Maier Law Group

Employment and Privacy Law Blog

How to Draft an Airtight Bring Your Own Device (BYOD) Policy

In the workplace, it is becoming increasingly common for employees to use their own personal devices to access company data and systems through what are known as bring your own device (BYOD) programs. BYOD programs allow employees increased mobility and flexibility, making them more productive. Employees get to work with the preferred devices that they're most comfortable using, and the programs are generally cost-effective for companies since employees pay for their own devices and service plans (although a recent California appellate case will likely change that in the future).

In November 2014, Gartner, Inc., the world's leading IT research and advisory company, discussed BYOD at the Gartner Symposium/ITxpo. Gartner analysts predicted that through 2017, 90% of organizations will support some aspect of BYOD, and that by 2018 there will be twice as many employee-owned devices in the workplace as enterprise-owned devices.

With the rise in the use of personal devices comes a growing number of concerns about security, legal issues, and IT support. In order to manage these concerns, it is important to implement a BYOD policy with very specific guidelines for your company. These are some of the most important components that should be incorporated in your policy:

1. Devices

Stay away from broad language such as "smartphones and tablets" when you define the devices in your policy. Include details about particular models, operating systems, versions, etc. for tablets (iPad and Android tablets, for example) and smartphones (iPhone, Android and Windows phones). Since it's increasingly common for employees to want to bring multiple devices of their own, even as many as four or five, state whether you limit the number of devices each employee may enroll.

2. Security

All devices must be password protected to prevent unauthorized access to the company network, and you should have a strong password policy dictating the minimum password length, the number of special characters required, etc. Establish a set number of failed login attempts after which access is suspended by IT. Assign a set number of days after which the password must be changed. Require that the device automatically lock after a certain amount of idle time. Specify that only devices approved by the company will be allowed to connect to the company network. If an even higher level of security is required, provide details on any data encryption that must be used. In addition, specify which apps and programs are not allowed, such as those not downloaded through official channels like iTunes or Google Play, which represent a security risk because of their high potential for malware.
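The controls listed in the "Devices" and "Security" sections above are the kind of settings a mobile device management (MDM) export reports per device, so a policy can be checked automatically rather than by reading each record. The following is an added example and not code from Maier Law Group or from any MDM product: the policy thresholds, the record fields, the device ids and the sample inventory are all constructed for illustration (the post names the controls but gives no numbers), and a real deployment would read the records from an MDM export instead of the embedded list.

```python
"""Check BYOD device inventory records against policy thresholds.

Added example, not code from the original post. Policy values, record
fields and the sample inventory below are constructed for illustration.
"""

# Constructed policy values (the post names the controls, not the numbers).
POLICY = {
    "min_password_length": 8,
    "min_special_chars": 1,
    "max_failed_logins": 5,          # lockout must trigger at or below this
    "max_password_age_days": 90,
    "max_idle_seconds": 300,         # auto-lock within 5 minutes idle
    "require_encryption": True,
    "approved_platforms": {          # platform -> minimum OS version
        "iOS": (8, 0),
        "Android": (5, 0),
        "Windows Phone": (8, 1),
    },
    "allowed_app_sources": {"App Store", "Google Play", "Windows Store"},
    "max_devices_per_employee": 2,
}


def parse_version(text):
    """Turn '8.1.2' into (8, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_device(device, policy=POLICY):
    """Return a list of findings for one device record (empty = compliant)."""
    findings = []

    # Devices: only approved platform/version combinations may connect.
    minimum = policy["approved_platforms"].get(device["platform"])
    if minimum is None:
        findings.append("platform not approved: %s" % device["platform"])
    elif parse_version(device["os_version"]) < minimum:
        findings.append("OS version %s below minimum" % device["os_version"])

    # Security: password strength, lockout, rotation, idle lock, encryption.
    if device["password_length"] < policy["min_password_length"]:
        findings.append("password shorter than %d" % policy["min_password_length"])
    if device["password_special_chars"] < policy["min_special_chars"]:
        findings.append("password lacks required special characters")
    if device["lockout_after_failures"] > policy["max_failed_logins"]:
        findings.append("lockout threshold too high")
    if device["password_age_days"] > policy["max_password_age_days"]:
        findings.append("password older than %d days" % policy["max_password_age_days"])
    if device["idle_lock_seconds"] > policy["max_idle_seconds"]:
        findings.append("idle auto-lock too slow")
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append("storage not encrypted")

    # Apps installed from outside the official stores are disallowed.
    bad_sources = set(device["app_sources"]) - policy["allowed_app_sources"]
    if bad_sources:
        findings.append("apps from unapproved sources: %s" % ", ".join(sorted(bad_sources)))

    return findings


def check_fleet(devices, policy=POLICY):
    """Check every record and enforce the per-employee device limit.

    Returns {device_id: [findings]} listing only non-compliant devices.
    """
    report = {}
    per_employee = {}
    for device in devices:
        per_employee.setdefault(device["employee"], []).append(device["device_id"])
        findings = check_device(device, policy)
        if findings:
            report[device["device_id"]] = findings
    limit = policy["max_devices_per_employee"]
    for employee, ids in per_employee.items():
        if len(ids) > limit:
            for device_id in ids:
                report.setdefault(device_id, []).append(
                    "%s has %d enrolled devices (limit %d)" % (employee, len(ids), limit))
    return report


# Constructed sample inventory, shaped like a parsed MDM export.
SAMPLE_DEVICES = [
    {"device_id": "dev-001", "employee": "alice", "platform": "iOS", "os_version": "8.1",
     "password_length": 10, "password_special_chars": 1, "lockout_after_failures": 5,
     "password_age_days": 30, "idle_lock_seconds": 120, "encrypted": True,
     "app_sources": {"App Store"}},
    {"device_id": "dev-002", "employee": "bob", "platform": "Android", "os_version": "4.4",
     "password_length": 4, "password_special_chars": 0, "lockout_after_failures": 10,
     "password_age_days": 400, "idle_lock_seconds": 1800, "encrypted": False,
     "app_sources": {"Google Play", "sideloaded APK"}},
    {"device_id": "dev-003", "employee": "alice", "platform": "Windows Phone", "os_version": "8.1",
     "password_length": 8, "password_special_chars": 1, "lockout_after_failures": 3,
     "password_age_days": 10, "idle_lock_seconds": 300, "encrypted": True,
     "app_sources": {"Windows Store"}},
    {"device_id": "dev-004", "employee": "alice", "platform": "iOS", "os_version": "8.0",
     "password_length": 12, "password_special_chars": 2, "lockout_after_failures": 5,
     "password_age_days": 5, "idle_lock_seconds": 60, "encrypted": True,
     "app_sources": {"App Store"}},
]

if __name__ == "__main__":
    for device_id, findings in sorted(check_fleet(SAMPLE_DEVICES).items()):
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Each threshold in the policy dictionary corresponds to one sentence of the policy text, so when the written policy changes the dictionary is the only thing to update; the per-employee device limit is checked at fleet level because no single record can show it. In the sample, dev-002 fails every security control, and alice's three otherwise compliant devices are all flagged because the constructed limit is two.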

3. IT's Service Role

Determine how much support your IT staff will provide for personal devices and the applications installed on them. For example, say if IT will support connectivity issues but will not provide loaner devices while personal devices are being serviced.

4. Overall Company Compliance

State how employees must follow your acceptable use policy while using their own devices, including not accessing certain websites on their devices or sending inappropriate material over the company network. List the specific apps (email, Facebook, weather, productivity and calendar apps, for example) that will be allowed for work purposes. You might have other specific requirements, such as disabling the camera or video feature on the devices while at work.

5. Ownership

Clarify that the personal information that employees store on company servers belongs to the company. If the device is lost or if there's a data or policy breach, the company has the right to remotely wipe the device. Let your employees know how to back up their own content so they don't lose their personal information if the device needs to be wiped.

6. Departure of Employees

Make sure you describe what will happen when an employee who participates in the BYOD program leaves the company. Decide how you will disable email access or wipe proprietary information from the device after allowing the individual to back up his or her personal data.

These concepts will help you start to put together your own BYOD policy, and there are many policy templates available online to assist you further.