Employee-owned personal electronic devices: Think ahead or lose control
May 16, 2012
Article courtesy of SBAM Approved Partner ASE
By Michael J. Burns
How often have you looked around the table at a business meeting to see one or more employees gazing intently downward, fingers furiously punching away on their personal hand-held devices? Hopefully, they are keeping up with their work this way; but, assuming they are, can you be sure that is a good idea? More businesses today permit employees to use their personally-owned equipment to access work, but how often do they realize the legal and security implications of that activity?
According to a BLR report of a recent survey by YouGov and Research Now, 67% of surveyed companies have no policy covering their employees’ use of their personal devices for work purposes.
What happens to company data and information, and even trade secrets, that find their way onto an employee’s electronic device and then leave with the employee to another job? Or to sensitive information that is hacked by an outsider from the employee’s smartphone? Or to information normally purged from the company’s system in a lawsuit that turns up instead on an employee’s personal device?
Employers are now confronted with several dilemmas around the value derived from the convenience of employees using their own devices—paid for by themselves—to work more efficiently. Typically the employer does not pay for the purchase of these devices, and many do not pay the usage fees even though they may have arranged for the device to “sync” up with the company system. Under those circumstances, who owns or controls the information and data on the devices when push comes to shove?
Suffice it to say, if an employer does not have a policy and certain controls in place, it is not the company that owns or controls what data and information gets placed in that device.
Companies have adopted three types of policies to address these concerns about employee-owned electronic device policies:
Shared Management. Company policy states that an employee accessing business resources from a personal device gives the company the right to manage, lock, and wipe that device. The policy is normally put into a written agreement.
Corporate Ownership. The company owns and buys the device. If employees don’t like the company-issued device, they can buy their own personal device that has no corporate access.
Legal Transfer. The company buys the device from the employee. Normally, the company will purchase the device for some nominal amount (e.g., $5) and give the employee the right to use it for personal purposes. The employee has the right to buy the device back for the same price when he or she leaves the company.
If a company wants to have access to all communications the only way to guarantee control over the device and information by the company is to buy the device. Otherwise, employers need to determine what their tolerance is to the security risk. What is the sensitivity of the information being handled? What security concerns exist in the company’s business/industry?
Short of owning the device outright, employers should fashion policies that address the following:
- Initiate a “wipe” policy. This is done by requiring employees download software that allows the company to access the device (remotely even) and remove the company data.
- Require written agreements that confirm employee’s understanding of the risks and responsibilities.
- Make the use of the company system by personal electronic devices exclusive only to designated persons or positions.
- Require employees to submit their devices to periodic inspection and make device inspection part of the exit interview. (This should be agreed to in writing and in advance.)
- Do not allow employees to store corporate information on their personal devices.
These are all intrusive policy requirements. They would compel an employer to put these terms and conditions of employment in writing. This would be the only way to avoid an unpleasant confrontation with an uncooperative employee when the company requests access to the employees personal device.
SBAM’s Approved Partners can help you navigate this growing area of concern. Turn to the American Society of Employers (ASE) for assistance in the human resources aspect, and to NuWave Technology Partners for information technology assistance.