Drafting BYOD Policies

Bring Your Own Device (BYOD) is ubiquitous in many industries, but allowing employees to retain confidential company information on personal devices poses a number of risks. Exposure resulting from a leak of information on an employee-owned device can be catastrophic, and allowing employees to use personal devices for business purposes leads to expanded discovery obligations in litigation.

Implement a written policy and require employees to accept it in writing before they are allowed to connect personal devices to the company network or engage in business communications on their personal device. The policy should be accompanied by appropriate training, and regularly updated. The policy should provide that the device’s password application must be enabled; the device should be required to lock automatically if an incorrect password is input too many times; and employees should be required to change their passwords every 60 or 90 days. The policy should prohibit employees from sharing their devices or allowing company accounts to be accessed by anyone other than the employee. Basic security requirements should be addressed.

Mobile device management programs are becoming increasingly sophisticated, and are an effective first line of defense; but where potential for human error exists, a properly drafted policy can serve to further reduce risk.

Whatever the approach, organizations should carefully consider the implications of BYOD — the benefits as well as the risks — before jumping into implementation. An appropriate written policy is an essential step in that process.