April 7, 2014
How To

Create a sound bring-your-own-device policy

"BYOD," or "Bring Your Own Device," is quickly becoming the rule rather than the exception in today's workplace. While employers may benefit from the BYOD trend because it reduces costs and increases productivity, they should be aware that BYOD carries risks. Before allowing the use of personal devices in the workplace, employers should consider the following:

1. Address data security risks

Employers must implement reasonable data security measures if they are going to allow personal devices to access and store sensitive company data.

Before employees are allowed to use personal devices at work, employers should require their employees to:

  • use password protection on all personal devices

  • install and update software regularly to patch known vulnerabilities

  • encrypt data on all personal devices

  • enable tracking and remote wipe features (allowing data to be erased remotely if the device is lost)

  • notify their employer as soon as a device is lost

  • properly destroy/erase data before discarding or reselling their devices.

Employers should also prohibit employees from:

  • jail-breaking their devices

  • installing applications from unapproved sources

  • connecting to unknown wireless networks

  • sharing their device with another individual (such as a spouse or child). Perhaps more realistically, employers should require their employees to prevent others from accessing sensitive information on their devices.

2. Define privacy expectations

Employees must understand that company information is company property, even if stored on a personal device. The company must retain access to its information. Thus, employers should have their employees acknowledge and agree in writing that they do not have any rights in company data, and that the employer has the right to access the data on their personal devices, monitor the use of those devices and retain possession of those devices as needed.

3. Address what happens when an employee leaves

When an employee leaves his or her job, the employer must ensure that all of its data is permanently erased from the employee's personal devices. Yet, it is often impossible to separate relevant company data from personal employee information when "wiping" a device. Employers should require employees to agree that all data on their devices will be erased when the employee stops working for the company.

4. Address wage claim issues

Because employees normally have their personal devices with them outside of the workplace, they may read and respond to work emails and phone calls during non-working hours. This may constitute compensable "working time" under wage and hour laws, which can be a trap for the unwary. Employers should have a policy to properly record and compensate employees for this time. Alternatively, employers may want to consider restricting the use of personal devices to exempt employees.

5. Address who is responsible for fees and related expenses

An employer's BYOD policy should clearly state which parties are responsible for costs related to the use of personal devices in the workplace. Typically, in a BYOD environment, the employee purchases his or her own device(s). Nevertheless, there are other associated costs that should be considered, such as who pays for repair costs, voice and data plans and/or roaming charges. Clearly defining responsibilities will lessen the chance of a dispute in the future.

6. Make sure your company follows its own BYOD policy

Simply put, failure to follow policy creates risk.

Dawn Harmon is a director and shareholder at Perkins Thompson and Joseph Talbot is an associate. Both attorneys are members of the firm's employment law practice group. You can reach them at

