Is It Time for a BYOD Policy?

An increasingly popular business trend right now is BYOD (bring your own device), where employees use their own smartphones, tablets, laptops and other devices at or for work.

BYOD may have tremendous benefits, as it may increase efficiency by allowing companies to provide greater flexibility and anytime, anywhere access to company resources. Even if companies do not anticipate efficiencies from permitting the access of company resources with personal mobile devices, social pressures may force companies’ hands. A Fortinet survey of 4,000 workers from ages 20 to 29 found slightly more than half view it as their “right” to use their own mobile devices at work.

While BYOD has potential benefits, it also creates risks. Personal devices are usually not protected from malware and hacking to the extent internal company desktops are, and personal devices can easily be used by employees to obtain, store and transmit copies of key company documents that could be leveraged by competing businesses.

The easy way to address the risks associated with BYOD is to strictly prohibit the use of employee-owned devices, but that may not be a viable option in today’s world. As mentioned, many employees believe they have the right to use their own devices at or for work.  In addition, studies show that many employees respond to prohibitions on BYOD by circumventing IT restrictions. A better option is usually to adopt a BYOD policy that defines the parameters of access and to support such a policy with an appropriate technical infrastructure.

The following are key security, acceptable use and enforcement provisions usually included in a BYOD policy and a discussion of some of the issues that arise when adopting or enforcing this policy.

Protecting the Employer’s Assets:  Security Provisions

The most important provisions in a BYOD policy are those designed to protect a company’s confidential information from getting into the hands of third parties or being used by an employee for non-company purposes. These include provisions doing the following:

  • Requiring that all devices, including tablets and home computers, that access company networks be registered with the company, in part so that the company can configure the device appropriately and load any software to be used for security and monitoring purposes
  • Requiring that all devices that access company information, including a company email account, be password protected, that password re-entry be required after a relatively short time of inactivity and that the company have access to such passwords (or the ability to override them)
  • Requiring that all devices that access company networks contain specified software, such as software permitting the company to lock, locate or wipe the device should it become lost or stolen
  • Prohibiting by policy and technology the download or upload of any confidential documents to a personal device, the hard drive on a home computer, a personal cloud network or another personal backup service/device
  • Prohibiting the use of public networks or hotspots
  • Requiring that employees delete all company information from any device that they retain following the termination of their employment with the company and certify to the company that such deletion has occurred
  • Authorizing the employer to use software loaded on the device to monitor, locate, lock or erase the device following the employee’s departure from the company or at any other time deemed necessary or appropriate
  • Requiring an employee to disclaim or waive any expectations of privacy with respect to information on, or transmissions from, a device used for work purposes

Balancing Security with Company Culture

Strict security provisions are necessary to protect company information; however, some standard BYOD policy provisions may conflict with the expectations of key employees and workplace culture. For example, employees may need, or believe they need, to download company information to a personal device so it can be edited on a plane en route to a presentation or client meeting. Using a public network at lunch, a layover or at a hotel may also be important to employees who travel.

Provisions authorizing the company to monitor information on the device or erase the device at any time may not only be objectionable to key employees, but may violate privacy and labor laws. If companies include provisions permitting company monitoring or erasing of employee devices, they are advised not to use this authority without consulting an employment law expert on a case-by-case basis.

Given the complexity of many of the issues surrounding the security provisions in a BYOD policy, companies should consult both legal and IT experts prior to adopting or amending such a policy. Careful consideration should be paid to all relevant issues, including employees’ legitimate business needs, relevant laws, the culture of the company and the severity of the harm that would be caused if a third party were to access the company information on the device.

Limits on Uses of BYOD Devices

A BYOD policy should address the purposes for which a BYOD device can, and cannot, be used. In a BYOD policy, employees absolutely should be prohibited from using the device (and particularly by means of a company email account on the device) to harass others or to send offensive content. The viewing of pornography and gambling on such devices should also be prohibited, in part because such websites are the source of many viruses and other malware. Other provisions that should be considered, particularly for devices subsidized by the company, include the following:

  • A requirement that any prior employer’s data be eliminated from the device
  • A prohibition on the use of the company’s network or Internet connection to download, view or stream videos, music and other media using the device (sophisticated firewalls can actually distinguish type of content or websites and block access to them)
  • A prohibition on the use of a device for games and other entertainment purposes on company time
  • A prohibition on use of the device while driving
  • A prohibition on the use of the video or audio recording functions on a device on company premises or in connection with company business (with specified exceptions)

Enforcement of a BYOD Policy

A BYOD policy needs to identify potential consequences for breaking the policy and should be combined with specialized technologies that will assist in the enforcement of the policy. The policy should provide that a breach will result in a formal or informal reprimand (or whatever terms or concepts are used at your company) and that the breach may, in the company’s sole discretion, be a basis for termination of employment. Employees should be required to sign an acknowledgment that they have reviewed the policy and consented to its terms.

Of course, threats of termination of employment or reprimands mean little to employees who are no longer with the company. Enforcement of provisions related to periods after termination of employment should also be included.

Bryan T. Allen is a shareholder with the law firm of Parr Brown Gee & Loveless. He can be reached at or 801-532-7840.