Many companies permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for employers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.
Statistics highlighted alongside the article (the figure values did not survive extraction; only the captions remain):
- Estimate of the number of people that bring smartphones to work.[1]
- Percentage of companies that reported “security concerns” were the main inhibitor to full BYOD adoption.[2]
- The percent of companies that offer BYOD to all employees.[3]
- Percent of organizations that reported data leakage as their main security concern.[4]
- Percent of organizations that reported malware as their main security concern.[5]
- Percent of organizations with BYOD policies that reported that malware was downloaded via a BYO or corporate-owned mobile device.[6]
Consider the following when deciding upon a BYOD policy:
1. Is the scope of your organization’s control over employees’ mobile devices consistent with the organization’s interest? Organizations should consider why they have an interest in knowing about their employees’ mobile devices; that interest should be the basis from which a BYOD policy should emerge. If the organization simply wants to allow an employee to access work email on a mobile device, then the policies and restrictions should proceed with that focus.
2. To what extent and for what purpose does the organization monitor employees’ use of mobile devices? Many servers create logs showing when an employee’s device accessed the organization server using certain authentication credentials. As security measures, such logs are often appropriate. To the extent that the organization wants to monitor more substantive actions by an employee on a mobile device, such monitoring should be in line with an appropriate purpose.
3. What procedures are in place to restrict the transfer of data from the organization’s network by way of the mobile device? Organizations often protect against the risk that organization data will be “floating” on multiple devices by (a) limiting the types of data accessible to mobile devices (e.g., email) and (b) restricting, to the extent possible, how that data can be used on the mobile device (e.g., policies on copying and requiring certain security settings). For example, some organizations use sandboxed applications for accessing work-related email. Such apps open email in a program that is separate and apart from the native email system built into the device and control aspects of the user’s experience. For example, they may prevent the user from locally saving any emails, or attachments, to the user’s device.
4. For security purposes, does the organization require a minimum version of the operating system and/or software before an employee can use a mobile device? Minimum versions ensure that certain security protections and bug fixes are present on the device.
5. Can data on a mobile device be remotely wiped? By whom? A best practice for devices that contain confidential or sensitive organization information is to ensure that the data can be remotely deleted from the device by the organization if, for example, the device is stolen or the employee is terminated. To the extent that the employee only accesses work-related data when accessing a sandboxed application, it may be relatively easy to restrict the device from accessing such data remotely. To the extent that an employee was permitted to locally store work-related data (e.g., cache work emails locally, or download attachments), an employer should consider whether it has the right, and technical means, to remotely wipe the entire device.
6. What procedure is in place for an employee to report a missing mobile device? Accidents happen to everyone, but their aftermath can determine whether they become catastrophes. Employees should report a missing device to someone – perhaps the IT department or help desk – so that the organization’s device removal policy can be followed.
7. What steps does the organization take to proliferate its mobile device policies? Organizations often rely on their IT staff, self-help materials, and employee certifications to ensure (a) employee awareness of the organization policies and (b) enforcement of organization policies.
8. Do the security measures in place match the sensitivity of the data accessed through the mobile device? For employees that receive only non-sensitive information, minimal restrictions may be appropriate. For employees that receive sensitive or confidential information, stricter restrictions may be appropriate.
9. Is BYOD required of the employee? Although BYOD programs are widely lauded for increased productivity and “off-the-clock” accessibility, this benefit can expose employers to potential wage-and-hour issues if the BYOD user is a nonexempt employee.
10. Does the employee have a means of tracking and recording his time? If a nonexempt employee is permitted to use a mobile device for work related purposes after working hours, is there a policy that mandates that the employee must report the time that he or she worked? Is there an effective and efficient means for the employee to report such time?
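Two of the questions above (item 4, minimum OS version, and items 2 and 6, server access logs and the missing-device procedure) can be turned into routine checks. The following is an added example, not code from the article or from any MDM product: it evaluates a constructed device inventory against assumed per-platform minimum versions, then scans constructed access-log lines for devices that kept authenticating after the help desk was told they were missing. The device IDs, user names, log format, and policy minimums are all assumptions.

```python
# Added example (not from the original article or any vendor's MDM tooling).
# Applies two checklist items to constructed data:
#   - item 4: does each device meet the minimum OS version before connecting?
#   - items 2/6: do access logs show a device still authenticating after it
#     was reported missing, i.e. before the removal policy took effect?
# Device IDs, user names, the log format and the minimums are all assumed.
from datetime import datetime, timezone
import re

# Assumed policy minimums per platform (hypothetical values).
MIN_OS_VERSION = {"ios": "16.0", "android": "13"}

# Constructed device inventory in the shape an MDM export might take.
DEVICES = {
    "dev-1001": {"user": "alice", "platform": "ios", "os": "16.4.1"},
    "dev-1002": {"user": "bob", "platform": "android", "os": "12.1"},
    "dev-1003": {"user": "carol", "platform": "ios", "os": "9.3"},   # "9.3" > "16.0" as strings
    "dev-1004": {"user": "dave", "platform": "android", "os": "13"}, # "13" vs "13.0"
}

# Constructed lost-device reports: device id -> time the help desk was notified.
LOST_REPORTS = {"dev-1001": "2024-03-01T17:00:00Z"}

# Constructed server access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2024-03-01T09:12:00Z device=dev-1001 user=alice auth=ok resource=mail
2024-03-01T16:50:00Z device=dev-1002 user=bob auth=ok resource=mail
2024-03-01T18:02:10Z device=dev-1001 user=alice auth=ok resource=mail
2024-03-02T07:30:00Z device=dev-1003 user=carol auth=fail resource=mail
2024-03-02T08:15:00Z device=dev-1001 user=alice auth=ok resource=files
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"auth=(?P<auth>\S+) resource=(?P<resource>\S+)$"
)


def parse_version(text):
    """Split '16.4.1' into (16, 4, 1); numeric comparison avoids the
    classic bug where the string '9.3' sorts above '16.0'."""
    return tuple(int(part) for part in text.split("."))


def version_at_least(version, minimum):
    """Zero-pad both tuples to equal length so '13' equals '13.0'."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def os_compliance(devices=DEVICES, minimums=MIN_OS_VERSION):
    """Map each device id to whether it meets its platform's minimum (item 4)."""
    return {
        dev_id: version_at_least(info["os"], minimums[info["platform"]])
        for dev_id, info in devices.items()
    }


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def access_after_loss_report(log_text=ACCESS_LOG, lost=LOST_REPORTS):
    """Return successful log-ins by a device after it was reported missing.
    Each hit is a window in which credential revocation or remote wipe
    had not yet taken effect and deserves follow-up."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        if rec["auth"] != "ok" or rec["device"] not in lost:
            continue
        if parse_ts(rec["ts"]) > parse_ts(lost[rec["device"]]):
            findings.append((rec["ts"], rec["device"], rec["user"], rec["resource"]))
    return findings


if __name__ == "__main__":
    for dev_id, ok in os_compliance().items():
        print(f"{dev_id}: {'meets' if ok else 'BELOW'} minimum OS version")
    for ts, dev, user, res in access_after_loss_report():
        print(f"ALERT {ts}: {dev} ({user}) reached {res} after being reported lost")
```

The version comparison is deliberately numeric and zero-padded: a lexicographic string compare would admit a device running 9.3 against a 16.0 minimum and reject one running exactly 13 against "13.0". The log scan only counts successful authentications after the report time, which is the figure an incident responder wants when deciding whether the missing-device procedure (item 6) and the wipe capability (item 5) actually closed the window.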
1. Matt Hamblen, With BYOD smartphones on the rise, IT headaches will become migraines, Computerworld, (January 27, 2014), http://www.computerworld.com/article/2487005/byod/with-byod-smartphones-on-the-rise--it-headaches-will-become-migraines.html.
2. Crowd Research Partners, BYOD & Mobile Security at 9 (2016), http://www.crowdresearchpartners.com/wp-content/uploads/2016/03/BYOD-and-Mobile-Security-Report-2016.pdf.
3. Id. at 7.
4. Teena Hammond, Research: 74 percent using or adopting BYOD, ZDNet, (January 5, 2015), http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/.
5. Id. at 11.
6. Id. at 16.