More and more businesses are allowing employees to use their own laptops, tablets and smartphones for work, instead of providing the equipment themselves.
About a third of all large companies in the U.S. now have a “bring your own device” policy, and about half of smaller companies do.
These policies have a lot of advantages, but they can also create security and legal risks. If you have such a policy, or you’re thinking of adopting one, it’s wise to have a written agreement with your employees that will protect you if something goes wrong.
In fact, it’s always wise for a business to have written agreements and policies about the use of personal technology, since employees today are increasingly likely to use their own devices for work purposes, whether it’s officially allowed or not.
The basic advantage of a “bring your own device” policy is obvious – the company can save the cost of providing workers with expensive computer equipment.
But there are other advantages, too. Employees are usually more comfortable working with their own device, and there’s no “learning curve” as workers gradually get used to the ins and outs of a different machine.
But the risks are very serious. Here’s a look at some of them, and the ways that employers need to protect themselves:
Security. Workers’ personal devices are much more likely to be lost or stolen. If that happens, sensitive company data and e-mails may be compromised. A written policy can require workers to allow the company to remotely wipe clean data from a lost or stolen device, and require them to install software enabling the company to do so.
At the very least, companies can require workers to maintain password locks on phones.
Another issue is that there are many new laws requiring businesses to notify customers if there is a security breach, and companies should be aware of whether a lost or stolen personal device will trigger these laws.
Viruses. Statistically, personal devices are twice as likely as company-owned devices to become infected with malicious software. And viruses can spread throughout a company when the victim logs into a company network. A written policy can require workers to update their machines with the latest anti-virus software.
Who owns the data? If an employee leaves the company, who owns the data on the employee’s personal device? A written policy should make extremely clear that the company owns the data, and should also allow the company to retrieve the data if the employee leaves, and remove it from the employee’s machine. Otherwise, the company might be deprived of essential information and records.
This is tricky, because it’s not always easy for a company to extract work-related information from a personal device without extracting personal information as well. Unless the company is careful, it could wind up facing complaints of invasion of privacy from a former employee.
Sensitive information. There are many new laws that impose detailed restrictions on how a company stores sensitive data, such as credit card numbers, Social Security numbers, and driver’s license and bank account information. You’ll need to determine whether you can legally allow employees to store this type of data on their personal devices. If not, you’ll want a written agreement to prohibit employees from doing so, so you can show that you made every effort to protect the information.
Other laws require certain types of information to be encrypted or securely destroyed, such as health records and consumer credit reports. And if you enter into a non-disclosure agreement with another company, you’ll need to consider whether the agreement allows storage of information on personal devices.
Trade secrets. What happens if an employee goes to work for a competitor and shares confidential information that was on his or her device? In the past, it was easy to show that an employee did something wrong if he or she copied company data onto a personal computer, but if a company explicitly allows or even encourages employees to do so, it may make it harder to prove in court that the information was protected. This needs to be covered in a written agreement.
The reverse is also true; companies need to protect themselves from being sued for misappropriation of trade secrets if a new employee shows up for work with confidential information from a former employer on a personal device.
Overtime problems. Companies need to be aware that if employees are responding to e-mails and otherwise performing work at home after-hours on a personal device, this can lead to claims for overtime pay. One way to solve this is for a written agreement to say that e-mails should be responded to only during working hours, unless a supervisor has given specific instructions otherwise.
In general, a written policy should emphasize that using a personal device for work is a privilege, not a right – and the privilege is contingent on the employee observing the sorts of basic requirements outlined above that are necessary to protect the company’s interests.