June 15, 2013

14 BYOD Policy Imperatives

No matter your industry, BYOD is on its way. Bring your own device, also known as BYOD, like any new technology that enters the workplace, carries many possible risks. What happens when a device not owned by your organization connects to your corporate data? To mitigate those risks to your company, as well as to your employees, you’ll need to develop a comprehensive set of policies that govern the use of devices that workers bring to the office, before they start coming in. Forewarned is forearmed.
This list is meant to bring to the front of mind many issues that should be considered. But when you’re thinking about establishing BYOD policies, it’s imperative to have a proper governance team established, including members of your legal, HR, and IT staff, among others, depending on your industry. These policies should be complemented by specific technical controls on software and should include mechanisms for enforcing the policy. The list below is meant to be a guideline, not legal advice.

Here are 14 imperatives to establishing your BYOD policy:

1. Clearly define what criteria constitute an employee-owned device. If the employee purchases a device, but the company pays for the service, who is liable for loss or theft? Also, the organization should develop a list of acceptable devices, and the acceptable operating system (OS) versions for those devices.

2. What are the user’s roles and responsibilities with respect to the device? Your policy should clearly state the responsibilities for each party if the device is lost or stolen. For example, how long after the device is reported missing should it be remotely wiped, and is that capability even implemented? What applications are allowed and prohibited? The policy should also set user expectations for privacy with the device. Does the company get access to phone calls, texts, social media postings, etc.? What sorts of personal data is the employee allowed to have on the device?

3. The policy should specify what’s acceptable for backup solutions. That’s important because some of the cloud-based backup services may not be compliant with your corporate security policies.

4. How should the features built into many of today’s devices be controlled? Should employees be allowed to bring their devices, which can record audio and video, as well as take photos, into meetings in the boardroom?

5. The policies should also discuss whether employees are allowed to bring their own devices overseas, especially if they are travelling to specific hostile countries.

6. Is sharing with family members acceptable? This is a gray area, and raises the question of who is liable for misuse by a third party, even if that third party is a family member. This is especially relevant because many tablets and smartphones don’t have separate user profiles that can shield sensitive data from third parties.

7. Consider user safety. Unless specifically called out, liability might not be clear if an employee is injured while using the device. The policy should contain a clause such as “…users must comply with all applicable laws while using the device…”

8. Depending on the industry, the policy may also need to be aware of union rules. For example, if an employee checks their corporate email outside of regular hours, it may be considered ‘on the clock’ and therefore outside of a union agreement.

9. The policy should have specific statements regarding data and system security. The policy should have a statement similar to “…all users must abide by corporate security directives…” The policy may need to be explicit about where the devices can be used, given the ease of ‘over-the-shoulder’ reading on trains or planes.

10. Whose responsibility is it to support the device? When the organization supplied desktop or laptop machines to employees, this was clear. But with BYOD, should IT maintain the device? What if an employee breaks a screen or needs a new battery?

11. If an employee brings their own device, who owns the phone number? Will the company reimburse roaming or international calls and data services?

12. The policy should specify what happens to the data in the event of termination. The policy should also note that the devices are subject to surrender under certain circumstances, such as eDiscovery or M&A activity.

13. There may be guidelines for eligibility for BYOD, including location, line of business, and seniority, depending on the organizational circumstances. In any case, the policy should state that BYOD is considered a privilege and can be revoked if misused.

14. Depending on the extent of the policy, the organization may want to establish a training regime around BYOD, including testing, similar, for example, to the training and testing done for sexual harassment policies.

Finally, if your organization is establishing these BYOD policies, they should be short, clear, and written in plain English so that the policies are easily understandable.
