Legal Speak


Some Considerations for Establishing a BYOD Policy

Posted by Atty. Harvey I. Lapin on May 1, 2015

   The author began the discussion of BYOD in previous columns. BYOD means Bring Your Own Device, and it relates to employees bringing and using their own computer, smart phone or other device at their employer’s business. It usually includes joining the employer’s system, obtaining access to the employer’s data and using the employer’s applications. This subject continues to be of tremendous current interest in the legal and business community.

  Most legal commentators suggest that a business develop a BYOD policy that is provided to employees and acknowledged as received in writing. Samples of such policies are available on the internet at both free and fee-based sites. It is important, however, to consult with an attorney familiar with the laws in your state or the states in which your business operates. The purpose of this article is to list some important topics and issues to consider when developing your own BYOD policy.

What Devices Can be Used or Supplied?

  There are so many types of devices in use today that it is very important to indicate in the policy what devices may be brought and used in the business. If you are only going to allow iPhones, iPads, Androids or BlackBerrys, the policy should clearly list the devices that will be allowed and supported. If the business supplies equipment to employees, then the acceptable use of this equipment should be covered in the policy.

Security

  Unfortunately, it is a dangerous world, and many people do not have good passwords or even use passwords on personal devices. Since a device will be connected to the system of the business and have access to confidential information, it is imperative that requirements for safely protecting access to the device be incorporated into the policy. Almost every day there is an article or report of someone gaining access to a confidential site because an employee negligently allowed access to a personal device that was not properly protected. The policy should set out the requirement that passwords be used for access to the employer’s systems at all times. IT personnel should be able to set up a system with this requirement.

Servicing of Devices

  It’s important for employees to understand the boundaries when questions or problems crop up with personal devices.

  The policy should describe the level of support that will be provided to employees. Subjects that should be covered are initial connection of a device, support for applications, and support for email, calendars and other personal information. The policy should also cover what happens if a device needs repair. One issue is whether the business will supply loaners while a personal device is being repaired.

Cover the Ownership of Applications and Data.

  Remember, your business owns the personal information stored on its servers that your employees will be accessing with their devices. Also, industry members will usually have confidential information about their clients. The employees may have personal information on their devices. There are situations that arise when it may be necessary to eliminate all data on a device when it becomes part of the system of the business. The BYOD policy must make clear the employer’s right to wipe devices brought onto the system. Also, employees must be provided with information about backing up a device so they can restore personal information once a phone or device is replaced.

Set Out the Applications that Will Be Allowed or Banned.

  Rules about the use of applications for social media browsing, replacement email applications or remote-access software should be in the policy. The question here is whether users can download, install and use an application that presents security or legal risk on devices that have free access to sensitive corporate information. Hackers today are very talented.

An Acceptable Use Policy Must be in the BYOD Policy.

  We previously discussed the importance of controlling the use of social media in a business. Allowing personal devices to potentially connect to your business network introduces issues about what activities may and may not be permitted. For example, if an iPhone can be connected to the network and an employee posts to Facebook or browses objectionable websites, are these violations of the BYOD policy? What sanctions can be imposed if an employee transmits objectionable or even illegal material over the business network? It is important to know the legal rights of the business to establish rules against such activities.

Clarify the Rules if an Employee Leaves the Business.

  It is important to include in the BYOD policy rules for when employees with devices on your system leave the company. Require the removal of access tokens, e-mail access, data and other proprietary applications and information. It probably is necessary to have email disabled, access terminated and even the employee’s personal device wiped. Of course, as previously discussed, it is important to allow an employee to back up any personal information before there is a complete wipe of a personal device.

  This article is for the information of subscribers and does not constitute legal advice. All subscribers should accordingly consult with their own attorney to make sure they are in compliance with the legal requirements for their own companies.

