Monday, January 21, 2013

The BYOD Thicket: Some Basic Steps to Take for Businesses

One of the hot-button issues for business clients in 2012 was the advent of "Bring Your Own Device" policies. The idea behind BYOD in the workplace is that employees who are allowed to use their own cell phones, tablets, and other storage devices may be more productive. And, of course, it may cut down on technology and training expenses for the company as well.

How does BYOD relate to non-competes? Because a substantial amount of potentially relevant evidence can be found on these personal devices. An obvious example is the use of text messaging to contact or solicit customers.

It is not clear if BYOD is a fad. The numbers on data security are fairly alarming, and corporate-owned devices may be in vogue if business owners feel as though relinquishing control over devices is too much of a risk.

But, for now, at least, I have had several clients who want to implement BYOD. Below are some key features of the BYOD agreement I use:

1. Registering the Device. It is not enough for a company simply to allow an employee to use his own cell phone for business purposes. The company must know what it is to ensure the security settings and installed software are consistent with company practice.

2. Security Maintenance. A strong BYOD policy has at its core the specific security requirements the company deems necessary. These include, at a minimum: implementing password protection, updating the device with security patches, and prohibiting the installation of unapproved software.

3. Account for Cloud Storage. Employees increasingly want to back-up a device to a cloud-based storage program. This may be acceptable to the company, but if it is, the company must have a means and procedure to ensure data is removed from the program upon termination of employment.

4. Remember Federal Law. This can come up in three circumstances. First, the BYOD policy should ensure that the device is not used in a manner that could lead to discrimination or harassment suits. Second, the employer can't inadvertenly run afoul of the Fair Labor Standards Act. Specifically, non-exempt employees should not be permitted to use the device during non-working hours for work purposes. Third, with the National Labor Relations Board cracking down on the use of social media policies, a comprehensive BYOD should specifically provide that the policy does not preclude employees from discussing the terms of their employment, or anything else that can be described as concerted activity under the NLRA.

5. Confidentiality Policies Must Apply. Any employer policy, whether expressed in a handbook or agreement, must relate to personal devices. If a company implements BYOD, it should place the employee on notice that confidentiality and proprietary rights restrictions apply to covered devices as well.

Every BYOD is different and should be tailored to achieve company objectives. My personal feeling is that BYOD will remain hot for a while until companies decide that the policies are too much of a security risk. I doubt BYOD ever will be held to undercut a claim that a company takes reasonable steps to protect its trade secrets. But a strong, clearly worded policy would certainly help eliminate that risk.

No comments:

Post a Comment