Roughly 77% of Americans currently own a smartphone, and half of all Americans own a tablet. A new iPhone can cost over $1,000 plus monthly fees of roughly $100 per phone. For a startup company with limited resources, it may be unreasonable to purchase smartphones – and other technological devices – for all of its employees. Companies with 10 employees could end up paying $20,000 a year for phone services.
In addition, many businesses, both large and small, have come to realize that employee use of their own devices is becoming the norm. Employees often will conduct Company business using their own personal devices even when Company policy discourages or even forbids such use. It is just easier to return a call or send a quick text or email from that smartphone that never leaves your side.
As the technology has evolved and more and more businesses use cloud-based platforms, businesses and employees alike are preferring that employees use their own devices. Employees like it because they believe that such use empowers them to work and collaborate the way they prefer, with complete freedom to use any PC, laptop or mobile device they choose.
Consequently, business owners now more than ever are allowing and in some cases requiring their employees to use their personal devices for work-related purposes. This trend raises numerous concerns, however. First and foremost are the security concerns that such use creates and the risk of unauthorized disclosure of sensitive information. Employees may connect to unsecured Wi-Fi or may share personal devices with family or friends. Some employees may not use passwords to protect their phones, tablets, and laptops, and some of these devices do not have an automatic timeout function.
As with most things that make business operations more convenient, there also are serious legal issues that need to be addressed when employees are allowed to use their personal devices for work-related purposes. For example, a company that is brought into litigation may have a legal duty to preserve data on employees’ personal devices, and it will need a way to procure and secure that data unaltered. Text messages are discoverable. Want to free up storage and clean old “junk” off your iPhone? Any intentional or unintentional destruction or alteration of the data while litigation is pending could lead to sanctions for spoliation of evidence, even if the deleted data was not related to the case.
Permitting use of a personal device for work-related purposes could also lead to complications under state and federal wage-and-hour laws. Overly restrictive procedures and policies relating to the use of the devices could lead to claims of unfair labor practices.
Unless a company decides to ban the use of personal devices for business use, prudent risk management requires the adoption of a bring your own device (BYOD) policy. The purpose of the policy is to ensure network security is not compromised by employees and that the company can capture and maintain the records related to its business.
There are four basic BYOD options:
1. Unlimited access to the company’s network for personal devices.
2. Access only to non-sensitive systems and data on the network.
3. IT retains the ability to exercise control over personal devices, applications and stored data, and therefore has the ability to monitor all activity on the device.
4. Access to systems and data on the network without the ability to store data on personal devices.
The BYOD policy should address, at a minimum, the following issues:
1. Who will pay for the devices and user data plans?
2. Are there any regulatory issues that need to be accommodated?
3. How will the devices be secured against data loss or theft?
4. Who will be responsible for storing data from BYOD devices, and where will it be stored?
5. What documentation will you require from employees who use their own devices at work?
6. What measures do you need to take to ensure the protection of trade secrets, confidential information, and other company data?
7. What are the limits of each employee’s expectation of privacy?
8. What are the procedures for immediate reporting of lost or stolen devices?
9. Can you or your IT vendor disable the phone or tablet remotely if it is lost or stolen?
10. Will you provide technical support for employees who need assistance with their device?
11. How will you prevent unauthorized after-hours email access and work by nonexempt employees?
12. How will you educate employees on their rights and obligations under the BYOD policy and security requirements?
13. What happens if an employee violates the BYOD policy? Disciplinary action? Denial of access to the system from the employee’s own device?
14. What is the procedure for deleting company data on termination of employment?
Every business needs to consider how it wishes to address these issues, in consultation with knowledgeable IT personnel and legal experts. A BYOD policy can be the right thing for your business and your employees, but employers should review their strategic options and consider the pros and cons of such a policy.