Updating and Improving Your BYOD Policy
Published by Eric A. Welter on August 13, 2018
Based on changes in technology and employee preferences, employers are increasingly implementing BYOD policies, which can pose significant risks of data breaches and potential litigation.
Since we posted 4 Ways Employers Can Improve Data Security and Reduce Risk in a BYOD World in 2015, changes in technology and the continued proliferation of BYOD policies have resulted in greater risks for data breaches, as well as new ways to safeguard company data. This post will outline nine suggested practices employers can utilize to successfully and securely update their BYOD policies.
Employers should consider implementing a written BYOD policy, which will mitigate costs by eliminating the need to purchase devices and equipment for each employee and increase productivity by allowing employees to use their preferred mode of technology and adapt flexible work schedules. Despite the benefits, BYOD programs invite a number of legal and operational problems when employers lose control over data and trade secrets stored on employees’ personal devices. Without the proper protections in place, BYOD policies can expose employers to data breaches, theft, and hacking from disgruntled employees or third parties.
Risks associated with BYOD policies include: inadvertently obtaining third-party information, resulting in expensive computer forensics costs to permanently remove non-company data; potential overtime liability for non-exempt employees under the FLSA and state law; theft of proprietary data and trade secrets by terminated employees; increased risk of security breaches; business expense reimbursement issues; and litigation.
Steps Employers Can Take To Reduce BYOD Risk:
- Specific Requirements for OS Versions and Device Platforms
Employers should carefully consider what device platforms and OS versions the company wants to support and should clearly state this in the BYOD policy. Any personal devices used by employees under the BYOD policy should be equipped with the required features and comply with mandatory updates.
Employers should establish what criteria will be used to block or allow devices connecting to the company network. The BYOD policy should clearly denote which mobile devices must be registered and authenticated before connecting to the network, so that IT specialists and administrators can detect any unauthorized devices.
- Passwords & Stolen or Lost Device Policies
Complex passwords for employees using their personal devices to access company data should be required and frequently changed to maintain security. The required password length, complexity, and penalties for not following company regulations should be outlined in the BYOD policy.
Because employees use their personal devices in and out of the office, theft or loss of a personal device remains a possibility. In the BYOD policy, employers should outline the proper protocol for employees to follow if their device is stolen or lost. Employees should be required to notify IT immediately so that passwords can be remotely reset or the device remotely wiped. Auto-wipe features that trigger after repeated failed login attempts are also available on certain apps.
- Confidential, Proprietary and Trade Secret Information
Trade secrets and confidential information should be clearly marked or labeled as confidential, proprietary, or trade secret information, as appropriate. The BYOD policy should specify what type of employer data the employee is permitted to download or view on the device, as well as the protocol for uploading material to corporate systems.
Establishing mobile data leakage prevention policies and monitoring employee compliance will mitigate the risk of security breaches. If a high level of security is required for certain data, documents, or applications, employers should prevent any offline access to them and only allow access to sensitive information when an employee’s personal device is connected to the corporate network.
- Cloud Storage Service Providers & Encryption of Company Data
Third-party providers of cloud-based storage pose specific risks to employers and require employers to negotiate a strong contract with the service provider, including prohibitions on any disclosure to third parties and clearly defined contractual terms.
Employers should take the important precaution of encrypting sensitive data stored on personal devices or cloud storage services with strong encryption. Full device encryption is preferred, but if it is unavailable, all sensitive data should be stored in encrypted folders on the device.
- Require VPN for Connectivity
VPN connection enforcement should be standard practice to ensure that all communications with the corporate network are secure. Periodic re-authentication also assures that the employee device accessing the company server is genuine. Unlimited access without re-authentication poses security liabilities for any personal device that is stolen or compromised.
- Separate Business and Personal Data
Security software precautions, such as anti-virus software, partition manager software, and mobile application management solutions (for example, password-protected applications that keep corporate data separate), are available to employers seeking to mitigate the risk of data breaches or hacking by third parties. To make use of them, an employer should develop and employ a comprehensive information security policy and require employees to acknowledge and comply with the policy annually.
Employers can also restrict employees’ ability to electronically transfer sensitive information, or use software to create a virtual partition between work and non-work materials on an employee’s personal device. Corporate apps that hold company data separately from employee data allow management to wipe company data from personal devices without interfering with the employee’s personal information.
- Potential Overtime Issues
For nonexempt employees, time spent after normal business hours on personal devices to check work email or voicemail, make phone calls or send text messages may be compensable if not de minimis. One way to avoid potential overtime liability is to restrict after-hours device usage by non-exempt employees in order to participate in the BYOD program. If the employer does issue personal devices to nonexempt employees, a written policy should be in place prohibiting employees from working outside business hours and imposing disciplinary consequences for violations of the policy. Employers should also require submitted records for payment of all time worked for nonexempt employees participating in the BYOD program.
- Exit Strategy for Departing Employees
Finally, employers should craft an exit strategy for departing employees, including a requirement that departing employees provide their personal devices so that an employer’s IT expert can permanently remove all proprietary data and trade secrets, per the employee’s written employment agreement.
During exit interviews, employers have the opportunity to remind employees that they are bound by confidentiality agreements, explain ongoing obligations, and request that the employee certify that he or she does not possess proprietary data or trade secrets and will return such information if it is later discovered.
- BYOD Employment Agreements
As advised in our previous article, employers should require their employees to sign a BYOD agreement and establish a personal device use policy outlining the permitted uses of their personal devices for work purposes and any data restrictions. The agreement and policy should discuss what type of employer data the employee is permitted to download or view on the device, as well as protocol for uploading material to corporate systems. The agreement should also discuss the penalties for violating the agreement, potentially including the prohibition of future personal device use while at work and restricted access to company network resources.
Employers should also use the BYOD provision to set appropriate privacy expectations. Because the employee owns his or her personal device and account, employers should take precautionary steps to minimize the employee’s reasonable expectation of privacy by obtaining written permission for IT personnel to inspect devices for legitimate business reasons and delete any company data prior to an employee’s departure.
Employers should take a proactive approach to employee device use and data security when implementing BYOD policies. Legal precedent on personal device use in the workplace is still developing, and employers are advised to stay up to date on new security protocols rather than rely on reactive legal remedies. Consultation with your IT team is also critical to ensure that the policy reflects state-of-the-art technology and addresses any nuances of your IT infrastructure.