Formalizing Your Business’s BYOD Policy
When the pandemic hit about two and a half years ago, thousands of employees suddenly found themselves working from home. In many cases, this meant turning to personal devices to access their work email, handle documents and perform other tasks. Even before COVID, more and more businesses were allowing employees to use their own phones, tablets and laptops to get stuff done.
By now, many companies have established firm bring-your-own-device (BYOD) policies. Other businesses, however, have taken a more informal approach, allowing their policies to evolve with minimal documentation. Whichever camp your company falls into, it’s a good idea to regularly review and, if necessary, formalize your BYOD policy.
A comprehensive BYOD policy needs to anticipate a multitude of situations. What if a voluntary or involuntary termination occurs? What if a device is lost, shared or recycled? What if it’s infected by a virus or malware? How about if a device is synced on an employee’s home cloud? Other key questions to address include:
Who pays the bill? Payment policies vary widely. For example, an employer might pay for an unlimited data plan for employees. Any charges above that amount are the employee’s responsibility.
Who owns an employee’s cell phone number? This is a big deal for salespeople and service representatives — especially if they leave to work for a competitor. Customers may continue to call a rep’s cell phone, leading to lost sales for your business.
Are employees properly password-protecting their devices? A policy should require employees to not only use passwords, but also implement two-factor authentication if feasible. In addition, users need to set up their devices to lock if left idle for more than a few minutes.
A BYOD policy needs to address the fact that using a personal device for work inevitably opens the door for an employer to access personal information, such as text messages and photos. State that the company will never intentionally view protected items on a device, such as privileged communications with attorneys, protected health information or complaints against the employer that are permitted under the National Labor Relations Act.
In case your business becomes involved in a lawsuit, its data retention policies should address how data is stored on mobile devices and gathered during litigation. Keep in mind that Rule 34 of the Federal Rules of Civil Procedure covers all devices, including personal ones that access a company’s network.
Formalizing your BYOD policy should involve spelling it out in a written user’s agreement that all participants must sign. Consult a qualified attorney in drafting such an agreement. Contact us for help assessing the tax and financial impact of allowing employees to use personal devices vs. buying technology assets and providing them to your workforce.