There are many advantages to allowing employees to use their own devices for work. Bring-your-own-device initiatives can reduce an employer’s overhead and is convenient and efficient for employees. However, embracing a BYOD approach is not without risk.
From a litigation perspective, one major BYOD risk is the failure to properly preserve data. When a company faces a lawsuit, it has an obligation to maintain and provide relevant documents. Although a company has little control over an employee’s mobile device, it still must ensure that it manages all relevant data.
To minimize the threat of data breaches and to ensure preservation of data, companies should develop a framework for securing their mobile device environments.
That starts with a mobile device management program. Using MDM, companies can centrally apply password policies as well as create strict retry and timeout standards. Then, when a device is lost or stolen, the IT team can lock it or wipe the contents remotely.
Businesses also need to consider encryption, sandboxing and the appropriate backup of data from devices. And, depending on users’ needs, a business may also want to consider cloud-based sharing services. But again, it’s critical that the IT team define what can and cannot be shared. For instance, for healthcare professionals, sharing protected health information might lead to a HIPAA violation.
Ultimately, wise BYOD use hinges on the development of a smart policy that users both understand and can adhere to. What follows are areas that should be considered for any use policy:
Scope of participation: Determine if the policy applies to all employees. Employees who handle sensitive data may need to use only corporate devices. Restricted use: Consider imposing limitations on personal device use, including a prohibition on either unapproved third-party applications or unsecure networks.
Range of devices: Identify what brands of devices and operating systems are permissible so support and security settings can be streamlined.
Employer access: Include language in the policy that requires employees to give signed consent allowing employer access to their device and data.
Compensation: Determine whether to offset a portion of the wireless service fee. This may increase your ability to access data on the employee device.
Education: Train employees on litigation holds, security concerns, privacy issues, and mobile device and data best practices.
Departing employees: Prepare a procedure for exiting employees to remove company data from their devices, which could include the loss of personal data.
In the financial industry, FINRA Reg. Notice 11-30 provides directives on the use of personal and corporate-issued devices. It notes that it is the content of an electronic communication — not the device it is sent from — that determines whether the information is a business communication.
Therefore, an email, text or social media post, transmitted by a mobile device, needs to be archived and supervised by the employer, just like data sent from an office PC. Notice 11–39 also points out that a firm’s policies and procedures must include training and education so that employees know the difference between business and nonbusiness communications. Businesses also, the notice advises, need to ensure that employees know how to properly archive, supervise and retrieve business communications.
Regardless of industry, with pre-planning and an awareness campaign, BYOD can drive up productivity without introducing new risks.