Do you allow employees to access company data using their personal portable electronic devices instead of company-issued devices? For example, do employees use their smartphones to contact customers and store customer contact information, preferences, etc., on their phones? When these employees quit or are terminated, have you implemented measures to ensure your customer lists don’t walk out the door with them?
Unfortunately, many employers have not yet promulgated policies to protect confidential information stored on employees’ personal portable communication devices (PCDs). Don’t fret if you are one of them, as I have created my “Top Ten Tips” to address in a Bring Your Own Device (BYOD) Policy. (Yes, I’ve watched too much David Letterman over the years.)
TOP TEN TIPS FOR DRAFTING A BYOD POLICY:
- Require employees to obtain written permission to use personal PCDs for business purposes. Set minimum requirements for what devices are allowed access to your network. Require installation of software by your IT Department prior to using the device for work purposes (e.g., mobile device management, security, anti-virus, remote-wipe, location services, etc.), which allows information to be erased remotely if the device is lost or stolen, or at the end of the employee’s employment. If the device is synced to cloud storage, require employees to sign a written consent that grants the company access to ensure no company data has been retained.
- Require submission of the device to the IT Department at the commencement of employment, upon request and before employees’ last day of work for monitoring, resetting and removal of company information. Caution employees that the IT Department will reset and remove all information from the device, and although you will make a good faith effort to save personal data in another form (e.g., on a flash drive) to the extent practicable, they may lose some or all of their personal data on the device.
- Require password protection (e.g., a security code that locks the PCD after a certain period of inactivity and after a certain number of unsuccessful password attempts) and require password changes every six months. Require encryption for all data sent outside the corporate firewall.
- Require employees to notify the company if their personal PCD is lost, stolen or hacked.
- Define acceptable use (include compliance with other company policies, e.g., anti-harassment, confidentiality, etc.). Prohibit copying, retaining, disclosing, or transferring of company information or trade secrets onto PCDs except solely for the company’s business, and mandate the removal of information after business use has ceased.
- Prohibit employees from using PCDs for business purposes while operating a motor vehicle, regardless of whether a hands-free device is used.
- To avoid an invasion of privacy claim, state clearly: “Employees have no reasonable expectation of privacy in any type of written or verbal messages sent or received using a personal PCD for business, including text messages, and to ensure compliance with company policies, the company will monitor the device to the extent permitted by applicable law.”
- Prohibit non-exempt employees from using personal PCDs for work purposes outside of regular work hours without prior written authorization from management. Require them to account for all hours worked, whether on or off the company’s premises, in accordance with company policies and applicable law.
- Remind employees that all company materials, communications and information created on, transmitted to, received or printed from, or stored or recorded on a personal PCD used for company business are the sole and exclusive property of the company.
- Require employees to sign an Acknowledgment form certifying that they have read, understand and agree to comply with the BYOD policy and will be personally responsible to the company for violations. The Acknowledgment should grant the company access to review and collect PCD data to cover all needs of the business (e.g., to comply with a court order, to provide technical support, to assist in an internal investigation) and should discuss the company’s right to install software on, or remotely wipe, the entire PCD, including personal content.
If properly implemented, BYOD policies can allow employees the flexibility of using their own devices to access company resources while ensuring that employers maintain control over confidential company data. Without a policy, you might kiss your customers good-bye.