BYOD, which stands for “bring your own device,” is becoming an increasingly more popular plan in the workplace. It can provide employers an added connection to their workforce, allowing employees to efficiently address important matters quicker than in the past. Allowing access to the employer’s network via the employee’s own personal devices may result in greater overall efficiency and productivity, fewer electronic devices for the employee to keep track of, and the ability to use the most up-to-date devices and features if they choose.
But there are drawbacks to BYOD as well. Security is one of the biggest. Employers may have a harder time managing and protecting sensitive data when it is stored or can be easily accessed from employee-owned devices.
BYOD and security: The lost device issue
Whether company-owned or not, a missing tablet or phone increases the possibility of an outsider accessing company trade secrets and sensitive customer/employee information.
“A lot of companies have proprietary information on their servers, their email, or what have you. When an employee loses a tablet or smartphone . . . that increases the possibility of an outsider gaining access to that information. That information could be company trade secrets, sensitive customer and employee information [etc.].” James Crumlin explained in a recent CER webinar.
It becomes a bigger problem for BYOD workplaces, however, because employees are more likely to disable security measures on their personal devices. It’s also more difficult to ensure that every device has the latest software (and all updates) when there are dozens of types of devices in use all at the same time by different employees. This can leave the data more vulnerable.
You want to make sure to secure your data so that anyone who uses their own device has a password on the device, as a minimum. This way if a device is lost, it’s more difficult for someone else to access company data. Secondly, the company should be sure to have a way to remotely wipe clean the device just in case this happens.
BYOD and security: Policy considerations
To reduce legal and liability risks, companies need to implement a BYOD policy that includes:
- Mobile device security policies
- Password policies
- Encryption policies
- Data classification policies
- Acceptable use policies
- Anti-virus software policies
- Wireless access policies
- Incident response procedures
- Remote working policies
Additionally, your policy needs to state the additional risk for employees – if a device is lost and the employer remotely wipes the data, all personal data will be lost at the same time. It should also be spelled out who is liable to replace the device if this should happen.
The issue of data and security comes up in other ways as well. Should the need arise, the BYOD policy should define ownership over the device and the information on it. In other words, if there is an investigation, does the employee have to turn over the device?
This can be problematic because the employee may instinctively feel that they should not have to give over information on the device, but since it has become a device used for work purposes the employer may have a limited right to search the information on the device. (The search must be reasonable, taken for a work-related purpose, and not be intrusive.)
It can be a tricky area, so employees need to understand the situation before they use the device for work purposes. In addition to implementing these policies, also implement mandatory training on the topic to be sure everyone is on the same page.
The above information is excerpted from the webinar “From Smartphones to iPads: Legal Issues When Employees Bring Their Own Devices to Work.” To register for a future webinar, visit CER webinars.
James Crumlin is an employment lawyer, working in the Nashville office of Bone McAllester Norton PLLC. He concentrates his practice in the areas of labor and employment law, small business law and mid-size business representation, corporate business litigation and entertainment law.