Employers are abuzz about a new acronym being discussed at the water cooler—“BYOD.” No, it doesn’t have anything to do with parties or beverages. It stands for “Bring Your Own Device,” and it signals the movement by employees to use their own cutting-edge electronic devices at work.
It sounds like a great idea. An employee who is tech savvy gets a new device—iPad, smartphone, laptop—and wants to use it for work projects to be more efficient, to work remotely, or even to ease the pain of juggling so many different electronic devices. So why not just hook them up to the network? That’s what many employers are doing. And they are doing so without thinking first and, certainly, without first establishing a BYOD policy. And thus the problem.
Issues abound with allowing employees to use their personal electronic devices to access the employer network and perform work, including:
- Intellectual Property—Who owns the intellectual property that is created on the employee’s device? Surprisingly, the default answer is not always the employer in these situations.
- Privacy Issues—Both the employee and the company have privacy issues in play. If employees have sensitive corporate data stored on their personal devices, is the data safe from hackers? What if the device is lost or stolen? If the employer needs to access the personal device (think termination of the employee, investigations into employee misconduct, need to preserve data under electronic discovery obligations, etc.), how is that accomplished without violating the privacy of the employee as to the other personal data on the device?
- Wage & Hour—Are hourly employees allowed to use personal devices for work? If so, does that expose the company to off-the-clock claims (lawsuits where the employee claims he or she worked but did not record the time and thus was not paid overtime)?
- Security—Does the employer have the ability to wipe the device remotely if it is lost or stolen (or if the employee is terminated)? If so, what about the employee’s personal data stored on the device (contacts, photos, etc.)? What if the employee’s personal device leads to a security breach, virus or attack by a cyber terrorist?
The best policy may be to prohibit employees from BYOD and, instead, invest in company-paid electronic devices. If the employer wants to allow BYOD, it should limit such activities to non-hourly workers and, quite clearly, must implement a BYOD policy to address the issues discussed above. Any such policy should specifically identify the devices to which it applies, should require proper security protocols to protect company data (software, virus detection, password requirements, etc.), should provide procedures to follow within specific time frames if the device is lost or stolen, should specifically address employer ownership of intellectual property, and must eliminate any expectation of privacy with regard to the personally owned device that is being used to access the company network.