Bring Your Own Device – Pitfalls and Policies

A fairly recent issue facing businesses and their employees is the trend known as Bring Your Own Device, or BYOD. This term describes the practice where an employer relies on its employees to bring their own laptops, tablets, and/or smartphones to work for business use, rather than issuing them company-owned devices. BYOD raises a variety of legal and business issues, including privacy, data security, wage and hour tracking, and litigation, to name just a few. These issues apply to companies of all sizes, including startups where the founding team may be using their personally-owned laptops, tablets, and smartphones. Take the jump for a discussion of the business and legal issues raised by BYOD, as well as some of the components of any workplace BYOD policy.

A key business issue is how to maintain and support the variety of devices that currently exist. One employee may have a Windows laptop, while another might use a MacBook, and a third might have a Chromebook. That means three different operating systems and three different versions of each piece of software, and many software programs are written solely for one operating system. The same split applies to tablets and smartphones, where you have Android, iOS, Windows, Blackberry, etc.

A second issue that has both business and legal ramifications is providing security for the data stored on the device, as well as for the company’s data in general. We have all heard about someone losing a laptop that contains customer data, including social security numbers or credit card numbers. Just as dangerous is a tablet or smartphone that gives the user access to the corporate network, and all the data stored there. If a company implements BYOD, it must ensure that any device used has adequate security controls configured on it.

A third issue is data ownership. If an employee uses her own smartphone or tablet for work, it is likely that the device will contain data belonging to the employer, as well as data belonging to the employee. Separating out this data is a thorny issue. For example, the contacts on a smartphone might include the contact information of friends, family members, coworkers, and business contacts such as customers. If the employee is subject to a non-compete agreement, how does that affect the customer contact information on the employee’s smartphone when she leaves her job?

A fourth issue is privacy. An employee may store sensitive personal information on the device, such as bank account numbers, passwords, credit card information, browsing history, etc. How can the employee prevent the employer from accessing such information on a personal device used for work? In addition, there are federal laws such as the Computer Fraud & Abuse Act and the Stored Communications Act, which prohibit unauthorized access to certain electronically-stored information.

An issue related to data ownership and privacy is the effect of litigation and e-discovery. In a pending lawsuit, a company may have to turn over certain specified information to the adverse party as part of the discovery process. The information can include files, email messages, and even instant message and chat logs. Information subject to a discovery order may be stored on an employee’s personal device. Gaining access to all these devices is much more complicated than if the company is merely accessing data on its own network. Moreover, there is the risk of accidentally accessing and turning over personal information owned by the employee.

Before adopting a BYOD approach, the employer should carefully develop a policy to address the variety of issues raised by BYOD. The policy should cover, at a minimum:

1. Scope – will BYOD be voluntary or mandatory? In addition, will BYOD be limited to certain employees or classes of employees, or will it apply company-wide?

2. Supported Devices – which devices and brands will be supported by the company?

3. Security – will the company use mobile device management (MDM) tools, such as requiring registration of devices with the MDM program as a condition of access, password strength requirements, encryption, remote wiping, etc.?

4. Consent to Employer Access – the company should have each employee affirmatively consent, in writing, to the employer having access to any personal device used for work.

5. Remote Wiping of Data – the company should have the ability to remotely wipe data from a device if the device is lost, if the employment is terminated, or if the employee removes required security settings.

6. Definition of Permissible Use – this should cover use of cloud storage, access to secured vs. unsecured wireless networks, etc.

7. Exit Procedures – when employment is terminated, there needs to be a process for the employer to remove company data from any personal devices.

8. Application of Other Employment Policies – the employer needs to consider how other employment policies, covering subjects such as workplace harassment, access to certain websites, use of social media, etc., might apply when an employee is using his own device for work.

9. Cost Reimbursement – the employer needs to determine who will pay for the device as well as for any data plan. In addition, state law might impact whether the employer must pay for some or all of these costs.

10. Technical Support and Maintenance – the employer must address the issue of providing adequate support and maintenance for any personal devices covered by BYOD.

This is just a brief overview of what has quickly become a complex issue for companies large and small. I would be remiss if I didn’t close by suggesting that employers consult an attorney in crafting their approach to BYOD.

Follow me on Twitter @PaulHSpitz