By: La Toya Palmer – 9/23/14
It seems like every month you hear about the latest and greatest device release. As I type this, people have been camped out at the nearest Apple store hoping to purchase the new iPhone 6 (which, in my humble opinion, brings to mind my old graphics calculator; huge. I digress.). It is no wonder that companies are hard pressed to try and keep up with the latest and greatest devices and technology. On one side you have your devoted Apple fanatics that absolutely refuse to touch anything Android; and on the other side you have your Android techies who swear there is none better. What does a company do to try and appease these loyal consumers you ask? Why, implement a Bring Your Own Device to Work (“BYOD”) program, of course.
What is a BYOD program? Some would consider it the best of all worlds. From the employees’ standpoint, it’s a great thing. Employees get to use the latest and greatest technologically advanced devices, while the employer maintains employee satisfaction and improves employee productivity. In essence, the employer allows its employees to bring various devices to use at work, provided the employee agrees to the employer’s terms regarding the devices. Ahhhh. There is always a catch, you say; not really.
Think about it like this; in order for a company to safely participate in a BYOD program, it has to have great data protection and security safeguards in place. This means that a company will need to somehow balance security with the ever-growing prospect of user choice and freedom. One of the ways companies are approaching the issue of security is through “sandboxing,” or “mobile device management” (MDM). MDM allows users the ability to cordon off or “sandbox” certain data, such as company data, from other information, such as personal data, that is on a mobile device. This gives the company the ability to remotely lock the mobile device or completely erase the data that is located in the sandbox without erasing all of the information on the device. In addition, it allows companies to create a safer, more protected environment for their networks and information maintained on employees’ personal devices.
MDM programs appear ideal for companies that are interested in implementing a BYOD program. However, employers should proceed with caution. Without the right policies in place, employers can run afoul of some federal and state laws that regulate data and computers. For example, the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, imposes criminal and civil penalties on individuals and companies that “intentionally access a computer without authorization or exceed authorization” to obtain “information from any protected computer.” In addition, the CFAA also prohibits individuals and companies from “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” Some may argue that a smartphone is not a computer; however, courts are split on the status of a smartphone as a computer. And your company does not want to be the “crash-test dummy” on this one in a court of law.
Hence, the more reason an employer who implements a BYOD program, especially an employer that is using MDM, must have a strong BYOD policy in place. Here are some guidelines of information a good BYOD policy should contain:
1.) Ensure that all employees who want to participate in the BYOD program provide affirmative consent. It is recommended that the BYOD policy be a stand-alone policy even if incorporated into the employee handbook.
2.) Understand when the company may need to view the personal content maintained within a device. – For example, IT may not be able to provide technical support without possibly viewing an employee’s personal content.
3.) Make it clear to the employee that under certain circumstances, remote wiping may occur that could damage some personal content. – Although most MDM software aims to prevent the wiping of personal content, this cannot be guaranteed.
4.) Ensure that the language in the policy is unambiguous and direct.-This will limit an employee’s ability to claim they misunderstood the policy in the event litigation ensues.
5.) Always, always, always retain the records of the signed written consent- This way you will have the consent documents if needed down the road.
BYOD programs are a great way to increase employee satisfaction and productivity. We all know how attached people are to their personal devices. Yet, implementing a BYOD program also has its share of technical, legal, and security concerns. To address these challenges, it is always wise for an employer to approach the implementation of a BYOD from a holistic vantage point, including human resources, legal, legal and IT from the beginning. This will ensure that all your bases are covered and that your BYOD program is a success on all fronts.