The most critical issue to employers is ensuring that corporate data and information is secure, particularly if the employee’s device is lost or stolen. The most critical issue to employees is ensuring that their personal data and information remains personal.
A best practice for managing these issues is through the development of strong IT policies and a strong Bring Your Own Device policy.
On the IT side, many companies use Mobile Device Management (“MDM”) to wipe sensitive data in the event a device is lost or stolen. Companies permit the IT department to remotely manage employees’ access to corporate data and servers via personally owned electronic devices and to remotely terminate such access immediately upon the employee’s separation from the organization.
But what about the company that is relying solely upon a BYOD policy — without an IT department becoming involved — to best ensure that corporate information is protected? This practice works best in the situation where the employee cannot download information onto his or her own personal device, i.e., the employee can only view or work on files through his/her device but can only save those files to the company server. There are a number of steps an employer should still take, and these are particularly important in the absence of IT-based controls.
» First, the BYOD policy must require strong password protection at the welcome screen level.
» Second, the BYOD policy must require that the device automatically locks after a few minutes of inactivity.
» Third, the BYOD policy must require the employee to certify that s/he has not, and will not, permit the device to be jailbroken or rooted.
» Fourth, the BYOD policy must require the employee to report lost or stolen devices to the wireless carrier immediately and to the employer within 24 hours.
» Fifth, the BYOD policy must require the employee to install operating system upgrades, software upgrades, software patches, and anti-virus and anti-malware software as they become available.
» Sixth, the BYOD policy must prohibit the employee from saving company files to the cloud.
» Seventh, the BYOD policy should require iPhone, iPad, and Mac users to enable the “find my phone” application.
» Eighth, the BYOD policy should specify what portion, if any, of the voice and data plan costs the company will pay for the device, and which employees (by level, title, department, or other designation) are eligible for the cost offset.
» Ninth, the company must require the employee to sign a document indicating the employee’s agreement to, and intent to adhere to, the terms and conditions of the BYOD policy.
Some companies want the employee to promise not to allow anyone else to use the personally-owned electronic device. Personally, I would bet on 100% noncompliance with a provision like this. A better approach is to have the employee affirm that s/he will take appropriate measures to ensure that non-employees using the device will not access corporate information.
While other provisions can certainly enhance and strengthen a BYOD policy, even the most basic policy should include these provisions. Employers are urged to have an experienced employment lawyer review their BYOD policies before rolling them out to ensure compliance with relevant laws and to best ensure that the security of corporate data and information is not compromised by the employee’s use of his or her personally-owned mobile device.