By Michael Burns, courtesy of SBAM Approved Partner ASE
Allowing employees to use their own personal electronic devices for doing work presents compliance concerns. From the human resources compliance perspective, employers’ concern is often focused on non-exempt employees being paid legally for working off the clock by responding to emails, texts, and phone calls after hours. Other compliance concerns include performance management, discrimination, harassment, privacy, and safety.
Employers are also concerned about whether and what to subsidize for employees using their personal devices for work matters. ASE’s 2017/18 Policies and Practices Survey found on average just under 40% of member employers reimbursed segments of their employees for the use of their personal cell phones.
The other major concern is security. Regardless of whether the employee’s use of a personal device was reimbursed, a recent survey by business-to-business research firm Clutch found 64% of employees use an employer-approved device for work but only 40% use a personal device that is monitored for security purposes.
What are workers doing with their personal devices? 86% are checking their emails, and 67% are accessing shared company documents.
The Clutch survey identified the use of unsecured devices as the biggest threat to an employer’s system for unauthorized or illegal access. And don’t forget, this issue is not only about external breach threats; it also includes unauthorized access to systems and data by employees – an internal threat. The above-noted survey found 95% of organizations’ workers tried to override their employer’s security mechanisms. An earlier survey of BYOD practices by Fiberlink found that when employees went to upgrade their devices, they failed to properly dispose of or wipe corporate information from the phones being replaced. Only 16% of respondents answered they had their device professionally wiped and only 5% responded they had the device securely destroyed.
Having a personal device policy in place and educating employees on that policy is paramount to protecting employer systems. The Clutch survey found 52% of employees receive security policy training once a year.
The second important protection practice is requiring passwords to access systems. The Clutch survey found over 75% of employers use password protection. That leaves 25% that currently do not. An active security system includes updates being pushed out to employees (67% of employers do this), having internet restrictions (55%), and user permission prompts (53%).
What should employers do?
- Properly plan out the Bring Your Own Device (BYOD) program
- Modify or create employee agreements detailing proper BYOD use
- Require employee consent in writing to access company data on their personal devices
- Restrict usage by executives, legal, HR, and other members that normally have access to highly confidential company information
- Evaluate which employees should be permitted BYOD privileges
- Install mobile device management software. This gives employers control to remotely access devices or prevent the use of certain software apps on the device
- Prohibit the use of the device by friends and family
- Consider what BYOD means when an employee leaves the organization and text messages become an issue in subsequent litigation.
Additional ASE Resources
Handbook Development Services – ASE can help you create a BYOD policy for your existing handbook.