BYOD Policy

A bring your own device (BYOD) policy is becoming the norm for many companies because it's not nearly as easy for businesses to keep pace with the rapid advances in technology as it is for individuals. That means employees often have more recently updated devices, and they would like to use them for work as well as personal reasons.

White-collar millennial workers, in particular, are now established in the workforce. They are also accustomed to using their own devices whether working or playing. As a result, they are driving a trend toward BYOD in the companies where they work.

So, the more progressive organizations have been allowing their employees to work on their own tablets, laptops and even smartphones, rather than on equipment that has been issued by the company. Unfortunately, there are a multitude of legal compliance and security issues to be considered.

However, a well-crafted BYOD policy can address the concerns of both employer and employees.

Advantages of a BYOD Policy

Creating an effective BYOD policy takes a great deal of effort and planning. But that should not be a deterrent, because there are many advantages to having one, not the least of which is saving a significant amount of money.

Computers and other devices are not cheap. Computers can range anywhere from a few hundred to a few thousand dollars. For instance, a company with about 30 employees with their own computers could spend $30,000 to $90,000 every few years upgrading to new equipment.

Allowing employees to use their own devices would help offset those costs, or even perhaps eliminate them completely. And employees are happy to use their own equipment because it's more convenient. A BYOD policy means they don't have to worry about needing a device when it's in the wrong location.

There are even more reasons for employers to embrace having a BYOD policy:

  • Increased productivity – When employees don't have to keep switching between personal and professional equipment, they can be more productive with their time.
  • Employee retention – So many employees these days are used to working for companies with BYOD policies that it may be a deal breaker for businesses that don't have one, not only with current employees but with prospective job candidates, as well.
  • Pro-active management – A study by Pew Research Center showed that over 75 percent of Americans own smartphones. And they are likely to use those for professional reasons whether or not their employers have a BYOD policy, which could cause a world of trouble. By getting in front of potential problems with an airtight BYOD policy, a company can pro-actively set the rules and avoid major problems.

Critical Components in Creating a BYOD policy

Bring your own device programs can vary from company to company, but they generally have 3 critical components.

  1. There must be a clearly written policy that details all of the responsibilities of the company and the employees.
  2. All users must be required to sign an agreement stating that they have read the policy completely and thoroughly understand it.
  3. There has to be some type of software application to manage all devices that are capable of connecting to the company's network.

While each organization can add specifics that best suit its needs, these three components should always be part of any BYOD policy.

Key Features in Creating a BYOD Policy

Company management must consider carefully before allowing their employees free rein of the organization's network with their own tablets and smartphones. Some of the questions that management needs to consider while the BYOD policy is still in the planning stages are:

  • Should employees be restricted to certain apps or web browsers? If so, which ones?
  • How much support should the IT department be expected to offer?
  • What type of security tools are available to protect the wide variety of devices that will be connecting to the company's network?
  • Will the company contribute to the cost of devices or the device/data plan? If so, how much?
  • Will the employer use location-based tracking, or any other type of monitoring? If so, the BYOD policy should clearly state when such monitoring will be employed and for what purpose.

In order to ensure that nothing falls through the cracks, input should be solicited company wide, from executives to the lowest ranks of employees who will be affected by the policy. Accounting, Human Resources, Legal, IT and more should all contribute to creating the policy.

When developing a BYOD policy, employers should try to anticipate any issues that might arise during implementation, and make sure that the policy is comprehensive enough to address them.

BYOD Policy Samples of Acceptable Use

Your company must clearly define what it considers acceptable business use. These will be activities which support the business either directly or indirectly. Guidelines might include:

  • Blocking access to particular websites during business hours and while employees are connected to the company's network. The list of websites, or types of websites, should be provided to employees.
  • Whether or not camera capabilities on employee devices, including video, must be disabled while on company premises.
  • Employees may not use their devices at any time to store or transmit proprietary information or illicit materials, engage in business activities other than their employer's, or harass anyone at the company.
  • Provide a detailed list of which apps employees will be allowed to use while at work, such as productivity or weather apps, and if any are prohibited, such as Facebook or Twitter.
  • Allowing employees to access company owned resources such as: calendars, email, documents, internal networks, etc.
  • That your company has a policy of zero tolerance for emailing or texting while driving and that only hands-free talking is permitted while driving.

BYOD Policy Samples on Security

It is crucial that devices be protected with the strongest of passwords to prevent unauthorized access. It is equally important that the company's network also require strong passwords for access.

Suggested password requirements are a minimum of six characters, including upper-case and lower-case letters, symbols and numbers. Passwords should be rotated at least every 3 months, and none of the previous 15 passwords can be repeated.

