
With 87 percent of employees confirming they use personal electronic devices for work, designing a workable “bring-your-own-device” program is probably overdue. BYOD is a tricky issue; 48 percent of companies claim they would never authorize employees to use personal devices for work, but 57 percent acknowledge that employees do it anyway. The wave of mobile devices has already flooded your offices. It’s time to figure out what to do about it.

Talent Recruitment And Cost Concerns
Almost half of college students and young employees say they could accept lower pay in exchange for flexibility on device choice, social media and mobility, indicating it will be difficult to compete for new talent without adopting a BYOD policy. Your business may be able to save on device purchases and information technology support, but all those savings could be wiped away if a lost personal device results in a reportable security breach (average response cost is over $5 million) or if sanctions result because contents of the device are considered discoverable in litigation but cannot be produced.

Productivity And Social Media
Let’s be realistic: Your employees already use Facebook during work time, and blocking the site won’t help since we’ve already established that they use personal devices at work. Think of BYOD as a means to retrieve some of those lost hours. Seventy-two percent of employees regularly check their emails from personal devices outside normal business hours, and 42 percent check even when out sick. If you enable BYOD, social media use may go up, but temper your zeal to prohibit or monitor that use. In recent years, employers have been repeatedly dinged by the National Labor Relations Board for overly broad social-media policies, have been found liable for accessing employees’ social-media communication in unauthorized ways, and have scaled back reviews of social-network sites due to Fair Credit Reporting Act liability. Employers should revisit their social-media policies to make sure they are not already running afoul of this rapidly evolving list of pitfalls.

Information Security And Compliance

Here are a few examples of the potential impact of BYOD on security and compliance:

Privacy Concerns
Like it or not, employees have some privacy rights not impacted by your dusty old electronic-communications policy that undoubtedly warns they have no expectation of privacy when using your equipment. Although you can revise the scope for BYOD, your employee owns the device and is clearly entitled to make personal use of it. Similarly, that device essentially tracks their whereabouts 24/7 and reflects all manner of activities, such as websites visited, items purchased, books read, games played, photos taken, apps used and calls and messages sent and received. Your business needs to decide the extent to which it needs to know such information and plan accordingly.

e-Discovery And Departing Employees
Inevitably, if employees store work-related information locally, device retrieval may be necessary in legal discovery or when an employee leaves the company. For litigation, strict protocols providing for immediate preservation before employees modify or delete files are crucial. BYOD will add expense and delay to discovery and to the employee-departure process.

Get Back In Control
Having considered a variety of issues raised by an increasingly mobile workforce, let’s consider solutions that will put you back in control.

Security Framework
Perhaps the greatest perils posed by BYOD are the security risks. There are several options to mitigate those risks, but some are better than others.

To determine which approach or mix of approaches is best, consider inventorying your business units, their activities and their use or proposed use of mobile devices. Units that need regular access to sensitive business or personal information and travel or work from home may warrant a more cautious approach.

Policy Document
No matter how you address security, a written policy is needed to establish privacy boundaries and set security expectations. You also should review existing security policies to ensure you have not set contradictory requirements. Your social-media policy likely also deserves an update once BYOD is in place. Training and reminders are useful to help employees remember the requirements and risk and will help your organization establish legal compliance.

Terms Of Use
When your organization does not own user devices, strong and effective terms of use are necessary to preserve your rights. Key terms include the employee’s agreement to adhere to security requirements, immediately report potential breaches, submit to compliance audits and allow the employer to wipe the device without prior notice if the device poses a security threat to the organization.

These suggestions only temper the risks posed by BYOD. Ensuring that your organization is prepared to deal with worst-case scenarios, particularly security breaches, is still necessary. With careful planning and implementation, the gains inherent in BYOD should outweigh the risks.

Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.