Bring Your Own Device, Don't Bring Your Own Drama
From the Experts
The Bring Your Own Device (BYOD) movement is in full swing. A Cisco Survey revealed that 71 million BYOD devices are in use today in the United States, and that number is expected to grow to 108 million by 2016. These numbers are not surprising given the reduced costs a BYOD program can offer employers. Cisco has estimated that, if done correctly and comprehensively, U.S. companies can save as much as $3,150 per employee per year with a BYOD program.
In the face of these numbers, a company is putting itself at risk, not to mention an economic disadvantage, by moving forward without a clearly defined BYOD policy. Below are some key issues to consider as a starting point when crafting a BYOD policy.
Confidential Business Information and Trade Secrets
A crucial concern associated with BYOD programs is the protection of an employer’s confidential information and trade secrets. The use of personal devices in the workplace opens up a myriad of different avenues through which company information might be accidentally leaked to the public. And accidental disclosures of company information may result in the loss of a company’s trade secrets.
An employer could certainly choose to eliminate or prohibit all personal devices in the workplace. Many employers, however, choose to allow employees to use their personal devices for work. Rather than turning a blind eye to the realities and demands of today’s workforce, an employer should take a proactive approach in preserving its confidential business information and trade secrets. Indeed, an employer that has failed to take any measures to protect the secrecy of its data is in serious danger of losing it. A BYOD policy can be a game-changer.
A written BYOD policy is one of the first steps an employer can take to help demonstrate to a court that the company has made reasonable efforts to protect the secrecy of its confidential information. Not only must a BYOD policy meet the company’s individual goals and facilitate smooth day-to-day business practices, it also must be easily understood and followed by the company’s employees. If the employees cannot understand it, a court may not view the policy as an adequate protective measure.
Implementing a well-written policy should not be the end of the road. An employer should be able to show a court that the company provides sufficient instruction and training—not only at initial hiring, but also on a regular basis. And in light of the increasing capabilities of employees’ personal devices, employers must also periodically review their policies to ensure that these stay current, and must manage any new security risks created by technological advances. (When updates to the policy are necessary, additional employee training should be conducted.)
During any employee BYOD training, an employer needs to address the security risks associated with employees’ using their personal devices. Many employees are simply unaware of the various ways in which company information might be vulnerable to disclosure. Some common examples include employees:
- Losing personal devices or having them stolen.
- Sharing personal devices with family and friends.
- Connecting personal devices to unsecured wireless networks; upgrading their personal devices.
- Resigning or being fired from their jobs, and taking the data on their devices with them.
By considering and addressing the various ways in which confidential business information might leak—both in the policy itself and in training—employers and employees can manage security risks at the outset.
The considerations identified above are just a starting point. Employers should consult with their IT departments to identify and implement measures to secure company data on employees’ personal devices.
Employees’ Right to Privacy
The need to protect a company’s confidential information and trade secrets can often conflict with the need to respect an employee’s right to privacy. Indeed, violating employee privacy rights is another risk that employers face in implementing BYOD programs.