Bring-your-own-device, or BYOD, policies allow employees to use their personal technology, such as laptops, smartphones and tablets, in the workplace. In InsideCounsel’s October issue, we take a look at the benefits of putting such a policy in place, as well as the security challenges inherent in allowing employees to carry around company data.
Why have a BYOD policy?
Tech-savvy employees who are dissatisfied with the technology provided by the company may well prefer to use their own devices, and granting them this freedom could increase employee retention and productivity. The ability to access company data remotely provides enormous incentive for employees to stay plugged in to work while on the go.
What’s the downside?
Letting data roam free in the pockets of employees presents a pretty significant security risk, one most companies aren’t prepared to deal with. According to PricewaterhouseCoopers’ 2012 Global State of Information Security Survey, only 43 percent of respondents’ organizations had a security strategy for employee-owned devices.
What kind of policy is best?
There are many different approaches to take. Some companies work out Internet payment agreements with their employees. Some give employees a stipend with which to purchase the required devices. However a company decides to approach its policy, Brian Jackson, an attorney at Fisher & Phillips, advises employers to maintain ownership of the devices, to better protect company data.
Companies might also want to consider restricting employees’ options to a selected list of approved devices. “It is nearly impossible to manage the thousands of potential operating systems and device configurations from a variety of manufacturers,” says Jim Guinn, managing director at PricewaterhouseCoopers.
How can companies protect their data on employee-owned devices?
First and foremost, companies should put in writing their right to access and protect data on devices employees use for work. Putting this in the employee handbook isn’t enough—companies should draft stand-alone agreements specifically for this purpose. However, if an audit ends up being necessary, a company’s IT department, or another third party unaffiliated with employment decisions, should conduct it, in case personal information such as religious beliefs or disability status should surface during the audit. Keeping decision makers away from that kind of information can protect the company from potential discrimination claims down the line.
For added security, another option many companies are considering is having employees install mobile device management (MDM) software on any devices they use for work. This gives employers control over the device, allowing the company to wipe it clean of data if the device is lost or stolen.