Does your company have a policy on employees bringing their personal electronic devices to work? Personal electronic devices include: smart phones, tablets, minicomputers, etc. They are showing up in the work place in massive numbers and employees are using them for work-related tasks. Allowing employees to bring their personal electronic devices to work brings a host of concerns for employers. While courts and legislatures have yet to decide who owns work-related data on employee-owned devices, the practice of comingling work and personal usage, data and ownership may create challenging legal and security implications for employers.
Employers should think about the following scenarios that may occur within their companies when employees use their personal electronic devices for work-related tasks:
- Your company is involved in a lawsuit and as part of the discovery (the exchange of information relevant to the lawsuit before trial) purged data is found stored on the employee’s personal electronic device.
- Your employee carries an unsecure personal electronic device and a hacker obtains company sensitive information.
- Information leaves the company’s control as employees store “confidential” data on their personal electronic devices.
- An employee leaves your company and still has company data on their personal electronic device.
To help avoid the above scenarios and others, employers should develop and implement policies to address these concerns. The type of policy that should be implemented will depend upon each companies business needs. However, they should include one of the following:
- A legal written agreement between the employee and the employer stating that an employee accessing business resources from a personal electronic device gives the company the right to manage, lock, and wipe all company-related information from that device.
- An agreement where the company issues the employee a company-owned device and employees are not allowed to use the device for personal-related matters. This helps to separate employee’s personal data from company-related data. The employee is required to return the device upon termination of employment from the company.
- A legal agreement where the company purchases the personal electronic device from the employee for an agreed to amount and then gives the employee the “right” to use it for personal matters. The employee may then have the “right” to buy back the device at the same price when he/she terminates employment from the company.
To decrease security risks related to personal electronic devices, employers should consider the following company-related factors when deciding upon the content of their personal electronic device policy:
- The security concerns of your industry.
- The sensitivity of information that your employees are exposed to and handle daily.
- Any legal regulations that your company may face.
- The company’s ability to oversee and manage the use of personal electronic devices.
In addition, employers should consider the following when designing and implementing a personal electronic device policy for their company:
- Require all employees who use a personal electronic device to download software that allows the company to remotely access and wipe devices.
- Have your employees sign written agreements that discloses all risks associated with the software and requires them to download it onto any device that will be used to access company-related information.
- Allow only certain employees to have the privilege of using personal electronic devices and limit the type of information that is accessible, e.g. e-mail.
- Make sure that employees consent in writing to have the devices inspected upon termination. This may be done remotely.
- Don’t allow employees to store corporate information on personal devices. Again, a signed agreement that they will not store company information on their personal electronic devices may be appropriate.
- Have employees sign a written agreement that they will turn over their personal electronic device for inspection upon a legitimate request from the company.
While personal electronic devices may be important to your employees in the workplace, companies need to decide the legal and security-related implications for allowing employees to use them for work-related tasks. It may not be a benefit for your company to allow employees to use their own devices? Remember to consider all of the risks before designing and implementing a policy.
For additional information on the creation and implementation of a personal electronic device policy and implications for your company, please either consult your employment law attorney or New Focus HR.
Written By: Kristen Shingleton, M.B.A., CCP
President, New Focus HR LLC