At first, BYOD was something a few brave companies were giving a shot. Then it became a nice way to get users off corporate devices. Now company phones are rare and BYOD is becoming the norm.
What’s the next hurdle for Bring Your Own Device? Keeping it from becoming a legal liability.
The lines between the tech users have for their own personal use and what they use for business is increasingly blurred. And that makes the shared use of a device for business and personal matters a potential legal nightmare.
When users are walking around with company information on a device that’s easy to lose or steal, IT can’t just shrug off the risk and tell users, “Use it how you’d like.”
On the other hand, users have all their personal contacts, information and other valuable content on phones (such as photographs, voicemail, etc.) on phones, too. Any attempts for IT to regulate the use of these devices will be unpopular.
These competing interests could wind up with BYOD disputes being fought in the courts.
10 areas to focus on
So how can you help curb legal action – or at the very least help protect your company in court?
- Ownership. The most basic step is one of the most important. You’ll need to establish who is the owner of the device. With BYOD, the owner will likely be the user who supplied the device.
- Remote-wipe provisions. Users need to understand that IT will be given a role in managing their personal device and how it will be used. They should agree to not only allowing IT to remote wipe information from the device, but also to alerting IT to lost or stolen devices promptly.
Most importantly, users need to know what information could be lost in the event you need to wipe it remotely. In some cases, IT will only need to remove company data. In other cases, it may need to wipe the whole device. In either situation, there’s the possibility their personal data could be lost permanently.
Establish that this is a real possibility – one that users will have to be prepared to accept if they want their devices to be used for work.
- Costs. This should cover who will be responsible for regular voice and data bills, who foots the costs for overages and roaming, work-related or otherwise, etc. Confusion over who pays for a device, its service or incidentals are the easiest ways to wind up in court.
- Eligibility. If BYOD is treated as a perk, you’ll need to clearly establish who is and is not eligible for it. Best bet: Approve or deny BYOD based on job descriptions, not individuals. That way, no one can claim being kept from participating was discriminatory.
- Location tracking. Mobile devices make it possible for IT to determine more about a user’s location than ever before. But beware: This information could work against you. The best bet is to avoid using any features that could report on a user’s location.
- Risks for users. However remote, there is a chance using work applications on their phones could result in the phone being damaged or users losing sensitive personal information. Explain that you’ll do your best to protect users, but that there may be risks just as there are with any other devices.
- Search and seizure. If it comes to your attention that a phone may have been used improperly, there is a chance users will have to turn it over for investigation. Many won’t like handing over that much personal information, so it’s important that this possibility is addressed in policies from the get-go and is handled with great care by HR or legal departments.
- Hours of operation. Part of the draw of a smartphone is that work can be conducted on any schedule. But that can lead to issues with time cards and overtime (in France, some workers were recently banned from answering work emails from home under certain conditions). Make sure that it’s clear when workers can’t take advantage of the flexibility BYOD allows.
- Out clauses. Users may decide for whatever reason that they want out of your BYOD policy. Make sure they realize that if this is an option, you’ll still may need access to their devices to clean up any leftover company data. You won’t want users thinking that getting out of the policy is as simple as saying, “No, thanks. I’m done.”
- Ending the program. When users leave the company, you’ll want to be sure that none of your personal information leaves with them. Make sure that your policies cover what will be wiped on their way out the door, and make it clear that you may need to investigate whether any sensitive information has been stored on the device.