Crafting a Mobile Device Policy for the 21st Century

December 20, 2012, by Stanton Law
Categories: HR Best Practices, Featured, General Business

In this article:

  • What is a Bring Your Own Device Policy (BYOD), and should your company have one?
  • What are the security implications of BYOD, and how can you address them?
  • What privacy issues does BYOD raise, and how can you manage them?

If your employee handbook still contemplates pager use as an HR concern, it’s probably time to take a good look at how your employees are using their mobile devices at work (both at the office and elsewhere), and how your organization would like to manage that use.  The bright line between a cell phone and a computer is rapidly disintegrating, taking with it the careful rules and security measures companies have established to govern proper use, privacy, and confidentiality.

What is a mobile device? Sounds like an easy question, but it’s not.

Smart phones. E-readers. Tablets. Netbooks. Laptops. The list goes on—and tomorrow it will be longer. While a device labeled a “phone” may sound like one thing and a “computer” another, in truth, all will allow you to access the internet and email, text or instant message, download or upload software and data, make phone calls, and take or view photos or video.  Not only do these devices share capabilities, with the advent of wireless technology and cloud computing, all of these devices can also communicate with one another, and with desktop computers, televisions, cars, and even home security systems.  The point is—it’s important to realize the necessary scope of your device policy, which is likely broader than it’s ever been before.  Crafting a policy geared strictly for phone calls and falling back on your catch-all internet or computer policy will leave you with holes that invite security problems and jack up your tech costs.

Whose device is it?

The first critical decision employers should make with respect to their mobile device policy is which devices it should cover.  Employers clearly must (and do) create policies for employees’ use of office computers and internet connections, which can typically extend fairly easily to company-issued devices such as smartphones, laptops, and tablets.

But let’s face it, everyone has a smartphone these days, and a growing proportion of people also have tablets that accompany them everywhere.  In order to address the risks that attend mobile computing and working, employers should be honest with themselves about whether and how much their employees are using personal devices for work.  Are employees linking their company email accounts with their smart phones and downloading sensitive data outside your firewall?  Do they forward client calls from their office landline to their cell, and call back from their personal number? If so, you face serious risk of jeopardizing confidential and proprietary information, or losing a client to a future competitor.

So what’s an employer to do? The impulse may be to ban personal devices for company business, thus limiting risk exposure to those within your direct control.  However, employers are finding this approach increasingly difficult, costly, and unpopular.  Buying devices and service plans is expensive and requires careful monitoring so that employees don’t incur costly overages.  And when overages (or worse—theft or damage) inevitably occur, managers have the unenviable task of deciding whether to discipline or demand reimbursement from the offending employee just for doing his job. Finally, anyone who has ever struggled to put down the crackberry knows employees with personal mobile devices will probably use them for work anyway, because, honestly, who can really help themselves?

Enter the Bring-Your-Own-Device Program.  It’s a healthy admission that employees are using their devices for work and gives them the freedom to, well, do what they were already doing, but within limits. It can also save you a lot of money by taking the onus of the device, service, and insurance costs off the company and shifting them to the employee, who in turn gets to use the device of her choice, on her terms (mostly). Instead of bankrolling the Blackberry, employers can offer a monthly stipend or benefit employees apply to their mobile device bill, which typically costs the company much less.

A Bring-Your-Own-Device Policy (or BYOD) cannot exist on paper alone, however.  Before you tell employees that you will pay them to use their personal mobile devices for work, you must implement a security protocol for mobile devices to protect the company as effectively as your in-office security measures.  Making agreement to the security protocol a condition of the employee’s monthly stipend is a good way to encourage compliance.  So what type of security do you need?  I should take this moment to disclaim any impression of tech proficiency, and recommend that you consult an IT security specialist for a detailed explanation of your options. Here are a few considerations to get you started:

  1. Are you in an industry with stringent confidentiality regulations, such as banking or health care? If so, the risks of accidental (or intentional) disclosure of sensitive information are much higher.  Investing in sophisticated mobile security measures, such as Mobile Device Management (MDM) (good) or a Virtual Desktop Infrastructure (VDI) (even better), allows employees to access office programs and data remotely and securely while minimizing or eliminating the need for downloading to a local hard drive.  Programs exist which, when activated, will remotely wipe a misplaced or stolen mobile device, which could prevent major security breaches.
  2. Should you maintain control over sales team phone numbers to prevent a separating employee from walking away with your client? With a virtual tether to a mobile device (such as MDM), employees can use their company number for all their work calls, both in-office and on their mobile device. For a lower-tech option, many services like Google Voice offer virtual phone numbers, which the company can create at low cost and provide to employees for their mobile devices, so that separating employees will not have to surrender their personal mobile numbers to protect the company’s business interests.
  3. What type of security do you use in the office? Let this be your guide: anything you need on your desktops—password protection, anti-virus software, automatic timeouts, etc.—you also need for mobile devices, perhaps beefed up even more.

Mobile device security measures are not free, but can often be implemented for less than the cost of buying the devices outright.  Which approach is right for you will depend on your industry, workforce, and budget.

Avoiding Privacy Pitfalls

Installing security protocols and allowing employees to conduct business on their personal mobile devices raises important employee privacy concerns.  Employees will likely have to hand over their devices at least temporarily to have security software installed, and once in use, company data could intermingle with the employee’s personal information.  Employers face a difficult conundrum: they are obligated to retain and produce information relevant to litigation, but face severe penalties for intercepting an employee’s personal electronic communications and other types of monitoring without consent under federal law.  While the law is still developing in this area, employers implementing a BYOD policy are strongly encouraged to obtain their employees’ consent for reasonable inspection of employee devices used for company business and any related data or software as a condition of participation in the employer’s BYOD program.  Employers should also work on developing a comprehensive exit process for personal mobile devices, including requiring departing employees to allow the company to remove company-provided software and data prior to the employees’ departure.  Employers should also obtain employees’ advance consent to remotely wipe the personal device in the event it is lost, stolen, or the employee fails to allow the company to remove sensitive information before separating.

Can we help? Stanton Law LLC can help you prepare an appropriately strict and/or lenient BYOD policy for your organization. Our rates are reasonable and our turnaround times are great. Please give us a call to discuss.