BYOD Policies: Are They Right For Your Company?
As technologies advance and real estate costs increase, more and more companies are moving towards allowing workers to telecommute. With the advantages of having remote employees, comes the question of how these employees interact with the company resources. While many companies choose to provide workers with computers and cellular phones, technology allowances have also become a method by which companies request that the employee provide his or her own technology. Additionally, many workers prefer to utilize their own devices for work, even if the company does not provide reimbursement. Many companies have welcomed this drive in their employees as it lowers their own costs, as well as provides an increase in productivity. With any remote system accessing company data, security and legal compliance become risk factors that must be analyzed.
For the employee, the loss of privacy can be a key issue. Most employees worry about the company having the right or ability to access the worker’s personal email communications, social media, financial and health data, photos and contact lists. Additionally, while many employees may not think about it until it comes up, many companies may not be able to remove their information from the employee’s device without wiping all of the data off of the device.
For the employer, most companies concentrate of the security factors and risks. Many personal use devices do not carry passcodes, lock features, or time out functions. Allowing an employee to work remotely may mean that the employee utilizes an unsecure Wi-Fi hotspot or share them with roommates. And, as with anything that is not kept in the office, there is the risk of losing the device entirely. But there are things that many employers do not think of when it comes to initiating remote policies. When an employee is utilizing their own device, or in their own space, many office protocols can become more relaxed. Sharing of company and/or client interactions on social media, defamation of the company, use of vendors or client contacts, and even harassment of co-workers become easier when an employee is away from the office structure.
Moreover, when allowing an employee to work remotely or with a personal use device, the company can expose itself to liability under the federal Fair Labor Standards Act, state overtime and wage laws. As technology use has become common place around the home, on the go, at sporting events, even while waiting for a movie, employees will be in a position to access emails and respond to work situations outside of traditional and scheduled work hours. While many do not take issue with this, and in fact often view it as a benefit to not having to fit everything in set time periods, when push comes to shove it can be an issue that comes to bear.
Reimbursements can be another potential headache that employers do not often look at when first entering into allowing employees to utilize personal devices. Many reimbursement policies are governed by state law. Additionally, being clear on whether an employee is required to utilize their personal device, whether a company provided option is available, and what qualifies as company time, can be key elements in structuring reimbursement procedures.
One final challenge facing employers is when business records are stored on personal use devices. Remote access to company servers, email attachments, and cloud-based storage are all ways in which company data can leave company possession and be stored on an employee’s device. While the employee may never use the records for nefarious purposes, it is still subject to electronic discovery requests during litigation and/or Internal Revenue Service audits. Failing to retrieve and destroy records in accordance with company retention policies form employee devices can have long reaching consequences for the employer.
To address these issues, employer should have a very comprehensive policy that is given to all employees and updated and maintained as technology changes. A recent addition to the Human Resources paperwork has become the Bring Your Own Device Policy. Most BYOD Policies are used to address the risk factors from both the employee and employer perspectives. When structuring a BYOD Policy, it is important to remember that they are not one size fits all. Each policy must be tweaked based upon your company’s industry, available IT support, and data that may transfer over remote devices. Here are some key factors to consider:
- Determine which devices are permitted and supported. Limiting the devices to non-jailbroken or non-refurbished devices can be essential.
- Keep a registry of all remote devices. Be sure to require updates to these devices.
- Determine who can utilize their devices. Limiting device use to exempt employees or setting strict policies around off-clock hours for non-exempt can be crucial.
- Create a virtual partition between work data and personal data. This protects both the employee’s personal data as well as the company’s data.
- Clearly state the employer’s rights to access, monitor and delete information that is owned by the employer. Also, be sure to state that while every effort will be taken to protect the employee’s personal data, it may be subject to wipe in order to protect or retrieve company data. The employer and employee should both beware of what data may be saved in cloud-based back-up and through routine maintenance, despite policy. Be sure to outline how and when a wipe of the data may occur. Note how the company will determine company versus personal data, and the methods for obtaining this information.
- Require passwords, automatic locking, and/or establish protocols for public use Wi-Fi, reporting lost or stolen devices, antivirus software, and IT support.
- Determine who can authorize a personal use device and who will maintain adherence to company practices and policies. Determine if current retention policies will correspond with BYOD policies.
While remote working provides many financial and morale benefits for both the employer and employee, it does not come without risks. A well composed BYOD policy and careful consideration to the employee and employer needs can assuage many of these risk factors. The most important thing to keep in mind is that no BYOD Policy should be written and forgotten. It must be routinely reviewed and revised to keep up with the changing world of technology and workplace advancements.