It’s Monday a.m. Everywhere you look your employees are texting, tweeting and tapping away on their own devices (Droids, iPads, laptops, iPhones).
You survey the terrain and smile. After all, that’s less money you have to pay for equipment yourself, right? You make a note to ask your lawyer if you need a policy to cover your decision to let them work on their personal equipment.
Your lawyer has two teens and when you ask her about BYOD she blurts out: “Let me give u the 411 str8. AISI you need a BYOD policy ASAP!! BYOA too B/C LBH, it’s complicated” (Translation “Let me give you the information straight. As I see it you need a bring your own device policy as soon as possible!! Bring your own Advil too because let’s be honest, it’s complicated.”)
Seriously, this is a huge topic and there is no way I can do it justice in a newsletter but let me give you a few “must do’s” if you are thinking of letting your employees BYOD.
1. BYOD Policy? You betcha!
Yes, you absolutely need a comprehensive policy and yes it needs to be in writing. As an employer, you must clearly state your right to access, monitor, remove and delete information from any employee-owned devices. Period. If you want to say you will protect personal information, say so but leave yourself a strong out because sometimes privacy takes a back seat to something like a court order. Remember when formulating your policy you need at least three views in the room: (1) your lawyer (in-house or outside); (2) your IT guru; and (3) an HR professional. If you have Ops and Risk Management, throw them in, as well. A BYOD policy simply won’t work without having these players on the same page.
2. MDM Solution? Yes, please.
What happens if and when they quit, are fired or there is a lawsuit? How can you retrieve data from their device? Things become much more complicated unless you have a Mobile Device Management solution--MDM in techie shorthand. MDM allows the employer to build a partition “fence” or sandbox around critical data. Data outside the sandbox is of no concern to the employer. This gives the employee the comfort they need that someone can’t view their kid's pictures, for example. A bonus -- MDM solutions also help employers effectively roll out the kind of added security measures BYOD calls for (encryption and passcodes anyone?).
3. Do I need to allow every device type known to man? Nope.
It is okay to limit the device platforms, operating systems and versions your employees can use. Make your decision as a team and stand firm.
4. My workforce is primarily hourly - does that matter? Yep, that matters.
If you let hourly (non-exempt) workers BYOD you may be in overtime territory. How will you deal with time spent on their devices “off the clock” and outside of their daily timesheet? You need a reliable process to capture that. Some MDM solutions have applications which limit non-exempt employees from using devices outside of regular work hours. Also, consider whether the potential up-side of BYOD outweighs banning the practice for non-exempt workers altogether.
5. What about record retention? Glad you asked.
A BYOD policy does not stand alone. Make sure you look at other policies that may also go along with BYOD like record retention. You want your policies to be cohesive, easy to implement and consistent across the board.
6. I only need one BYOD policy, right? It depends.
Yeah, I know that is a lawyer answer but it really does depend. You know your business - your key initiatives, the unique personalities of the people staffing individual divisions, the practical nuances of the day-to-day operations, the areas most likely to face those pesky litigation holds. BYOD policies that work the best take these considerations into account. BYOD for employees who are doing critical engineering work may be a non-starter. In a regulatory-heavy environment or those dealing with sensitive data, like personal health information, you may just need to issue equipment, ban the practice and be done with it. If that is your decision, messaging it is half the battle. Your employees will likely understand.
If you are breaking out in hives by this point, you are not alone. The sheer volume of considerations and the steady march of technology is truly overwhelming. Even those of us who do risk assessment for a living struggle with this one. Having said that, the worst option at this point is to do nothing. Remember you don’t need to over complicate it or cover all possibly contingencies; you just need to get it rolling.