Businesses Need to Stay on Top of Their BYOD Policies
In one way or another, most small to midsize businesses have addressed employees using personal devices for work. In 2022, online career platform Zippia reported that 83% of companies surveyed had a bring your own device (BYOD) policy “of some kind.” That percentage has likely increased as even more businesses have recognized the inherent risks involved.
Does your company have a formal BYOD policy? If not, it probably should. And even if it does, don’t assume the current version will last forever. As technology and its usage evolve, so must your policy.
Anticipate broadly
A formal BYOD policy lays out detailed ground rules for how employees may use their personal devices for work and what role the company will have in supporting, securing and accessing those devices.
Most policies begin with a list of approved devices with acceptable security capabilities that the business can readily support. From there, be sure yours stipulates what happens to your business’s proprietary data on a device if the employee who owns it quits or is terminated. In addition, a policy should anticipate your response if a device winds up in various predicaments, such as it’s:
- Lost, shared or recycled,
- Synced on an employee’s personal cloud,
- Used on unprotected public Wi-Fi networks, and
- Hacked or otherwise attacked by a virus or malware.
Other issues to address or review include:
Payment or reimbursement. Some companies pay for a predetermined number of voice minutes and provide an unlimited data plan for employees’ phones, either directly or through reimbursements. Any charges above the stated amount of voice minutes are the employee’s responsibility.
Phone numbers. Who owns a mobile phone number is a big deal for some types of employees. Take salespeople, for example. If they leave to work for a competitor, customers may continue to call them — which could lead to lost sales for your business.
Access control. Your policy should require employees to set up their mobile devices to lock when left idle for a few minutes and require a passcode (or facial recognition) to unlock them. Where feasible, ask employees to use multifactor authentication to access certain software or data on your company’s network. This is where users’ personal devices come in handy: They can use their phones, for instance, to verify their identities along with entering a password.
Occasional security checks. Some businesses ask employees to periodically submit their personal devices to the information technology department for security checks that may involve reconfigurations or updates. Alternatively, you could ask only those who handle highly sensitive data to do so.
Address privacy thoroughly
Many employees worry that using personal devices for work gives their employers access to sensitive personal data. Your BYOD policy should state that the company will never view protected information such as:
- Privileged communications with attorneys,
- Protected health information, or
- Complaints against the business that are permitted under the National Labor Relations Act.
Your policy needs to also clarify how data stored on employees’ devices may be gathered if your company becomes involved in a lawsuit. Keep in mind that federal rules governing the production of documents during litigation, including electronically stored information, cover all devices — including personal devices that access a company’s network.
Remain vigilant
The negative financial impact of an outdated, incomplete or nonexistent BYOD policy can be severe. After all, the personal devices of your staff members represent multiple avenues through which hackers, employees or other bad actors could compromise your business’s data or network. Work with your attorney to review your current policy or create one if you haven’t already. Our firm can help you identify and analyze all your technology costs.
© 2024