Tips on Creating a “Bring Your Own Device” (BYOD) Policy
It may seem like just yesterday companies were handing out corporate Blackberries and phones to employees. But today, “bring your own device” has increasingly become the norm. Encouraging employees to use their own devices to communicate for work purposes makes sense from many perspectives. Mainly, BYOD can save employers money and can increase productivity by offering employees flexibility. Industry experts estimate that as many as 60% of workers can access company data on their personal devices. This said, only a third of employers have any sort of management system to protect company data and even fewer have laid out specific BYOD rules.
Such an “anything goes” approach carries serious risks. The information that travels with an employee leaves the company’s control. Severe problems can sometimes arise, ranging from intellectual property concerns to the need to make data available for potential regulatory or legal requests. It’s worth taking the time and effort to develop a specific company policy for BYOD.
Here are some guidelines:
1. Make sure that all stakeholders at your organization have had the opportunity to provide input regarding what they feel the policy should contain. Get feedback from all departments, including IT, legal, human resources, and compliance.
2. Decide which employees should be allowed to use their own devices. Take into account the nature of the data handled by a given employee and the company’s need to access that data.
3. Draw up a list of permissible devices. Some are simply not enterprise ready, and which should be allowed depends on such factors as capabilities, operating systems and compatibility.
4. Clarify which applications may be used for business purposes and specify restrictions. While you can block applications that do not meet your company’s security requirements from being downloaded onto company computers, and could monitor company-owned devices for risky applications, it’s difficult to control what an employee installs on a BYOD device. Whether to protect your company from a data breach or from unintended copyright infringement, your BYOD policy must get out ahead of these risks.
5. Insist that employees take maximal precautions in selecting passwords and use screen locks on all devices used for work purposes.
6. Spell out how the support and maintenance needs of personal device users will be met. Employees will likely take at least as good care of their own devices as they would of devices provided by the company, if not better. But when a service need arises, how will you determine whether the company’s IT team should address it?
7. Set up an ownership policy for all business-related data on the BYOD devices.
8. Make clear that the company must be able to access information on any BYOD device whenever necessary. Consider making devices remotely accessible, in the event, for example, that the company needs to erase data from a stolen device.
9. Protect the company from liability if employees engage in illegal or inappropriate behavior using their BYOD devices. Distracted driving and inappropriate use of social media are among the many behaviors that could expose the company to claims of negligence or harm through the use of BYOD devices. A good BYOD policy will ban such behaviors.
10. Craft a strategy to handle the transfer of data back to the company if an employee leaves the organization. Whether this means securing the right to delete information or supervising the employee’s data removal, this will reduce the possibility of losing key data, intellectual property, or client information.
Considering the benefits of the BYOD trend, it’s worth putting in the time and effort to craft a BYOD policy that works for you and your employees by addressing the security, IT service, device use and application concerns upfront.
Disclaimer: This article is intended for informational and educational purposes only. Because of the generality of this article, the information it provides may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.