I was recently asked to write a Bring Your Own Device (BYOD) policy for a company. While I have some experience writing policies, I had never done a BYOD policy, and it opened up a lot of questions I had not thought of, so I thought I would share them for your consideration.
In this day and age, a company must have a BYOD policy for the simple reason that virtually all employees have smartphones and have access to company (and/or client) data on them (e.g. through Dropbox, Google Drive, or by storing data directly on the device). Your company must have an official position on how this access to data is handled in order to stay in compliance with any NDAs, contracts, etc. A major concern your policy should address is: what happens when an employee leaves your company and takes a device that stores company data with them?
You need to be very clear about who owns what. The employee owns the device, but who owns the apps and data? For example, what happens if the employee is terminated and the company remotely wipes the device to remove company data, but the wipe also deletes personal data? Is the company liable?
What types of security should a company require, and how will you enforce those requirements? Do you require just a password? Do you require whole-device encryption? Do you require the company to have the ability to remotely access or wipe the device?
Is the company responsible for supporting devices? If so, which devices are allowed or included in the policy, and what level of support will you provide?
What does an employee have to do to leave with their device? Do they have to prove that they have removed company data, apps, and access?
What do you do if you find illegal information or activities (such as child pornography) on the device? Does it make a difference if it is in an "area" of the device that is not work related?
What level of involvement does the legal team need to have? What rights does the company have to audit or inspect the device as a whole versus just the company data, apps, etc.? For example, if there are multiple email accounts in the same app (work and non-work), what rights does the company have to access only the work email account within that app (if that is even technically possible)?
If your employees are consultants who work for multiple clients, and those clients' email systems require different device management controls, how do you reconcile multiple security policies on the same device?
An interesting fact I came across: in 2012, Juniper Networks released the results of a survey of more than 4,000 mobile-device users and IT professionals and found that many employees circumvent their employers' official mobile-device policies, with 41% of all respondents who use their personal devices for work doing so without permission from the company.
In other words, at a bare minimum, you need a policy to cover yourselves legally, but it may not be enforceable, and you may just have to live with that (which could unfortunately backfire in court as well: if the argument is that you had a non-enforceable policy, the court could invalidate the entire policy).
Tricky thing writing policies…
Got an example of a good or bad BYOD policy? I would love to hear from you!