Information Intersection > Troutman Sanders LLP

Risks Associated With Bring Your Own Device (“BYOD”) Policies

Posted: July 17, 2012

Over the past year, more and more employers have begun letting their employees connect personal smartphones or tablets to the employer’s network.  Some companies have even stopped supplying their employees with computers; instead, employees bring their own laptops to work (or work remotely from home).

These policies are popular with employees.  They no longer have to carry around a work and a personal device.  They get to choose the technology they prefer to use.  And they are able to get their work done efficiently and from any location.  They’re also popular with employers, who expect to achieve cost savings by not having to supply their employees with devices, and who are very happy with their employees’ increased efficiency and work product output.

As technology continues to proliferate throughout our society, it seems that BYOD, for better or worse, is here to stay.  But BYOD carries with it substantial risks.

The risks to employers are serious and numerous.  The most obvious concern is the dissemination of confidential information—what if an employee leaves his smartphone, containing your company’s trade secrets about your top secret new product, in a cab?  In addition, there is an increased security risk.  For example, employees who have smartphones operating on the Android operating system may download an app from the Android market—which is not screened in the way that the Apple App Store is—only to find that the app contains malware that then infects the company’s network.  Cloud-based file-sharing applications like Dropbox and Google Docs introduce further complexity—what if your employees are, without your knowledge, storing their work product in their personal Dropbox accounts?

There are several ways that employers can—and should—address these risks, though none of these solutions is perfect.

It is crucial that employers use mobile device management software so that they may remotely wipe employee devices that have been lost or stolen.  Because such wipes may result in the loss of the employee’s personal information, and because there is the potential for the device to become unusable after such a wipe, employers should require that all employees sign acknowledgements that they are aware of such risks before employees’ devices are permitted to access the employer’s network.  These acknowledgements should be maintained in the employee’s personnel file.

The freedom to use mobile device management software is not only important for protecting the company’s confidential information, but may also be necessary to comply with various state and federal data security requirements.  Employers in regulated industries, such as the banking and healthcare industries, face additional challenges in ensuring that statutory data security requirements are met.

Because of such data security concerns, as well as concerns about maintaining confidential information, employers may want to consider banning employee use of cloud-based file sharing sites such as Dropbox.  If employees are using such websites because they want to be able to work outside of the office, you may be able to meet their needs by providing those employees with remote access via programs such as Citrix or via virtual private network (VPN) access.  Keep in mind, however, that it may be impossible to enforce such a ban.  Accordingly, employers should also use the tools of monitoring and confidentiality agreements as further protections.

Employers with Company-Issued Communications Devices (CICD) policies or monitoring policies may also want to revise these policies to make it clear that they apply to employee-owned devices as well.  Other policies that should be reviewed include, but are not limited to, anti-harassment policies, codes of ethics, e-discovery plans, and confidentiality agreements.

Employees must be reminded that when using their devices to conduct company business, they may not use such devices in a way that would reflect badly upon the company or subject it to liability.

Over time, employees may also find that there are unexpected risks involved with connecting their devices to their employer’s network.

As the lines between work and personal lives blur, employees may find that their employers have an increased ability to monitor their off-duty activities via monitoring of their smartphones or other devices connected to the employer’s network.  As we considered in a recent post, litigation over these types of issues is sure to increase.

Moreover, employees may be very willing to agree prospectively to remote wiping of their devices at the outset, but when it actually occurs and they find that they have lost personal photos, or even the use of their device, they may be sorry they did.  Already there are instances of terminated employees whose devices were wiped and made unusable demanding that their former employer replace their device.

Employees should think about such consequences before connecting their devices to their employer’s network.

BYOD has introduced a vast amount of complexity to the world of data management and information security, and at this point, there are many more questions than answers.  The only thing that is certain?  You need to keep up with the challenges in this developing area.

For more information, please contact Christina Bost Seaton.

2 comments

1 Robert David { 08.08.12 at 5:19 pm }

Do you have some sample BYOD privacy setting policies that can be shared? Fiberlink is a mobile device management vendor and we are constantly asked for policy best practices.

2 Troutman Sanders LLP { 08.13.12 at 6:08 pm }

Hi. Thanks for reading. Unfortunately, we don’t share sample policies. We think “canned” policies often do more harm than good, and we only assist clients in drafting policies when we know the particular circumstances in which a customized policy will be applied.
