By Ted Claypoole, Senior Partner, Womble Carlyle Sandridge & Rice, LLP
1. Data Security
As data drifts toward the outer edges of your company network, it becomes harder to protect. When the data crosses over to a machine that is not part of your network - a smart phone, a laptop, a tablet or a USB drive - the difficulty multiplies. Most people do not set a passcode on their mobile devices, so a device that is lost or stolen reveals its contents to whoever finds it; on modern phones the passcode also protects the keys that encrypt the device's storage, so without one the built-in encryption offers little. If your company will allow employees to mix business data and personal data on a personally-owned mobile device, then your company will need to understand how the business data is protected. Better yet, require the employee to use the information protections designed by your IT department. In any case, your company's trade secrets, contract obligations, and even regulatory compliance require protection of important business data on all machines across the enterprise, and employee-owned handheld devices are no different. Many regulators, and the state of Massachusetts, require a written data protection plan covering certain types of information, and that plan must cover every machine holding company data, including the ones employees own.
2. Records Management
Similarly, in addition to protecting the data on your company's systems, your company will also be required to account for it. How will you know what work-related documents have been transferred to a personal iPad or smartphone? Can you tell if an important document has been created on an employee's handheld device? A file you believe has been destroyed may survive as a copy on an employee's tablet. Depending on the industry, each company has different responsibilities for accounting for data. Sales records, customer information, account numbers and formulae can all be carried on employee machines, and your company must have a system for determining which important records are created, held or destroyed on each machine.
3. Litigation/Regulatory Holds
Federal Rule of Civil Procedure 34 states that a party to litigation must produce responsive documents and electronically stored information in its possession, custody or control. Cases have shown that even if a device containing company data is owned by an employee rather than the company, the data is still within the company's control for purposes of the rule. If workers are creating, revising or using documents on their handheld devices, then those documents can be subject to discovery. The entire device may be subject to the court's litigation hold, which means the company must be able to preserve what is on it, and must not remotely wipe it, while the hold is in force. You will need to find a technical way to comply with the court's order. Similar holds may be ordered in administrative proceedings or by a company's regulators.
4. Technology Controls
If a company is implementing a BYOD regime with its employees, then it should provide certain software and hardware controls over its employees' devices. At the very least, the company should include a remote monitoring application for records management and a remote wipe capability to destroy company information if the mobile device is lost or stolen. Remote wipe only reaches a device that is still connected to a network, so treat it as a backstop rather than the primary protection: the company should require that storage encryption is enabled on employee-owned devices, not merely available, and that a VPN is used for access behind the company firewall. Employees should also be required to turn on the security built into modern smart phones and tablets (a screen lock with a passcode, and automatic locking after a short idle period), so that a device thief cannot easily access the device's contents or the company's network.
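The controls above are usually enforced as a gate: a device that cannot show a passcode, enabled encryption, management enrollment, a supported operating system and a recent posture report is not allowed onto company systems. The following is an added example of such a gate, written for this page and not taken from the article or any product; the device record fields, the policy values and the sample devices are constructed for illustration.

```python
"""Device compliance gate for a BYOD access broker (added example, not from the article).

Inputs are posture records as a hypothetical MDM/MAM agent might report them.
Field names, policy thresholds and the sample devices are assumptions made up
for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    min_os: dict                                # platform -> minimum version tuple
    max_checkin_age: timedelta = timedelta(days=7)
    require_passcode: bool = True
    require_encryption: bool = True
    require_mdm: bool = True


DEFAULT_POLICY = Policy(min_os={"ios": (16, 0), "android": (13, 0)})


def parse_version(s: str) -> tuple:
    """'16.1.2' -> (16, 1, 2); tuples compare component-wise."""
    return tuple(int(p) for p in s.split("."))


def evaluate_device(dev: dict, policy: Policy = DEFAULT_POLICY, now: datetime = None) -> dict:
    """Return {'device_id', 'decision': 'allow'|'block', 'failures': [...]}.

    Every failed check is reported, not just the first, so the user can be told
    exactly what to fix before the device is admitted.
    """
    now = now or datetime.now(timezone.utc)
    failures = []
    if policy.require_passcode and not dev.get("passcode_set"):
        failures.append("no passcode: the keys protecting device storage are unprotected")
    if policy.require_encryption and not dev.get("storage_encrypted"):
        failures.append("storage not encrypted")
    if policy.require_mdm and not dev.get("mdm_enrolled"):
        failures.append("not enrolled: no remote wipe and no records visibility")
    if dev.get("jailbroken"):
        failures.append("rooted/jailbroken: platform protections cannot be trusted")
    platform = dev.get("platform", "")
    min_os = policy.min_os.get(platform)
    if min_os is None:
        failures.append(f"unsupported platform {platform!r}")
    elif parse_version(dev.get("os_version", "0")) < min_os:
        failures.append(f"os {dev.get('os_version')} below minimum {'.'.join(map(str, min_os))}")
    last = dev.get("last_checkin")
    if last is None or now - last > policy.max_checkin_age:
        # A stale report says nothing about the device's current state; fail closed.
        failures.append("stale posture report: current state cannot be verified")
    return {"device_id": dev.get("device_id"),
            "decision": "allow" if not failures else "block",
            "failures": failures}


def gate_access(devices: list, policy: Policy = DEFAULT_POLICY, now: datetime = None) -> dict:
    """Map device_id -> decision for a batch of posture records."""
    return {r["device_id"]: r["decision"] for r in (evaluate_device(d, policy, now) for d in devices)}


# Constructed sample data (not real devices).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = {
    "good": {"device_id": "phone-001", "platform": "ios", "os_version": "17.1",
             "passcode_set": True, "storage_encrypted": True, "mdm_enrolled": True,
             "jailbroken": False, "last_checkin": SAMPLE_NOW - timedelta(days=1)},
    "bad": {"device_id": "phone-002", "platform": "android", "os_version": "11.0",
            "passcode_set": False, "storage_encrypted": False, "mdm_enrolled": True,
            "jailbroken": True, "last_checkin": SAMPLE_NOW - timedelta(days=30)},
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        result = evaluate_device(dev, now=SAMPLE_NOW)
        print(name, result["decision"], result["failures"])
```

The stale check-in rule is the one most often left out: a device that has not reported for weeks may have been wiped, jailbroken or sold since its last report, so the gate fails closed rather than trusting old data.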
5. Policy Controls
Technology is not the only method of protecting information on employee-held devices. Much of the protection involved in a BYOD plan arises from policy and procedure. Employees may not be allowed to access certain information or to connect to certain company systems through their mobile devices. Employees must immediately report the circumstances of lost, stolen or compromised devices. Set your policies to be protective of sensitive data, and to require employees to take care in how they access company systems. Your company's own well-considered procedures will reduce risk in any BYOD system.
6. Employee Privacy/Rights
While protecting the company, you must not forget that the employee has interests too. More than ten states recently passed laws prohibiting an employer from demanding that an employee reveal her social media password, and it would violate some of these laws to capture that password as she entered it on her own smart phone. A company setting a BYOD policy must decide how much access it will grant itself to the personal items on an employee's mobile device, and then must inform the employee about such access. Hourly employees who work from home or on the road may be able to document that work from their mobile devices. Business data is important, but so is the personal data workers keep on the same device. Any BYOD plan must take the employee's rights into account.
7. Address Cloud Back-ups
How will your employee be backing up his smart phone? Will the back-ups be within the company firewall or otherwise available to the company? Unfortunately, personal mobile computing has grown in parallel with cloud storage plans. It is likely that most of your employees back up the information on their mobile devices to a cloud account that only the employee knows about or has access to. This can be problematic for trade secrets, for document destruction laws and for other records management concerns. At the very least, a business should know about these back-ups, and a company may want to demand access to the cloud storage of company documents.
8. Termination Protocols
One of the most dangerous times for a company is the departure date of an important employee. When workers leave the company, business data can fly out the door, and it may take days or weeks to terminate the employee's access to company files. These concerns are exacerbated when the employee takes her primary work tool away from the business. Any business allowing employees to supply their own mobile device must implement a practical plan for removing that device's access to company systems and documents, and for removing company data already stored on it. Breaking up is harder to do when the exiting worker has a phone full of important documents. Find a way to address this issue before it is forced upon you.
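The termination plan is easier to get right if it is written down as an ordered runbook. The following is an added example of such a runbook, written for this page rather than taken from the article or any vendor's tooling. It cuts server-side access first (which works whether or not the device is reachable), then chooses between a selective wipe of the work container and a full wipe depending on ownership and on whether signed consent is on file, and it refuses to wipe at all while a litigation hold applies. The device attributes, action names and the audit backend are assumptions made up for illustration.

```python
"""Device offboarding runbook for BYOD (added example, not from the article).

Models the order of operations when an employee leaves or a device must be cut
off. The action names and the Device fields are assumptions for this example;
the backend only records what a real identity provider or MDM call would do,
so the runbook runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    company_owned: bool
    managed_container: bool   # work data lives in a separate managed profile/container
    full_wipe_consent: bool   # signed BYOD acknowledgement authorising a full wipe
    online: bool              # seen by the MDM within the check-in window


def plan_offboarding(dev: Device, legal_hold: bool = False) -> list:
    """Return the ordered (action, target) steps for removing access and company data.

    Identity revocation comes first because it takes effect server-side even if
    the device is off or in airplane mode. Data removal comes last and is
    skipped entirely while a litigation hold is in force.
    """
    plan = [
        ("revoke_sessions", dev.owner),              # IdP: kill refresh tokens and sessions
        ("revoke_device_cert", dev.device_id),       # VPN / Wi-Fi client certificate
        ("remove_app_entitlements", dev.device_id),  # email, file sync, intranet apps
    ]
    if legal_hold:
        # Wiping a held device destroys discoverable material; preserve it instead.
        plan.append(("preserve_and_collect", dev.device_id))
        return plan
    if dev.company_owned or (not dev.managed_container and dev.full_wipe_consent):
        plan.append(("full_wipe", dev.device_id))
    elif dev.managed_container:
        plan.append(("selective_wipe", dev.device_id))  # removes only the work container
    else:
        # Work and personal data are mixed and no signed consent exists: a full
        # wipe now would also destroy the employee's own data. Live access is
        # already cut above; cached copies remain until consent is obtained.
        plan.append(("escalate_consent", dev.owner))
    if not dev.online:
        # Wipe commands queue until the device next connects; track the
        # outstanding command so it is not forgotten.
        plan.append(("queue_wipe_followup", dev.device_id))
    return plan


class Runbook:
    """Hypothetical backend: executes a plan and returns audit lines."""
    DESCRIPTIONS = {
        "revoke_sessions": "identity provider revoked all sessions and refresh tokens",
        "revoke_device_cert": "device certificate revoked; VPN and Wi-Fi access denied",
        "remove_app_entitlements": "device removed from email, file sync and intranet app groups",
        "preserve_and_collect": "device placed on hold; forensic collection ticket opened",
        "full_wipe": "MDM full wipe command issued",
        "selective_wipe": "MDM selective wipe of managed container issued",
        "escalate_consent": "no wipe consent on file; matter referred to HR and legal",
        "queue_wipe_followup": "device offline; wipe queued and follow-up reminder set",
    }

    def execute(self, plan: list) -> list:
        audit = []
        for action, target in plan:
            if action not in self.DESCRIPTIONS:       # refuse unknown steps rather than guess
                raise KeyError(f"unknown offboarding action {action!r}")
            audit.append(f"{action} {target}: {self.DESCRIPTIONS[action]}")
        return audit


if __name__ == "__main__":
    # Constructed sample: a personal phone with a managed work container, currently offline.
    dev = Device("phone-002", "bob", company_owned=False, managed_container=True,
                 full_wipe_consent=False, online=False)
    for line in Runbook().execute(plan_offboarding(dev)):
        print(line)
```

The consent branch is the connection to section 9 below: without either a managed container or a signed acknowledgement, the runbook deliberately stops short of a full wipe and escalates, because the revocations have already removed live access and the remaining risk is a legal one.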
9. Documenting Acceptance of Your Plan
Not only should each company develop a practical and protective BYOD plan, but the most important parts of the plan should be documented. Some jurisdictions and regulators require written plans to protect information, and employee devices must be a significant part of those plans. In addition, it may create liability for a company to wipe all of the personal information off an employee's lost smart phone without having informed the employee that the company has the right to do so. So unless a business has some method of separating the business data from the personal data, it would be best to obtain signed permission from the employee to take such a drastic step if his device is lost. Your BYOD plan can protect your company when disaster strikes, but only if the company has properly documented its use and the employee's acceptance.
10. Training
No human-intensive policy will be successful unless employees are trained in how to properly meet the terms of the policy. Your company must teach employees how they are allowed to access company servers with employee-owned mobile devices, and how they are allowed to use those devices for accessing or developing company documents and information. Regular refresher courses are important so that no employee loses sight of the rules and procedures, or the reasons behind them. Without comprehensive employee training, a company will not be able to rely on the reasonableness of its policy when something goes wrong.
BYOD is more than just a trend. Every business will need to decide whether to accede to the demands of employees for flexible tools, or to maintain a tight grip on company information by forcing all work onto company-run machines. Mastering these ten items can ease the transition and greatly reduce risk to your business.