This post is from the Apperian blog and has not been updated since the original publish date.
How to Mitigate the Legal Risks of BYOD
In a previous post, we introduced some of the legal risks of BYOD when implementing a program to manage the bring your own device movement within your company. In this post, we will talk about some ways that companies can work towards mitigating those risks.
Employment and Contractor Agreements
All employment-related contracts -- such as non-compete agreements -- must be written specifically enough to clearly state intellectual property ownership rules in different scenarios. For example, if code was developed on an employee-owned device outside of business hours, who owns it?
Don’t let your situation fall under default law, which may or may not be favorable to you, for lack of attention to these contracts. Likewise, contractor agreements must directly assign intellectual property to the company via “work for hire” terms and should include specific terms to address any potential BYOD scenarios.
Policies
A BYOD policy is the first step a company needs to take to provide guidance to its employees. It should cover subjects such as:
- Acceptable use of the device
- Security procedures that must be followed by the company and the employee (e.g. PIN is required or a specific program must be downloaded before using the device for company business)
- Financial terms (what if any reimbursement does the company provide)
- Rules covering device and data loss -- including whether the company will wipe data from the phone in the case of termination or device loss
- Any monitoring of devices and when/how that may occur
- Which devices are allowed and which are not
Ideally, companies should require employees to agree to these terms before their devices are enabled for company use. All company policies must be updated to ensure consistency. For example, a company may have less stringent security standards for BYOD devices than for employer-owned devices, which could present liability risk. Consistency with the security policies for email, VPN and remote access is important as well. Other policies that should be reviewed include:
- Encryption and password policies
- Social media use
- Incident response guidelines
- Remote working rules
- Privacy policies
All policies should be “overcommunicated” to avoid any misunderstanding or “I never got the memo” discussions later. For more resources, the US government has developed a significant amount of guidance for BYOD-inclined companies, including sample policies.
Technological Safeguards
Policies are a good thing to have to mitigate risk, but companies also need to make sure sufficient infrastructure is in place to enforce them. This might include items such as VPN access, creating a sandbox on the device for corporate apps, location tracking, registration and authentication of devices, encryption, app blacklisting, control of access to corporate servers, and much more. By taking a mobile application management approach to BYOD, many of these safeguards can be implemented. For instance, since the control is focused on apps instead of the device, Apperian’s EASE platform enables companies to wipe only the corporate apps from a device when an employee leaves the company, leaving personal data intact. Ultimately, if a company drafts its relevant policies and contracts carefully and backs them up with the appropriate technology solutions, it should be able to focus on the benefits of its BYOD program, not the risks.