Best practices for BYOD policies

Dec. 3, 2013
Steps organizations can take to help prevent sensitive data from falling into the wrong hands

Let’s face it: bring your own device (BYOD) situations are here to stay.  With the ubiquity of employees having and using smartphones and tablets – devices that have more capacity and processing power than desktop computers from not so long ago – it was inevitable that employees would eventually start to use their own devices in a work capacity.  This new reality presents benefits for employers, as their employees can now be productive away from the office and be responsive to work situations as they arise.  Additionally, there are cost savings that can be achieved when an employer is no longer responsible for supplying devices to its employees.

The situation also benefits employees, as they often derive personal satisfaction from being able to link up their own preferred devices to the work system, creating a little node of personalization in an environment that they do not otherwise control.  Surveys reflect that a significant percentage of job seekers will view a prospective employer more favorably if it has an IT system that supports the seekers’ personal devices. 

However, if employers do not manage BYOD scenarios proactively, then they present risks in addition to the aforementioned rewards.  To state the obvious, when an employer’s information is being sent, received and stored over a device that the employer does not own, then the specter of data loss is present.  This risk can come from an employee who intends to hurt the employer by taking information and either using it on behalf of a competitor or simply disclosing it to embarrass the employer.  It can also come from an employee who inadvertently retains or loses it. 

Either way, the employer that thinks through BYOD issues in advance and charts out rational, balanced policies before issues arise is going to place itself ahead of the game.  Here are some best practices for BYOD situations:

1. Have technology in place to protect your information.

Take the typical employee’s smartphone.  Some employers require that the employee use an employer-issued e-mail application like Good Technology.  Other employers require that their employees download an application that allows the employer to shut down or access a device in certain circumstances.  Some employers take the simple step of requiring that employees activate passcode protection on their devices, a policy that costs nothing because just about every device contains this option.  Regardless of which of these options an employer chooses, it is the most basic step in dealing with BYOD situations.  An employer needs to acknowledge and deal with the fact that if its information is going to migrate to its employees’ personal devices, then those devices need protection measures in place to ensure that the information is not lost or stolen.

2. Think through your key information and take steps to protect it.

Some information is simply too important to permit it to migrate to an employee’s personal device.  Even with one of the aforementioned data security fixes in place to protect information on an employee’s smartphone or tablet, an employer might worry about information that remains on the device after the end of the employee’s employment or that an employee will leave the device unattended for a moment and allow a third party to see sensitive information on the screen.  Thus, it is important for an employer to ask itself three questions.  First, what information would be most useful to its competitors if an employee left with it?  Second, what information would be most embarrassing if it were leaked to the general public?  Third, if asked on a witness stand by a judge (or by the employer’s attorney while drafting an affidavit) “how many measures do you take to ensure that the employer’s most valuable, sensitive information remains private?,” what could the employer’s personnel say in response?  It is generally valuable for an employer to put itself through this sort of self-critical analysis, but it is specifically important in addressing BYOD concerns.

3. Make clear that employees cannot misuse the organization’s computer system.

With the increased use of the federal Computer Fraud and Abuse Act and analogous state law computer protection statutes, employers are learning the importance of putting employees on written notice as to what they are not authorized to do on the company computer system.  This includes both taking files from the system (such as by e-mailing files out as attachments or saving them to thumb drives) and deleting files prior to departure.  The key to unlocking the power of federal and state computer protection laws is showing that the employee was on notice that he/she was not authorized to perform certain acts on the system.  This general rule extends to BYOD policies.  It is important for an employer to put its employees on notice as to what they can and cannot do with respect to company information on their devices.  Just as it is helpful to think through confidential information issues in advance, it is also worthwhile to spend some time addressing common employee misconduct or negligence scenarios involving data security on personal devices and then covering them with written policies.  A policy laying out general rules and then covering specific scenarios in an “including, but not limited to” string (a construction much beloved by lawyers) is ideal.

4. Pay for the employee’s cell phone.

In the grand scheme of things, it is penny wise and pound foolish to have a key employee pay for his or her own cell phone plan.  If a company owns and maintains the account, then it can: (a) terminate the account when the employee leaves so customers cannot reach out to her/him; (b) determine whom the employee has been contacting in her/his final weeks with the company by reviewing call and text logs; and (c) stop the employee from walking out with a de facto customer list on her/his phone.  Thus, while an employee might choose to use his/her own device at work, the employer can still control the account and thus still be in command of the information on a device.

5. Employ tight exit procedures for departing employees.

Perhaps the number one issue with the BYOD phenomenon is that when employees use their own devices, they end up with a large quantity of employer information on those devices.  Whether intentionally or inadvertently, when those employees resign or are fired, they leave with a treasure trove of information.  That information can be used to compete.  It can be used to stir up issues with the employees who remain.  It can also be disclosed on social media or to reporters.  Therefore, it is critical for an employer to create and follow exit procedures for its HR personnel so that when an employee leaves, the employer can show that it did everything in its power to get its information back.  These procedures will never be foolproof against employees who choose to keep information on their devices, but at a minimum, an employer should be in a position to show that it took all reasonable steps to maintain the confidentiality of its key information.

The issue of protecting against data loss resulting from employees using their personal devices for work is a classic example of the maxim that an ounce of prevention is worth a pound of cure.  Relatively small expenditures of time and money on the front end can deter an employee from exploiting key information on a personal device, protect against that same employee accidentally losing information to a third party, and position the company to recover the information if it is indeed lost.  The critical first step is to acknowledge the reality of employees using their own devices and to plan accordingly.