October 17, 2013 By CBIA
Should you allow employees to use personal digital devices for work?
By Richard Voigt, Tiffany Hubbard, and Kelly Gallagher
McCarter and English LLP
Increasingly, employees are using their own personal digital devices, such as smart phones and tablets, to access, create, edit, or send work-related documents—a practice known as “Bring Your Own Device.”
Proponents of BYOD argue that it allows employees to work more conveniently on devices that are already integrated into their daily lives. And, they say, it saves employers money that would otherwise be spent on company-issued phones, tablets, or other technology.
In some cases, employees are using their own devices despite not having authorization from their employer.
Whatever its potential advantages, BYOD also poses significant challenges for employers, including the following:
Monitoring the use of an employee’s device. The problem here is not only that your company doesn’t own the equipment, but also that the device is used by the employee for personal and business purposes.
Protecting the confidentiality of your company’s proprietary information and that of your customers or clients. In a BYOD workplace, it is likely that employees will transfer confidential business-related information to their own devices locally, to an external hard drive, or to an Internet storage site—all of which may be less secure than your company’s network. In addition, the risk of compromising confidential information as a result of the loss or theft of a digital device could substantially increase in a BYOD workplace, since more devices are in the mix. The confidentiality problem becomes particularly acute if an employee leaves abruptly under less than amicable circumstances. Since the employee will have custody of and ownership rights to his or her own personal digital device, your business could be poorly positioned to prevent an improper intentional or inadvertent disclosure of confidential information after the employee is gone.
Controlling compensation for nonexempt employees. The likelihood that employees will perform work on their own devices outside of regular business hours raises the possibility that nonexempt employees may be entitled to compensation, including overtime, for their after-hours work.
Given the potential problems associated with BYOD, a strong argument can be made that you should simply prohibit employees from performing work-related tasks on their personal devices. Such a policy, however, may ignore the emerging realities of today’s workplace and be difficult to enforce.
If you wish to allow or encourage BYOD in your workplace, consider taking the following steps:
Require employees to use a secure portal to access your company’s network.
Establish a policy prohibiting or strictly limiting the downloading of company/customer/client documents onto personal devices.
Encourage or require employees to use robust passwords on their personal devices and to periodically change those passwords.
Depending on the employee, install software that allows you to remotely lock and/or wipe an employee’s personal device. You must give each potentially affected employee prior notice that business use of his or her personal device will necessitate the installation of security software and that the result could be the loss of the employee’s personal files/data.
Require employees to immediately notify you if their personal device is lost or stolen.
Require employees who are leaving your company to give you access to their personal devices for the purpose of ensuring that all confidential business-related information has been removed.
Have employees sign a written summary of your BYOD policies in order to confirm that they have been informed of the policies and have consented to any monitoring/security control you have put into place.
Require that nonexempt employees obtain prior authorization to work after hours and maintain a written record of their time.
Educate supervisors about the necessity of consistent enforcement of your BYOD policies.