In part 1 of this series, Mobile IT Policy, we looked at the need to create a mobile information technology policy to cover the issues surrounding the increasing number of employee owned devices being used inside of company networks. The Bring Your Own Device (BYOD) phenomenon is here to stay and growing with more than 57% of Information workers selecting and buying their own smartphones and other mobile devices.
Responding to the risks associated with this trend involves writing a BYOD Policy and implementing it uniformly across your organization. Your policy should address, at a minimum, three major sections including: Mobile IT Policy; Legal and Regulatory Requirements; and Mobile Device Management.
Part 2 – Assessing Legal and Regulatory Requirements
The two fundamental objectives in creating your BYOD Policy are, one, to mitigate risk to the organization and, two, to achieve a balance between employee freedoms and privacy on one side and corporate security on the other. This essentially creates a partnership between the employee and the company, unlike the traditional employer-employee relationship. The BYOD policy acts as a memorandum of understanding that sets out the ground rules for the BYOD privilege. For the sake of clarity, it is best to have the understanding in writing so that it can be fairly and uniformly enforced across the organization.
Make sure your policy is enforceable – get appropriate legal review and consents
Secure rights to monitor and audit all activity on employee owned devices – take into account any local laws or regulations
Establish the ability to differentiate and mark liabilities for apps, features in use, and licenses that belong to the employee versus the organization
Obtain consent for the device to be accessed by the company for business purposes
Determine whether local, regional, or national privacy laws impact planned security measures and what consents are necessary to obtain the level of access required
Explain clearly how employee owned devices will be decommissioned and how sensitive organization data will be removed from the device
Describe the employee's obligation to report lost, stolen, or damaged devices and the organization's right to wipe the device of data
Due to the complexity of the issues with BYOD, several departments and functions are involved, including IT, Human Resources, Benefits, and Legal, to name a few. It is very important to determine who owns this domain as you write your policy, because that owner will be responsible for the execution of all documents relating to the policy and should have complete authority to implement and enforce it. As a result, it makes the most sense for Human Resources to own the BYOD Policy and related activities.
To that end, make sure that HR policies are written to:
Govern the use of employee owned devices both during work and off-hours, as well as at on-site and remote locations
Delineate control over corporate information accessed and stored on employee owned devices
Create an employee outreach and training program around BYOD risks, rewards, and responsibilities
Include the process for paying down any amounts owed to the employer if a repayment plan is offered to cover the cost of the device
Modify independent contractor and vendor agreements to ensure their awareness of and compliance with the Mobile Device Policy
While this information will get you started, there is no substitute for sound legal guidance to ensure your policies and agreements provide the maximum possible protection for your organization.
The next blog in this series will cover creating an Employee Owned Mobile Device Agreement.