Key Elements of an Effective Bring-Your-Own-Device Policy, The Legal Intelligencer

October 30, 2013

Reprinted with permission from the October 30, 2013 issue of The Legal Intelligencer. (c) 2013 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Employee-owned devices, particularly smartphones and tablets, are increasingly used in the workplace. Although many employers have gone to significant expense to equip their workforces with such devices, more and more employees rely on their own devices, in a trend known as bring your own device. BYOD offers advantages for both employee and employer. Employees crave the most up-to-date devices, but may not want to carry more than one. Employers can save the expense of purchasing and updating devices, while fostering a more productive work environment. According to one study by Gartner Inc.'s Executive Programs, half of all employers will require workers to bring their own device by 2017. Clearly, BYOD is here to stay.

Nevertheless, a BYOD workforce presents several challenges for an employer, including data security, compliance with employment laws, and potential litigation risk. An effective BYOD program supports the advantages of BYOD while simultaneously mitigating the inherent risks. This article outlines considerations for implementing a successful BYOD program.

BYOD: The Potential Risks

The benefits of BYOD are many. However, the need for a comprehensive BYOD program may not be evident until one considers the many challenges associated with using employee-owned devices for work-related purposes, including:

  • Compliance with federal and state laws. The federal Computer Fraud and Abuse Act and the Stored Communications Act both prohibit unauthorized access to certain electronically-stored information. Suffice it to say that an employer that intends to reserve the right to access company-provided data stored on an employee-owned device must be aware of—and plan in advance to comply with—these laws. In addition, many states have enacted similar laws or also require companies to protect certain types of data, including Social Security numbers, driver's licenses and other personally identifiable information that may be stored on personal devices. Moreover, a BYOD program may implicate federal and state laws regulating the employment relationship. For instance, some state laws may require reimbursement of an employee's expenses. The tax consequences of reimbursements also should be considered. If a non-exempt employee spends time outside of his or her regular shift using a personal device for work-related purposes at the employer's direction, the employer must recognize the time as "hours worked." Privacy and anti-discrimination laws also apply to the use of personal devices in the workplace.
  • Lost devices. According to the Federal Communications Commission, an American loses a cellphone every three-and-a-half seconds. The ramifications of such a loss for an employer's data security should not be understated.
  • Malware/viruses. Fewer than one in 20 smartphones and tablets have third-party security software installed on them. More than 40 percent of smartphone users have no anti-virus software on their smartphones, and fewer than 50 percent use password protection.
  • Third-party access. How many readers of this article let a partner, friend or child use their smartphone or tablet to play games or view photos or movies? This is an issue that should be addressed in any BYOD program.
  • Apps and the cloud. An ever-increasing number of applications and services offer the ability to upload and remotely store data. How can an employer protect its information from being "dropped" in the cloud? How does an employer ensure such information cannot be shared after the employment relationship is terminated? A related issue is the extent to which employees may access "unsecured" wireless networks.
  • Commingling. When a personal device is used for work, there quickly becomes a blurred line between work and personal information. How does an employer access only its information without an unnecessary (and potentially risky) intrusion on an employee's privacy?
  • Litigation and e-discovery. Personal devices are subject to state and federal rules governing the discovery of electronically-stored information. Has the BYOD program contemplated related issues? What is the extent of an employer's right to search and preserve information on a personal device? How are litigation hold notices drafted?

Key Elements of A BYOD Program

A BYOD program is not one-size-fits-all. The following considerations and practices are not meant to be exhaustive, nor would we expect all employers to implement identical programs. And although the remainder of this article assumes an employer has decided to implement a BYOD program, a threshold consideration for an employer is whether to jump on the BYOD bandwagon—for only a few employees, for all, or for no employees. Even if an employer decides against BYOD in its entirety, employees still may attempt to "go behind the back" of the IT department. Therefore, an employer is well advised to consider how employees use their personal devices and to devise an effective strategy prohibiting (or limiting) access to employer data.

  • Voluntary or mandatory? Whether the BYOD program is mandatory or voluntary, or some combination of the two, will be driven to some extent by the type of business (and data), the positions eligible for the program, the nature of the employee's work, and cost considerations. The BYOD policy and related documents (e.g., guidance for managers, IT staff, HR; quick reference guides for employees) must address this issue.
  • Scope. A closely-related topic is the program's applicability to categories of employees. All employees? What about non-exempt employees or temporary employees? Does the BYOD program address how to approve and track hours worked by non-exempt employees? Is that issue addressed in companion policies?
  • Supported devices. The BYOD program should specify the devices supported and any limitations (e.g., prohibiting an employee from "jailbreaking" a smartphone that stores employer data). The minimum system requirements and configurations also should be addressed.
  • Security requirements. As noted above, individuals tend to take fewer steps to secure mobile devices than do businesses. The security of employer-provided data on personal devices may be improved somewhat with advances in technology, such as the new iPhone fingerprint scanner, but security risks will never be eliminated. Accordingly, employers should consider deploying mobile device management (MDM) tools to improve security, including requirements such as:
    • Users must register their device with the MDM tool as a condition of access.
    • Users must use strong passwords on the device.
    • Encryption for all data sent outside the corporate firewall.
    • Affirmatively block access to "blacklisted" sites or applications.
    • Enable remote wiping to the extent permitted by law.
  • Consent to employer access. As a condition of enrollment in a BYOD program, employees should affirmatively consent to, and waive any objection to, the employer's access, review and collection of data on the personal device. The consent should be simply and clearly written and be broad enough to cover all potential needs of the business (e.g., to comply with a court order; to assist an internal investigation; to provide technical support). Importantly, employees should be advised not to expect privacy even in purely personal information. If consent is given in more than one manner (e.g., a handbook acknowledgment; an electronic signature during the MDM installation process), ensure that the language is consistent.
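The "supported devices" and "security requirements" items above describe conditions a device must meet before it may hold employer data. As an added illustration (not code from the article or from any MDM product), the following Python script expresses those conditions as a policy-as-code check over a constructed device inventory: supported platform, minimum OS version, MDM registration, no jailbreak, passcode length, storage encryption, remote wipe enabled, and no prohibited apps. Every field name, threshold and app name is an assumption chosen for the example; a real MDM tool exposes its own inventory schema.

```python
"""Policy-as-code gate for BYOD device records (added example, not from the article).

Each record is a dict in an assumed inventory schema; the policy constants
are illustrative values, not thresholds the article prescribes.
"""
from typing import Dict, List

# Assumed policy settings; an employer's own BYOD policy would set these.
SUPPORTED_PLATFORMS = {"ios", "android"}
MIN_OS_VERSION = {"ios": "7.0", "android": "4.4"}
MIN_PASSCODE_LENGTH = 6
# Constructed placeholder for a "blacklisted" application name.
PROHIBITED_APPS = {"unapproved-cloud-sync"}


def parse_version(text: str) -> tuple:
    """Turn '7.0.4' into (7, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(record: Dict) -> List[str]:
    """Return the list of policy violations; an empty list means the device may hold employer data."""
    violations = []
    platform = str(record.get("platform", "")).lower()
    if platform not in SUPPORTED_PLATFORMS:
        violations.append(f"unsupported platform: {platform or 'unknown'}")
    else:
        minimum = MIN_OS_VERSION[platform]
        reported = record.get("os_version", "0")
        if parse_version(reported) < parse_version(minimum):
            violations.append(f"OS version {reported} below minimum {minimum}")
    if not record.get("mdm_enrolled"):
        violations.append("not registered with the MDM tool")
    if record.get("jailbroken"):
        violations.append("device is jailbroken or rooted")
    if record.get("passcode_length", 0) < MIN_PASSCODE_LENGTH:
        violations.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if not record.get("storage_encrypted"):
        violations.append("device storage not encrypted")
    if not record.get("remote_wipe_enabled"):
        violations.append("remote wipe not enabled")
    prohibited = PROHIBITED_APPS & set(record.get("installed_apps", []))
    if prohibited:
        violations.append("prohibited apps installed: " + ", ".join(sorted(prohibited)))
    return violations


def gate_access(inventory: List[Dict]) -> Dict[str, str]:
    """Map each device id to 'allow' or 'deny' based on its violations."""
    return {rec["device_id"]: ("deny" if evaluate_device(rec) else "allow") for rec in inventory}


# Constructed sample inventory; the values are illustrative only.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "platform": "ios", "os_version": "7.0.4", "mdm_enrolled": True,
     "jailbroken": False, "passcode_length": 6, "storage_encrypted": True,
     "remote_wipe_enabled": True, "installed_apps": ["mail", "calendar"]},
    {"device_id": "dev-002", "platform": "android", "os_version": "4.4.2", "mdm_enrolled": True,
     "jailbroken": True, "passcode_length": 4, "storage_encrypted": True,
     "remote_wipe_enabled": True, "installed_apps": ["mail", "unapproved-cloud-sync"]},
    {"device_id": "dev-003", "platform": "ios", "os_version": "6.1.3", "mdm_enrolled": True,
     "jailbroken": False, "passcode_length": 8, "storage_encrypted": True,
     "remote_wipe_enabled": True, "installed_apps": []},
    {"device_id": "dev-004", "platform": "ios", "os_version": "7.0.4", "mdm_enrolled": False,
     "jailbroken": False, "passcode_length": 8, "storage_encrypted": True,
     "remote_wipe_enabled": False, "installed_apps": []},
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        problems = evaluate_device(rec)
        print(rec["device_id"], "allow" if not problems else "deny", problems)
```

Returning the full list of violations, rather than stopping at the first, matters in practice: the user (and the help desk) can see every condition to fix in one pass, and the same output can be logged as the evidence that the policy was applied consistently. The numeric version comparison avoids the classic mistake of comparing "10.0" and "9.0" as strings.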

Similarly, an effective BYOD program must include a process that allows an employer to remotely wipe business data, for example, when a device is lost, on termination of employment, or even if the employee removes certain security settings on the device. Depending on the circumstances, the employee's personal data (e.g., photos, music and other nonwork information) may be destroyed. The consent should address these contingencies as well.

  • Maintain a record of the consent(s).
  • Define permissible use. The BYOD program should provide guidelines regarding access to apps, cloud-based storage systems and wireless networks (secured versus unsecured). An employer also should require that employees download certain software updates, such as newer versions of the MDM tool or anti-malware software.
  • Other policies and training. In a closely-related matter, the BYOD policy and related documents should cross-reference applicable company policies, such as a code of conduct and non-harassment/non-discrimination policies. Consider training on the BYOD program for users as well as those who might review personal devices (e.g., IT, compliance, managers) regarding the need to keep personal information confidential.
  • Exit procedures. Determine how the BYOD program may impact exit procedures. During an exit interview, determine whether the employee's personal device was used for business and, if so, whether it contains employer data. If the employee is not subject to a legal hold, obtain consent (if not already obtained) to wipe the data. If the employee is subject to a legal hold, determine whether any information on the personal device requires preservation and collection before wiping the device.
  • Reimbursement. Consider whether and to what extent the employer will reimburse employees for the cost of the personal device and/or the data plan. Review state laws for applicable provisions.
  • Technical support. Consider the level of support the company will provide for personal devices.

Given the increasing popularity of BYOD, more employers will consider jumping on the BYOD bandwagon (or will recognize that their employees are already on that bandwagon). All such employers should consider developing a BYOD program that identifies and addresses the advantages and risks of maintaining company data on employee-owned devices.

Scott A. Milner is a partner in Morgan, Lewis & Bockius' eData practice and resident in the firm's Philadelphia office. Milner counsels Morgan Lewis attorneys and clients on a wide range of discovery topics from records management and information governance through production. He can be reached at smilner@morganlewis.com.

James P. Walsh Jr. is a partner in the firm's labor and employment practice and resident in the firm's Princeton, N.J., office. Walsh represents employers in a broad array of labor and employment law matters. He can be reached at jwalsh@morganlewis.com.