Pub. 3 2014-2015 Issue 1
San Diego Dealer

Blurring the Line Between Yours and Mine: Best Practices for Bring Your Own Device Policies

By Michael Elkon

Let’s face it: bring-your-own-device (BYOD) situations are here to stay. With the ubiquity of employees having and using smartphones and tablets – devices that have more capacity and processing power than desktop computers from not so long ago – it was inevitable that employees would eventually start to use their own devices in a work capacity.

This new reality presents benefits for employers, as their employees can now be productive away from the office and be responsive to work situations as they arise. Additionally, there are cost savings that can be achieved when an employer is no longer responsible for supplying devices to its employees. The situation also benefits employees, as they often derive personal satisfaction from being able to link up their own preferred devices to the work system, creating a little node of personalization in an environment that they do not otherwise control. Surveys reflect that a significant percentage of job seekers will view a prospective employer more favorably if it has an IT system that supports the seekers’ personal devices.

But if employers do not manage BYOD scenarios proactively, then they present risks in addition to rewards. To state the obvious, when your company’s information is being sent, received, and stored over a device that you do not own, then the specter of data loss is present. This risk can come from an employee who intends to hurt the company by taking information and either using it on behalf of a competitor, or simply disclosing it to cause embarrassment. It can also come from an employee who inadvertently retains or loses it. Either way, the employer that thinks through BYOD issues in advance and charts out rational, balanced policies before issues arise is going to place itself ahead of the game.
Here are some best practices for BYOD situations:

Have Technology In Place To Protect Your Information

Take the typical employee’s smartphone. Some employers require that the employee use an employer-issued email application like Good Technology. Other employers require that their employees download an application that allows the employer to shut down or access a device in certain circumstances. Some employers take the simple step of requiring that employees activate passcode protection on their devices, a policy that costs nothing because just about every device contains this option.

Regardless of which of these options an employer chooses, it is the most basic step in dealing with BYOD situations. You need to acknowledge and deal with the fact that if your information is going to migrate to your employees’ personal devices, then those devices need protection measures in place to ensure that the information is not lost or stolen.

Think Through Your Key Information And Take Steps To Protect It

Some information is simply too important to permit it to migrate to an employee’s personal device. Even with one of the data-security fixes in place, an employer might worry about information that remains on the device after the end of the individual’s employment or that an employee will leave the device unattended for a moment and allow a third party to see sensitive information on the screen.

It’s important to ask yourself three questions. First, what information would be most useful to your competitors if an employee left with it? Second, what information would be most embarrassing if it were leaked to the general public? Third, if asked on a witness stand “how many measures do you take to ensure that the company’s most valuable, sensitive information remains private?” what would you or your Human Resources manager say in response?
It’s valuable to put yourself through this sort of self-critical analysis in many scenarios; but it is specifically important in addressing BYOD situations.

Make Clear That Employees Cannot Misuse The Computer System

With the increased use of the federal Computer Fraud and Abuse Act and analogous state computer-protection statutes, employers are learning the importance of putting employees on written notice as to what they are not authorized to do on the company computer system. This includes both taking files from the system (such as by emailing files out as attachments or saving them to thumb drives) and deleting files prior to departure. The key to unlocking the power of federal and state computer protection laws is showing that the employees were on notice that they were not authorized to perform certain acts on the system.

This general rule extends to BYOD policies. Put your employees on notice as to what they can and cannot do with respect to company information on their devices. Just as it is helpful to think through confidential information issues in advance, it is also worthwhile to spend some time addressing common employee misconduct or negligence scenarios involving data security on personal devices and then covering them with written policies. A policy laying out general rules and then covering specific scenarios in an “including, but not limited to” string (a construction much beloved by lawyers) is ideal.

Pay For The Employee’s Cell Phone

In the grand scheme of things, it is penny wise and pound foolish to have key employees pay for their own cell phone plans. If a company owns and maintains the account, then it can:

a) terminate the account when an employee leaves so customers cannot reach out to him or her;
b) determine whom the employee has been contacting in the final weeks with the company by reviewing call and text logs; and