The Legal Side of Bring Your Own Device (BYOD)
One increasingly popular business trend right now is BYOD (bring your own device), where employees use their own smartphones, tablets, laptops and other devices to access company resources for work purposes via the Cloud. BYOD can increase efficiency, as it allows companies to provide greater flexibility and anytime, anywhere access to company resources. Even if companies do not anticipate efficiencies from permitting the access of company resources with personal mobile devices, social pressures may force companies’ hands. A Fortinet survey of 4,000 workers from ages 20 to 29 found slightly more than half view it as their “right” to use their own mobile devices at work. It was only little more than a decade ago that being able to access office emails with a Blackberry was a bit of a status symbol. Now, almost all professional and sales employees send and receive emails on a personal or company-owned work mobile device while away from the office, and an increasing number are accessing and editing documents, data and other resources using mobile devices.
This proliferation of mobile devices, and of software connecting the device to company networks, has significant potential to increase company efficiency, but it also creates risks. Personal devices are usually not protected from malware and hacking as well as internal company desktops are. In addition, personal devices can easily be used by employees to obtain, store and transmit copies of key company documents that can be used in competing businesses. Prohibiting the use of employee-owned devices is the best way to address these security issues, but may not be a viable option in today’s world. Outright prohibition may limit employees’ ability to service customers effectively. In addition, studies show that employees will circumvent IT restrictions to get access to company information when they want. A better option is usually to adopt a BYOD policy to define the parameters of access and to support such policy with an appropriate technical infrastructure.
Set forth below are key security, acceptable use and enforcement provisions usually included in BYOD policy and a discussion of some of the issues that arise when adopting or enforcing this policy.
Protecting the Employer’s Assets: Security Provisions. The most important provisions in a BYOD policy are the provisions designed to protect the company’s confidential information from getting into the hands of third parties or being used by an employee for non-company purposes. These include provisions doing the following:
- requiring that all devices, including tablets and home computers, that access company networks be registered with the company, in part so that the company can configure the device appropriately and load any software to be used for security and monitoring purposes;
- requiring that all devices that access company information, including a company email account, be password protected, that password re-entry be required after a relatively short time of inactivity and that the company have access to such passwords (or the ability to override them);
- requiring that all devices that access company networks, including tablets and home computers, contain specified software, such as software permitting the company to lock, locate or wipe the device should it become lost or stolen;
- prohibiting by policy and technology the download or upload of any confidential documents to a personal device, the hard drive on a home computer, a personal Cloud network or another personal backup service/device;
- prohibiting the use of public networks or hotspots;
- requiring that employees delete all company information from any device that they retain following the termination of their employment with the company and certify to the company that such deletion has occurred;
- authorizing the employer to use software loaded on the device to monitor, locate, lock or erase the device following the employee’s departure from the company or at any other time deemed necessary or appropriate; and
- requiring an employee to disclaim or waive any expectations of privacy with respect to information on, or transmissions from, a device used for work purposes.
Balancing Security With Company Culture. Strict security provisions are necessary to protect company information; however, some standard BYOD policy provisions may conflict with the expectations of key employees and workplace culture. Employees should not object to many of the standard security provisions, such as those requiring passwords and deletion of company information after leaving the company. Employees may object to other provisions, such as prohibitions on the downloading of company information to a personal device or the use of public networks or hotspots. Employees do not always have good access to the Internet and may need to download documents onto a device to be edited on a plane or at a client’s location. Employees may also want to use public networks to work during a layover at an airport or while staying in a hotel.
Provisions authorizing the company to monitor information on the device or erase the device at any time may not only be objectionable to key employees, but may violate privacy and labor laws. Since the device is employee-owned, it would reasonably be expected to contain important personal and confidential information of the employee. It may also contain information related to legally-protected efforts to unionize or to report illegal activity of the company. The employer’s right to access this information is important to facilitate investigations into unlawful or inappropriate behavior by employees, but there are court and agency decisions placing limits on an employer’s ability to access or delete personal information, especially information that may be part of legally-protected collective bargaining efforts or efforts to report illegal activities of a company. If companies include provisions permitting company monitoring or erasing of employee devices, they are advised not to use this authority without consulting an employment law expert on a case-by-case basis.
Given the complexity of many of the issues surrounding the security provisions in a BYOD policy, companies should consult both legal and IT experts prior to adopting or amending such a policy. Such policies should not be adopted as “off-the-shelf” forms, but need to be adapted after careful consideration of all issues, including issues such as the employees’ legitimate business needs, relevant laws, the culture of the company and the severity of the harm that would be caused were a third party to access the company information on the device.
Limits on Uses of BYOD Devices. A BYOD policy should address the purposes for which a BYOD device can, and cannot, be used. In a BYOD policy, employees absolutely should be prohibited from using the device (and particularly a company email account on the device) to harass others or to send or produce offensive content. The viewing of pornography and gambling on such devices should also be prohibited. Setting aside moral issues, these websites are frequently used to transmit malware to devices and networks. Other provisions that should be considered, particularly for devices subsidized by the company, include the following:
- a requirement that any prior employer’s data be eliminated from the device;
- a prohibition on the use of the company’s network or Internet connection to download, view or stream videos, music and other media using the device (sophisticated firewalls can distinguish types of content or websites and block access to them);
- a prohibition on the use of a device for games and other entertainment purposes on company time;
- a prohibition on use of the device while driving; and
- a prohibition on the use of the video or audio recording functions on a device on company premises or in connection with company business (with specified exceptions).
As previously noted in the security provisions, the acceptable use provisions must be balanced against the fact that the device is a personal device owned by the employee and the culture of the company.
Enforcement of a BYOD Policy. A BYOD policy needs to identify potential consequences for breaking the policy and should be combined with specialized technologies that will assist in the enforcement of the policy. The policy should provide that a breach of the policy will result in a formal or informal reprimand (or whatever terms or concepts are used at your company) and should provide that a breach of the policy may, in the company’s sole discretion, be a basis for termination of employment. In addition, employees should be required to sign an acknowledgment that they have reviewed the policy and consented to its terms, including expressly any terms permitting the company to monitor, locate, lock or erase any employee device.
Of course, threats of termination of employment or reprimands mean little to employees who are no longer with the company. Enforcement of provisions related to periods after termination of employment can be facilitated with provisions requiring terminated employees to certify that all company data has been deleted and permitting the company to inspect the device. Technology can also assist with enforcement. As discussed above, there are technologies that can be loaded on devices that permit a company to erase a device or certain information on the device.
For more information contact Bryan T. Allen