Other options for maximum protection of the company's interest would be:

  • If the device is idle for 5 minutes, it must automatically lock itself and require a pin or password to be unlocked.
  • The device will lock automatically after 5 failed login attempts and IT must be contacted in order to regain access.
  • iOS devices that are jailbroken and Android devices which have been rooted are absolutely denied access to the network.
  • Any app that is not on the company's list of approved apps will automatically be prevented from being downloaded or installed by employees.
  • Any tablet or smartphone that is not listed by the company as supported devices will/will not be allowed to access the company's network.
  • An employee's access to the company's network and data will be limited according to user profiles that have been defined and automatically enforced by the IT department.
  • The company may wipe an employee's device remotely if:
      1. It is lost or stolen.
      2. IT detects a policy or data breach, virus or some other threat to the security of any of the company's data or technology infrastructure.
      3. The user's employment is terminated.

BYOD Policy Samples on Risks/Liabilities/Disclaimers

The company will ensure that the IT department will use the strongest precautions to avoid the necessity of wiping an employee's device, and the resulting loss of personal data. However, employees must still be responsible for utilizing measures of their own, such as backing up all of their data, email, contacts, etc.

Employee responsibilities will include:

  • Reporting lost or stolen devices immediately to the mobile carrier, and to the company within 24 hours.
  • Strictly following the company's policy regarding accepted use.
  • Always using a device in an ethical manner.
  • Assuming full liability for all risks, including – but not limited to – any loss of personal or corporate data due to malware, viruses, bugs, errors, operating system crashes and/or other hardware or software failures, including any programming errors which might render a device unstable or unusable.

Additionally, the company reserves the option to:

  • Disable services or disconnect devices without advance notification.
  • Take any disciplinary action it considers appropriate for noncompliance with its BYOD policy, up to and including employment termination.

Employee Concerns about BYOD Policy

The main concern for most employees is that a BYOD policy might lead to a loss of their privacy. Employees are often afraid that their employers will obtain inappropriate access to their health and financial data, as well as to their personal contacts, photos, videos and other types of information.

Another fear is losing all of their personal data in the event that the company deems it necessary to wipe their devices. Even if none of the previously mentioned circumstances occur, their devices will almost certainly be wiped if their employment is terminated, even if voluntarily.

One possible solution for this is for the company to use mobile device management technology (MDM) to separate personal data from work data by creating a virtual partition. Not only will this limit an employer's access only to the company's data, it will also make it easier for the company to employ security measures.

Employer Concerns about BYOD Policy

Employers, on the other hand, have a great many issues to contend with.

Security

The biggest concern about BYOD policy for a business is almost certainly security. A great many people do not protect their smartphones, tablets or even their laptops with passwords. The devices that employees bring in may not have a timeout function or an automatic lock code.

Another major security concern for employers is when employees lose their devices, share them with others or connect their devices to the company's database using unsecured Wi-Fi networks. Any of these increase the risk that the firm's business data will be vulnerable to unauthorized disclosure or even destruction.

Legal

There are also any number of legal issues which could arise when employees are able to use their own devices. It might be easier to defame the company, its vendors, customers, competitors or their own co-workers. It might also allow them to harass subordinates or their co-workers by phone, text or on social media.

Another concern regarding a BYOD policy is whether business records that are stored on the personal devices of employees have been saved for a long enough period of time to meet the requirements of electronic discovery requests during litigation.

Adverse consequences for the employer may also result during litigation if the company fails to produce required information because it was not retrieved from an employee's personal device.

Labor Concerns

In addition to potential security and legal problems, a BYOD policy could render a business open to labor issues, as well. The federal Fair Labor Standards Act and state wage and overtime laws all contain provisions that might be triggered when non-exempt employees are requested to use their own devices for work purposes.

The problem is that employees who are using their own devices will have such easy access to them that they will be able to engage in work activities such as responding to text and email messages outside of their normal working hours.

Some state laws may also require companies to pay for all costs employees incur by using their personal devices for work. That raises concerns for employers about the expenses which are covered by the BYOD policy.

For instance, Section 2802 of the California Labor Code places broad responsibilities on employers for the business expenses of their employees. These could easily include some of the costs related to wireless voice and data plans when employees are required, or even just allowed, to use their own devices for work duties.

It's worth noting, though, that the above-mentioned MDM technology can also be used to limit a non-exempt employee's ability to use a personal device for business purposes outside of their scheduled work hours.

All in all, the best BYOD policies are notable for two main factors. They take into account the interests of both the employer and employees. They also make sure that every aspect is formally documented in the policy, with nothing left to uncertain interpretation.
