Have you implemented (or are you considering implementing) a Bring Your Own Device (BYOD) policy? This trend just keeps growing. Employers are finding that many employees are more than happy to use their personal phones (and even tablets and computers) for work, since it means workers will be able to have a say in what type of device they use. It could even mean employees would no longer have to carry multiple devices anymore—work and personal devices can become one. Employers also assume they will benefit from reduced costs if they don’t need to buy new devices.
However, this can be a double-edged sword. What employee behaviors should employers be concerned about when implementing such a policy?
BYOD: Employee Habits that Employers Should Consider
We know there are pitfalls with BYOD policies, not least of which is the risk of company data being less secure. But there are also behavioral considerations that affect security and costs. Here are just a few examples.
- With a device that “feels” like a personal device, employees may be less likely to take security precautions such as password protection—even if the employer’s policy requires it. They may feel it’s a burden and it’s their prerogative to be able to remove the password since it’s their phone.
- Personal devices are often shared by family members, including children, thus increasing the risk of the phone being lost or stolen. This also increases the risk of sensitive data being deleted or shared with others.
- Employees are likely to use the device in less secure ways, such as connecting to open (unsecured) Wi-Fi networks at restaurants and the like. This reduces your security further.
- When using a personal device, an employee is likely to feel it’s their right to use it in any way they please—such as for social media, texting, or games—and will probably be more inclined to engage in such activities at work. This could impact productivity.
- Through many of the above items, these devices may be at an increased risk of introducing and spreading viruses into the company network.
- Employees also may use their devices in decidedly more personal ways, such as sexting or sending explicit photos or jokes. Such behavior will be complicated for the employer, as it will now be occurring on a device also used for work. This could lead to liability questions as well as employee privacy concerns.
- Employees may be more likely to use the phone as a storage device for work documents and other info. This not only poses the same security issues noted above but also presents additional issues. For example:
- If the employee’s device is lost and gets remotely wiped, now the employer has also lost data that can never be retrieved.
- It may make consistent recordkeeping more complex.
Besides employee behaviors that increase risk and liability, there are other considerations that relate to BYOD and employees:
- What happens to the phone and the data when the employee quits or is terminated? For example:
- Does the employer have the right to remove all data from the device to ensure security?
- Does this include all personal data and apps?
- Even if the answer is yes, how will you enforce it?
- Will the employer be responsible for paying for the loss of items that belonged to the employee, such as music, videos/movies, apps, etc.? This could be thousands of dollars.
- What if the employee does not have a personal device and/or does not want to participate? What will the employer do that maintains fairness to everyone?
- Who will pay the bill? Will the employee receive a stipend or set amount to cover the business portion? Will this amount be the same for all employees? If not, how will it be equitable? Some local laws already require employers to reimburse employees for work-related costs on their personal devices even if the device has unlimited minutes or data (in those cases, it should be a percentage of the total bill). What if the stipend doesn’t cover enough in the case of more expensive phone plans?
- How will the employer address situations that go beyond the scope of the employee’s phone plan? For example:
- If you require employees to use their personal phones and also require employees to conduct international business, what is your policy if the employee’s phone does not work internationally, and how will you handle this?
- What if the employee has a data-limited plan and the data run out halfway through the month? Can the employer force employees to answer work-related e-mails even if they can no longer download them without incurring extra costs? Who covers that cost if it’s required by the employer? (The same question could be posed for limited minutes.) Employers that are not offering to pay the full costs of the phone plan may find employees unwilling to take on higher bills, even with a stipend applied.
- How will you ensure that devices are kept up-to-date in terms of updates, security patches, and the latest versions of work-related software?
- If the employee has a reasonable expectation of privacy, the employer may be limited in what they’re legally able to retrieve or view on the phone (such limitations might not apply to a company phone). This could make investigations—such as regarding a data breach—much more complex. Be sure to get legal advice; the law is not always on the employer’s side when it comes to employee rights to privacy. At a minimum, employers must be transparent about what they’re tracking and what type of privacy (if any) the employee can expect. Employees likely won’t be happy to have their privacy compromised—even if it’s outlined in a policy that they sign in advance.
- Who will handle technical problems? Typically a personal device would be handled by the employee, but if the employee has no desire nor budget to pay for repairs and now cannot communicate for work, what do you do? Can you force them to always have it on? What if the employer’s software is not compatible with the device (or stops running) and no one on staff knows how to fix that type of device?
- What are the implications of blurring the lines between personal and work time? Will you require employees to answer the phone after work hours? This could have payroll consequences—especially for hourly employees.
- Implementing a BYOD policy often requires more software to be purchased by the organization, such as more mobile virtual private network (VPN) options or other security needs. Some employers are finding that this offsets the BYOD savings significantly, especially when coupled with increased administrative time.
Remember, simply having a policy does not mean it will be followed, so it certainly can’t be counted on to avoid these pitfalls. Once a data breach occurs, for example, the fact that the employee broke the policy will be the least of the employer’s concerns—firing the employee does not undo the problem.
Additionally, the law has not yet caught up with technology. There have been a handful of cases brought to court, and surely more will follow as these tangled issues get sorted out. While addressing all of the above issues, many companies have found that BYOD didn’t turn out to be a cost savings at all—the increased IT administration, security issues, and other headaches were simply not worth it.
About Bridget Miller:
Bridget Miller is a business consultant with a specialized MBA in International Economics and Management, which provides a unique perspective on business challenges. She’s been working in the corporate world for over 15 years, with experience across multiple diverse departments including HR, sales, marketing, IT, commercial development, and training.