Best practices for BYOD policies

Steps organizations can take to help prevent sensitive data from falling into the wrong hands

3. Make clear that employees cannot misuse the organization’s computer system.

With the increased use of the federal Computer Fraud and Abuse Act and analogous state law computer protection statutes, employers are learning the importance of putting employees on written notice as to what they are not authorized to do on the company computer system.  This includes both taking files from the system (such as by e-mailing files out as attachments or saving them to thumb drives) and deleting files prior to departure.  The key to unlocking the power of federal and state computer protection laws is showing that the employee was on notice that he/she was not authorized to perform certain acts on the system.  This general rule extends to BYOD policies.  It is important for an employer to put its employees on notice as to what they can and cannot do with respect to company information on their devices.  Just as it is helpful to think through confidential information issues in advance, it is also worthwhile to spend some time addressing common employee misconduct or negligence scenarios involving data security on personal devices and then covering them with written policies.  A policy laying out general rules and then covering specific scenarios in an “including, but not limited to” string (a construction much beloved by lawyers) is ideal.

4. Pay for the employee’s cell phone.

In the grand scheme of things, it is penny wise and pound foolish to have a key employee pay for his or her own cell phone plan.  If a company owns and maintains the account, then it can: (a) terminate the account when the employee leaves so customers cannot reach out to her/him; (b) determine whom the employee has been contacting in her/his final weeks with the company by reviewing call and text logs; and (c) stop the employee from walking out with a de facto customer list on her/his phone.  Thus, while an employee might choose to use his/her own device at work, the employer can still control the account and thus still be in command of the information on a device.

5. Employ tight exit procedures for departing employees.

Perhaps the number one issue with the BYOD phenomenon is that when employees use their own devices, they end up with a large quantity of employer information on those devices.  Whether intentionally or inadvertently, when those employees resign or are fired, they leave with a treasure trove of information.  That information can be used to compete.  It can be used to stir up issues with the employees who remain.  It can also be disclosed on social media or to reporters.  Therefore, it is critical for an employer to create and follow exit procedures for their HR personnel so that when an employee leaves, the employer can show that it did everything in its power to get its’ information back.  These procedures will never be fool-proof against employees who choose to keep information on their devices, but at a minimum, an employer should be in a position to show that it took all reasonable steps to maintain the confidentiality of its key information.  

The issue of protecting against data loss resulting from employees using their personal devices for work is a classic example of the maxim that an ounce of prevention is worth a pound of cure.  Relatively small expenditures of time and money on the front end can deter an employee from exploiting key information on a personal device, protect against that same employee accidentally losing information to a third-party and it can position the company to recover the information if it is indeed lost.  The critical first step is to acknowledge the reality of employees using their own devices and to plan accordingly.