Companies cannot stay still over mobile-device policies
As mobile technology has developed to become an inevitable aspect of our everyday lives, employers now face a range of related issues. In particular, these arise from the growing use of personal mobile devices (PMDs) – such as smartphones, tablets or laptops – by employees for work, instead of, or in addition to, devices issued by the employer.
The use of PMDs in this way may be desirable for both employer and employee. For an employer, it can save on the cost of company-issued devices, while at the same time increase employee engagement and productivity. For an employee, the benefits may include avoiding the need to use – and carry – separate company and personal devices, and increased flexibility to work when not physically present at the desk or in the workplace.
If an employer does decide to permit or support the use of PMDs by employees, it is important that it understands the potential risks and issues which may arise. These include security issues relating to unauthorised access to the company’s systems; threats from malware and viruses; confidentiality issues if devices containing proprietary information are lost, stolen or misused; and data privacy issues, which can become complex.
There are a number of typical questions that need to be addressed. What happens if an employee loses the device or it is stolen? What happens if they deliberately share data on the device with others, or inadvertently do so by leaving the device unlocked? What happens to the data on the device if an employee leaves the company to join a competitor? How can an employee’s own private data, such as family photos and personal e-mails, be kept separate from work-related data? What happens if a device contains data relating to an individual’s previous employment and that data is inadvertently migrated onto the company’s systems? Could the security of the company’s systems be put at risk by malware or viruses introduced via an employee’s PMD?
In order to address these issues, any employer which allows employees to use PMDs for business purposes should consider putting in place a policy setting out an appropriate framework for the use of such devices. The policy should make clear that participation in a “bring your own device” (BYOD) arrangement is conditional upon continuing compliance with the rules set out in the policy and that any breach of those rules may be dealt with as a disciplinary matter.
The policy should also set out the criteria used to assess which PMDs can be used and whether the company will make any contribution towards the cost of purchasing a device. If the employer contributes to the purchase price of a device or its running costs, it is highly reasonable to expect an employee to accept any policy which regulates its use.
The safeguards needed to protect the company’s data and systems also need to be clearly detailed in the policy. These safeguards may include requiring an employee to hand over the device for inspection upon request – for example, where the employer is investigating an allegation of misconduct – and for wiping when employment comes to an end. As an employee may be unwilling to hand over his or her PMD to the employer, any such access requirements should be framed as a precondition to participating in a BYOD arrangement.
The policy should also cover data-privacy obligations and make it clear how these apply to both the employer and employee. Employers should be sensitive to the fact that an employee’s expectation of privacy is likely to be greater in relation to his or her own device than it would be in relation to the company’s property.
The policy should be transparent about the steps that the employer will take to monitor the use of company data on the device. Here employers need to take care to balance the need to monitor data use, particularly data leakage or loss, against employee privacy.
Besides implementing a policy, an employer should ensure that it has appropriate software in place to manage the use of PMDs. Such software will typically enable an employer to set up security features such as access passwords, automatic locking functions, data encryption and remote wiping. Particular care should be taken to ensure that company data can be segregated from the employee’s private data – such as family photos and personal e-mails – and that, if remote-wiping arrangements are put in place, only work-related data is wiped, and not the employee’s potentially irreplaceable private data. This removal of company information from the device should form part of the employer’s standard exit process.
A carefully constructed BYOD policy will assist in minimising the risks to an employer’s IT systems and its confidential and proprietary information. If employees are required to agree to such a policy as a condition of participating in a BYOD arrangement – and adequate security measures are put in place – such arrangements can offer significant benefits to both employers and employees.
Fiona Loughrey has headed Simmons & Simmons’ award-winning China employment group since 1999. Sarah Berkeley has extensive experience in advising on employment and discrimination issues, and has worked at the firm since 2001.
The information contained in this article should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If advice concerning individual problems or other expert assistance is required, the service of a competent professional adviser should be sought.