Bring Your Own Policies

Any successful BYOD program must include buy-in from the C-suite, legal, IT, HR and risk management

According to a recent Pew Internet & American Life Project survey, 55 percent of Americans own a smartphone. Employers need to pay attention to this number.

Given the proliferation of these devices, it makes sense that employees are bringing them to work. According to another recent survey conducted by analyst house Ovum, almost 57 percent of employees use personal devices at work. Seventy percent of those employees are using a smartphone, and of those employees, more than one-third either bring them to work without the knowledge of their IT department or do so in spite of a corporate ban.

In other words, your employees are BYODing whether you like it or not.

“BYOD” stands for bring your own device — employees connecting their own mobile devices to corporate networks. There was a time not all that long ago when BlackBerry was the mobile device of corporate America. Once iOS and Android started supporting email via Microsoft Exchange, however, executives started questioning why they needed to carry a work device and a personal device. In short, they wanted their email and “Angry Birds” wrapped up in one tidy mobile package.

Today, BlackBerry is going the way of Betamax, and BYOD is here to stay. If employees are going to bring personal devices into the workplace and use them to connect to your network, you need to deploy reasonable policies to govern their use and protect the security of your network. Any BYOD program should address these nine questions:


What devices will you permit? Does BYOD mean any device, or does it simply mean iPhones or Androids? What about iPads or other tablets? Employee-owned laptops? Stick drives and other portable memory?

Are you going to mandate passwords? Employees generally resist having to enter a four-digit code every time they turn on their phones. The Touch ID fingerprint scanner on the iPhone 5s has simplified this issue somewhat. Nevertheless, you should require that all employees use security-access limitations on all mobile devices. If your organization deals in confidential information, this requirement is that much more important.

What happens when a device is lost or stolen? IT must have the ability to remote-wipe a missing mobile device. Guess what happens, though, if an employee’s first call upon losing a phone is to a mobile carrier? The carrier turns off the device, and your organization loses the ability to remote wipe it. Employees must be instructed that if they lose a mobile device, their first call should be to IT, and not their mobile carrier, so that the device can be wiped of any corporate data.

Will you ban jailbreaks, roots and other hacks? These practices void the phone’s warranty. Also, consider banning the installation of apps other than from the official iTunes App Store or Google Play. Doing so will limit the risk of viruses, malware and other malicious code being installed on the devices.

How do you handle a departing employee? You should not only address what happens with the physical device, but also what happens with the data that lives on the device. You need a protocol to reacquire or wipe all corporate information on the device. Otherwise, you are putting your confidentiality at risk.

Do employees have an expectation of privacy on their devices? Do you tell employees that their expectation of privacy is limited or nonexistent? Are you tracking employees via GPS, and, if so, are you telling them? Limiting employees’ expectation of privacy is more important than ever.

For nonexempt employees, do you prohibit business-related mobile-device use during nonworking hours? Otherwise, you might be opening your organization up to a costly wage-and-hour claim.

Do you forbid employees from using their mobile devices while driving? Twelve states ban any use of handheld devices while driving, while 41 states ban texting while driving. In another few years, these laws will be national in scope. Even if your state is not included, do the right thing by suggesting your employees be safe while operating their vehicles.

How does your policy interact with other policies already in existence? Your BYOD policy should cross-reference your harassment, confidentiality and trade secrets policies.

BYOD is proving to be a powerful employee engagement, recruiting and retention tool. Any successful BYOD program must include buy-in from the C-suite, legal, IT, HR and risk management. Involve all of these departments to make sure that your BYOD program is successful and addresses all necessary security issues.

Jon Hyman is a partner in the Labor & Employment group of Kohrman Jackson & Krantz. For more information, contact Hyman at (216) 736-7226. Follow Hyman on Twitter at @jonhyman.