BYOD: Are Your Employees Protecting Your Clients’ Data? The Importance of a Bring-Your-Own-Device Policy

Permitting employees to use personal mobile devices to fulfill their professional duties was common before the COVID-19 pandemic. Now, more employees are working from home than ever. More employees who previously did not use mobile devices on the job are expected to do so. Put simply, more business is done on mobile devices. Bring-your-own-device (BYOD) policies have never been more important for businesses looking to avoid the cost of supplying mobile devices yet still maintain adequate data security measures for confidential information. If employees handle sensitive matters and information for clients on mobile devices, some kind of device policy is a necessity whether it entails company-provided devices or BYOD. Failure to have any kind of policy could subject employers to liability for data breaches or disclosure of confidential client information by employees. Employers should consider whether their business is best suited for company-supplied devices or a BYOD policy based on considerations such as size of the company, cost, sensitivity of the data being handled, and other factors. Further, many companies with employees who are newly working remotely and using personal devices (e.g. administrative personnel) should consider updating existing policies that may be in place.

What Are the Advantages and Risks of BYOD?

Compared to a company-supplied device policy, a BYOD policy offers cost savings while providing less security and control.

Advantages
  • Cost. With a BYOD policy, employers leverage existing personal mobile devices instead of purchasing new devices for employees.
  • Better care and maintenance. Mobile devices are a necessity in modern society. Employees can be expected to take good care of their personal devices.
  • Staying current. Employees upgrade their own devices as necessary, saving employers recurring expenses of keeping mobile devices up-to-date.
Risks
  • Less security. Especially as companies grow, it becomes harder to monitor and enforce BYOD policies. Unregistered, private devices present a greater security threat from malware and from threats over unsecured networks. If a company’s client is subject to a data breach and the company lacked sufficient data controls, the employer could be liable for the damages.
  • Attrition. As employees leave, employers may struggle to find the means to ensure that sensitive information has been deleted from employees’ private devices.

Who Should Be Eligible for BYOD?

Once an employer decides to institute or update a BYOD policy, the next question is: who needs to use mobile devices to accomplish job duties? Is an employee client-facing or expected to be available after business hours? That employee is a good candidate to be eligible for a BYOD policy. Conversely, if an employee’s duties are more administrative in nature and the employee is not generally expected to be available outside of business hours, an employer should question whether that employee needs to use a mobile device to accomplish his or her job functions. As mentioned above, there are risks to instituting a BYOD policy. To mitigate these risks, it stands to reason that an employer should carefully consider eligibility for employees whose access to mobile devices might be non-essential to their positions.

Important Considerations in Drafting a BYOD Policy

Proprietary Information
The top priority in creating an effective BYOD policy is to offer clear requirements to employees concerning the handling of confidential and proprietary information. Make sure employees understand that materials received by, sent from, and stored on their personal devices for work purposes are subject to monitoring by the employer. There should be no expectation of privacy with respect to such items, which are owned by the employer. In order to avoid a perceived intrusion on privacy by employees, employers should take care to make sure the policy is well-crafted to delineate between personal and work-related data and materials and the employee’s expectation of privacy with respect to each.

Unsecured Networks
A BYOD policy should remind employees of the dangers of sending sensitive information via unsecured networks and prohibit such conduct.

Lost or Stolen Devices
Employers should give employees steps to follow in the event that an employee loses his or her mobile device.

Departing Employees
A BYOD policy should set forth the required procedures for departing employees to remove company data from their devices. The more specific, the better.

Existing Policies
A BYOD policy should remind employees that any work-related use of a personal device must conform to other policies in place by the employer, for example, policies addressing such things as harassment and treatment of confidential information.

Cyber Liability Insurance

Finally, any employer who handles information necessitating a device policy–whether BYOD or company-supplied–should consider purchasing a cyber liability insurance policy. If your client’s data is breached, your company can be held liable for that. Cyber liability policies provide coverage and defense for such claims. For those who end up seeking cyber liability insurance, a well-tailored device policy can serve to decrease the premiums associated with such a policy.

DISCLAIMER: This is for general informational purposes only and not furnished for purposes of offering legal advice. The best source of information for your specific matter is consulting an attorney.