BYOD (Bring Your Own Device) What Is It and Why Employers Should Care
Posted on 04/09/2013 at 01:25 PM by The Newsroom
We all have one, or at least almost everybody does. What do we all have? A mobile device we carry everywhere to stay connected. This also means employees, as well as contractors and temporary workers, are carrying their mobile devices to your workplace. BYOD is more than a trend now; it is a way of life for employees and employers.
Why should employers care that employees and other workers bring their mobile devices to work? Because BYOD presents significant implications for employers. Odds are good that employees are using their personal devices to access company data, with or without the company's permission. Data security in the BYOD context is especially concerning for financial institutions and health care employers, but it also implicates any employer storing social security numbers, financial and health information, confidential and/or proprietary information, and trade secrets.
If you don't have a BYOD Policy, you are strongly encouraged to put one in place. There are several considerations in developing and writing a policy:
- Identify any limitations to the devices allowed at the workplace (e.g. type of device, on-site support for the devices, restricted areas)
- Require password protection for devices
- Institute limitations on attempts to enter a password
- Program devices to time out after a certain amount of time (e.g. five minutes)
- Identify who owns the data on the device (it should be clear that any company data on the device belongs to the company and must be returned or erased upon the employee's departure)
- Install GPS-type software on the device in case it is lost or stolen
- Install remote employer access to put the phone in 'lockdown' mode while erasing any or all data in the device's memory
- Obtain an employee's prior written consent to remotely erase data stored in the device
- Provide for the company's ability to back up and restore an employee's personal data on the device while erasing any company data
- Ensure the BYOD Policy is integrated with the company's policies which address 'acceptable use' and 'confidentiality' of company information
Additionally, there may be business-specific considerations that need to be addressed in a BYOD Policy:
- Laws and regulations on storage of social security numbers, driver's license numbers, credit and debit card numbers, financial account numbers
- Laws requiring customer notification of security breaches
- Legally mandated encryption requirements (e.g. HIPAA Security Rule requires covered entities to consider whether encryption of stored data is feasible and, if not, document the basis for that conclusion)
- Laws, regulations, or agreements requiring secure destruction of certain types of information (e.g. Fair Credit Reporting Act (FCRA) requires the secure destruction of consumer report information)
- Court protective orders, confidentiality and/or nondisclosure agreements may be implicated
- Litigation holds and investigations may be implicated (does the company know where all its data is stored?)
- Wage and hour claims for employees working on mobile devices outside of work hours
Even with all the above, consideration must also be given to an employee's mobile device when the employee leaves the company. This includes adding a reminder to wipe the employee's device to the HR checklist and the employee's exit interview. A plan should be in place to remotely wipe a device in the event of a quick departure by an employee. Additionally, an employee's access to company email, contact lists, and other company data should be disabled upon the employee's departure or even sooner.
It is safe to say that mobile devices are here to stay and that employees will bring their devices to work whether or not they are authorized for use. To protect the company, a written BYOD Policy is essential so that employees have clear expectations on the use of their mobile devices in the workplace.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.