mean, for example, that the employer needs to allow the employee their own choice of device (even if they put limits on it). Requiring a specific device may limit the benefits of having a BYOD policy. Another way the policy needs to be reasonable is that any access restrictions need to balance the competing needs of security and flexibility. This might include allowing access from personal devices but limiting:
- the time of day that the company network can be accessed
- what areas can be accessed on personal devices versus work devices
- which employees can access which applications, networks, or programs
It must comply with privacy laws. For international employers, remember that European laws are much stricter than U.S. laws on this matter, and Canadian law is moving towards the European standard. In the U.S., state laws are still developing in this regard. Only recently, laws have been passed that prohibit employers from being able to ask for an employee’s password for social media, for example.
“The law is always behind the technology—so it’s catching up,” Jason Storipan noted in a recent CER webinar. “As people are adapting and adopting more technology (and new technologies), you’re going to start seeing issues pop up that then the law’s going to address.”
It must work within the needs and goals of all stakeholders. The policy should work within the company's needs. But it also needs to take employee needs into account, because if employees don’t like it and don’t adopt it, there will be implementation problems. Employers should identify the right stakeholders and involve them early in the process. For example, IT needs to be involved, on board, and able to handle the extra demands. HR needs to be involved as well, because this type of policy may increase its responsibilities by adding training, additional employee concerns to address, and the potential for additional discipline issues. Legal should be involved too, to ensure compliance.
The above information is excerpted from the webinar “BYOD Explained: Legal Guidance and Best Practices for When Employees Use Their Own Electronic Devices at Work.”
Jason Storipan is an associate in the New Jersey office of Fisher & Phillips LLP. His practice involves representing employers in all types of labor and employment disputes and assisting and advising clients in pre-litigation matters.