Creating a BYOD policy
by Mark Adams, on December 18, 2014
Original article at: http://hr.blr.com/HR-news/HR-Administration/Employee-Privacy/Creating-BYOD-policy-Provisions-employers-consider#
Earlier this year, I wrote an article that discussed the “bring your own device” (BYOD) movement and outlined important issues you may want to think about if you decide to develop your own BYOD policy. So what is BYOD again? BYOD describes the scenario in which employees use their own devices to do their jobs and use an organization’s data or information systems in the process.
Although there are advantages for both employers and employees to implementing a BYOD program, there are also challenges and problems. Thus, you need to consider all the issues that go along with BYOD before allowing your employees to bring and use their own devices for work purposes.
Additionally, if you decide to implement a BYOD policy, it should be unique to your organization and its particular needs and circumstances. My previous article discussed issues relating to eligibility, privacy, and overtime. The following is an overview of some additional important points and provisions you may want to think about including when developing your own policy.
Security. Decide which security requirements you want to implement for personal devices used for work purposes, and provide details on which security measures authorized employees must have installed on those devices.
For example, you may require employees to have anti-virus and/or mobile device management (MDM) software installed on their devices. Your organization may also want to bar employees from modifying their device hardware or operating software beyond routine updates. Potential security measures also include passwords, encryption, and remote wiping.
Passwords and encryption. Include your organization’s password and/or encryption requirements. For example, you should address whether encryption is required and/or what happens when there is a failed login.
“Remote wiping.” Your BYOD policy should make clear that employees are to protect their personal devices used for work purposes and should make every effort to prevent them from being lost, stolen, damaged, or subject to unauthorized access. Provide details on the person or department that employees must notify immediately if their devices are lost, stolen, damaged, or subject to unauthorized access.
In order to make sure sensitive organization data is safe, many BYOD policies require employees to have software that facilitates a “remote wipe” installed on their device. Such “remote-wipe” software allows organization-related data to be erased remotely if a device is lost or stolen.
If remote wiping is part of your BYOD policy, make sure employees who are allowed to use their personal devices for work purposes agree that the organization may remotely wipe such data if their device is lost, stolen, damaged, or subject to unauthorized access. Employees should also agree that the organization can remotely wipe such personal devices when they cease to be employed by the organization.
Since remote wiping may affect other data or applications, you would want to state that your organization is not responsible for any personal data or applications that are lost or impaired due to remote wiping.
Software agreement. You may want to include a provision in your policy that states that employees may be required to sign an additional written agreement that discloses all risks associated with organization-required software installed on their devices.
Software upkeep and updates. Your policy should require employees to agree to maintain the original device operating systems and keep the devices current with security patches and updates. You should also get employees to agree to install periodic updates to organization-required software. Make sure to include in your policy how such required updates will be determined.
You may also want to include a policy provision that states that employees will not “jailbreak” their personal devices used for work purposes by installing software that allows them to bypass standard built-in security features and controls.
Device support. In your BYOD policy, describe what support your organization provides for personal devices used for work purposes. You should also describe how employees can request such support.
Cessation of employment. Make sure your policy details what happens when an employee ceases to be employed by your organization. For example, you may want your policy to say that:
- Employees who resign or whose employment is terminated will be asked to produce personal devices they used for work purposes for inspection;
- The organization will remove all organization data on such devices at the end of employment; and
- Such removal may include remote wiping of personal devices.
Policy violations. Make clear that violation of your BYOD policy may result in discipline, up to and including termination of employment.
Authorization. Finally, emphasize that employees who have not been authorized to do so in writing and who have not provided written consent to these policies and requirements regarding use of personal devices for work purposes will not be allowed to use such personal devices for work purposes.