On some level, every company needs a Bring Your Own Device (BYOD) policy. While many organizations currently have electronic communication policies, most are outdated and the majority address only company-owned equipment. For companies with highly regulated environments, such as those subject to HIPAA or Sarbanes-Oxley, BYOD policies are a must. Even if your company is not a highly regulated environment, there is no doubt that you are still concerned about protecting proprietary corporate data.

All too often, businesses don’t realize they need a BYOD policy until it is too late. Once a breach of access to company data has occurred, the damage has already been done. Without a BYOD policy, companies are not protected from employees, former employees in particular, who are inclined to use sensitive data for competitive purposes. While there may be a remedy through regular company policies, it’s better to have a solid BYOD policy in place from the start.

A BYOD policy allows an employer to reimburse employees for use of their personal device, relieving the company’s burden of expensive corporate data plans, device upgrades, lost or stolen devices, etc. Employees usually enjoy the convenience of carrying only one device, but often don’t grasp the risks and responsibilities of intermingling business life with personal life.

The biggest drawback to a BYOD policy is that it is almost impossible for it to be protective without being burdensome. It’s difficult to create a policy that is “user friendly” while still protecting company data on an individual’s privately owned device. Two key components of a sound BYOD policy are an agreement between the employee and employer detailing who can wipe data in the event of a lost device or termination of employment, and a requirement for strong passwords on the mobile device.

Additional best practices include:

  • Limit the privilege of using employee-owned devices to those who truly need data access.
  • Specify what types of information can be stored on devices. For example, a policy could limit access to an email account and forbid the download or storage of other corporate data.
  • Work with your legal counsel to create an agreement that allows for corporate access to employee devices, passwords, etc.
  • Consider using a software package that sequesters company-specific information to a specific area on the employee’s device which can be restricted or wiped remotely.
  • Account for how data can be retrieved and viewed on demand, and understand the difference between corporate and personal data.
  • Plan for “end of life” issues, such as data-wipes, device surrender for inspection, etc.
  • Ensure all parties understand the importance of data security and the responsibility to report a breach.

Employers also need to be cognizant of how they respond to any personal information discovered on an employee’s device. There are multiple laws in place that protect the privacy of employees. In cases where disciplinary action may be warranted, employers must tread lightly when it comes to using information or investigating employees.

Do you have questions about implementing a BYOD policy for your business? Reach out to a WorkSmart professional for more information!