BYOD is continuing to gain momentum in the workplace, and sooner or later every company will have to deal with it.
BYOD stands for “Bring Your Own Device,” and it’s what increasing numbers of employees are doing every day. Rather than being stuck with unfamiliar company-issued devices, modern workers want to use their own personal smartphones, laptops, or tablets on the job.
And often it works. Employees are happier when they can use their own devices, and they’re more productive, too. According to Brandon Leatha, a Director with iDiscovery Solutions, a study conducted by Intel found that “employees saved an average of almost one hour per day by using their own devices.” So, good for workers, good for companies.
But BYOD can also be risky if it isn’t properly supervised. When companies don’t have a clearly defined, written BYOD policy statement, they may find themselves legally and financially exposed, particularly if company data stored on employee devices is lost, stolen, or misused.
What should a BYOD policy statement include?
iDiscovery’s Leatha has addressed the question of what a good BYOD policy statement should cover. He says, “organizations must have a strong BYOD policy that covers all aspects of personal device usage, including password and security requirements, acceptable use, continuous monitoring, data ownership, and separation procedures.”
The first aim of a good BYOD policy must be to keep the organization’s vital data safe. When employees are allowed to access internal company IT systems directly from, for example, their smartphones, those devices become an entry point that an attacker can use as well.
For example, if a worker falls victim to a “phishing” attack while browsing the web on their own time, credentials could be revealed or malicious code installed on the device, and either can give an attacker a path into the company’s systems.
Are employees allowed to download company information?
Allowing employees to download sensitive company information onto their personal devices puts that data at great risk of compromise. A survey of Federal workers in the US found that many employees have little concern about the security of the information stored on their devices.
For this reason, the BYOD policy should state explicitly whether employees may store company data on their personal devices, as opposed to accessing it online through an app or a browser window without keeping a local copy.
In most cases, actually downloading information to a personal smartphone or laptop should be forbidden except with explicit authorization. Otherwise, the company could find itself with unanticipated liabilities if the employee’s device is lost or stolen, potentially including a legal requirement to publicly disclose the possible exposure of sensitive information.
Another reason for avoiding having business information actually resident on employees’ personal devices is that doing so makes the company responsible for the worker’s handling of that data. For example, in the event of litigation, such information may be subject to discovery, and its unauthorized destruction could lead to severe penalties. One company was required to pay a fine of more than $900,000 when employees deleted job-related text messages stored on their personal smartphones.
The BYOD policy should also make clear to employees that if their personal device is lost or stolen, or if their employment ends for any reason, the company has the right to remotely wipe its data from the device. A remote wipe has sometimes deleted the worker’s personal data along with the company’s, and employees should be told of this possibility in advance.
Watch out for FLSA and privacy violations.
The BYOD policy should make clear to workers when they may use their devices for company business and when they may not. Many companies have become unwitting violators of the US FLSA (Fair Labor Standards Act) because employees used their personal devices for work during off hours. For example, if a non-exempt worker checks job-related email at 9:00 pm on their smartphone, that time is compensable and may trigger an overtime requirement.
It is the company’s responsibility to track and, when necessary, pay overtime for work done by non-exempt employees, just as if that work had been done on company premises using company equipment.
Likewise, the company’s need to monitor, access, or delete data on an employee’s personal device raises a number of privacy issues that the policy must address.
These are just a few of the challenges a company can face if it doesn’t adequately regulate the BYOD activities of its employees. That’s why having a well thought out and properly communicated BYOD policy statement is so important. If your company doesn’t yet have such a policy, now’s the time to put one in place!