Apr 12 2013

Strategic BYOD Best Practices to Help Minimize Risks

Rules for employee-owned devices should be put in place before opening the floodgates.

In today's business world, a can-do approach yields a seat at the table; a naysayer approach gets you cut out of the process.

People are constantly connected: to their office, to their families and to their social networks. Their desire to do and have it all is perhaps outpaced only by expectations of others that they be accessible and responsive to a greater degree than ever before.

While some organizations issue company-owned devices, many are allowing their employees to use their own devices to conduct business, a trend known as bring your own device (BYOD).

How big is BYOD? A 2012 Aberdeen survey found that 80 percent of respondent organizations now allow employee-owned devices to be used for work. In 2008, that number was 10 percent.

But the potential legal risks associated with BYOD, including privacy and electronic discovery concerns, are giving some companies reason to pause.

If your company seeks to explore BYOD, grab a seat at the table and consider the following tips for implementing workable BYOD practices.

Assemble the Right Team

Before diving into the technology, it’s critical to think ahead, plan for business realities and implement information governance practices up front. That means assembling the right team to assess and manage risks, including representatives from IT, human resources, records and information management and legal. Integration across all departments is the key to any BYOD policy’s success.

Mitigate the Legal Risks of BYOD

Identify and mitigate early the risks associated with allowing employee-owned devices to be used for work, and implement safeguards so the risks don't dwarf the opportunities.

Potential legal risks to look out for include:

  • Privacy: commingling personal and company information
  • Discoverability of information: potential for company responsibilities in litigation
  • Tax implications: depending on how reimbursement is structured

BYOD User Guidelines and Training

Much of BYOD is focused on the device, but an important vulnerability to consider in implementing any BYOD program is the user. Tips to help mitigate potential legal risks include writing and implementing specific user guidelines, training employees and implementing device registration measures that require participating employees to accept and agree to the guideline terms.

Key user guideline considerations include:

  • Scope. Define eligibility to participate, devices covered and company applications approved for business use (e.g., contacts, calendar, email).

  • Device registration. Describe what mobile device management software or security measures will be installed on the device, outline the registration and agreement process and state whether password protection, auto-lock and/or auto or remote wipe could occur.

  • Company expectations. Communicate what happens (on the employee side and the company side) when a device is no longer within the employee's control (e.g., lost, stolen, sent in for repair, replaced, disposed of), address technical support and any application use restrictions, identify other company policies that may apply and define how email attachments and business notes should be handled.

  • Privacy. Educate employees that using their personal device for business purposes could place their personal information at risk; describe what may happen to personal information if certain circumstances occur and what types of monitoring or location-tracking may be in place.

  • Costs. Define whether and what costs will be reimbursed; understand up front any potential tax implications of reimbursements versus stipends.

BYOD Information Governance

Access to company information on employee-owned devices must integrate with broader corporate information governance and litigation readiness strategies.

Keep these things in mind when crafting your organization’s BYOD policy:

  • Avoid storing unique business information on personal devices, to the extent possible. Any business information from the device should also be stored on centralized company systems.
  • Assess preservation and litigation hold efforts that may be needed. Evaluate company needs and develop measures to extend these practices to BYOD.
  • Determine collection practices up front. Identify what practices need to be implemented to collect information from personal devices, if necessary.

The flexibility and freedom that come with BYOD make the trend an attractive one for businesses, but without the proper policies and practices in place, things can veer off track. Consider the tips that have been outlined and help ensure that company data remains in the right hands.