Managers at Work
"Like many smaller businesses, our company has had an informal BYOD policy that employees use their own laptops and cellphones on the job. It's worked fine, except that now we need to terminate someone on our staff and we need to retrieve our data. This person can be somewhat confrontational (which is why we're terminating her). My first instinct is to have someone stop her at the door so we can remove our files and wipe her hard drive. But I don't know that we can do that with personal equipment. I'm anticipating that this will evolve into a showdown. What do you suggest?"
These bring-your-own-device policies are being used with increasing frequency by employers everywhere, including both public and private-sector employers. There are many unresolved issues, including the termination issue you're dealing with now. One look at the blogs can tell you that these policies, or the lack thereof, are driving lawyers and information technology people crazy.
Several factors are involved in the BYOD trend, says lawyer Steve Modica of Modica & Associates of Rochester. These include:
- Employees sometimes have better hardware and software at home than is available at work.
- It's easier to recruit talented and IT-savvy people who prefer their own devices and want to use them at work.
- Employees are downloading and installing software on hardware devices without permission from company IT departments.
- Many companies have not sorted out the best mix of devices that they need for their businesses. As a result, they may let employees pick their own tools.
With the rapid increase in the personal use of mobile devices, many employers have had difficulty dealing with issues involving the security of company data and the development of enforceable policies in the workplace.
"One benefit is that the employer doesn't have to purchase it for the employee, and the employee's technology at home may be better," says Sharon Stiller, partner with Abrams, Fensterman, Fensterman, Eisman, Formato, Ferrara & Einiger LLP in Rochester. "But the risks are large."
Indeed, in a survey of more than 4,000 organizations conducted by Ponemon Institute (and sponsored by content security provider Websense Inc.), 77 percent agreed that the use of mobile devices in the workplace is important to achieving business objectives. At the same time, 76 percent said these devices put their organizations at risk. Only 45 percent have enforceable policies.
Employers can generally protect information contained in work computers, but it's much more difficult to protect confidential information in personal devices, Stiller says. "More people have access to them, and they may be left in more locations."
In addition, New York law requires notification of customers or clients whose information was lost or stolen, Stiller says. "It is also easier for employees to download confidential information onto personal devices without the employer knowing about it."
Besides protection of company secrets and employee personal information, several other legal issues are involved: whether an employer can monitor activity, including searches and personal contacts; what happens when a device is infected with a virus; and what will occur if an employee quits or is fired.
In general, an effective BYOD policy contains three critical components, according to IT Manager Daily, which publishes a template for employer policies at www.itmanagerdaily.com/byod-policy-template. These components are a software application for managing the devices that are connecting to the network, a written policy outlining the responsibilities of employer and employees and an agreement that employees must sign, acknowledging that they have read and understand the policy.
The experts say these policies should be formal written documents.
"What troubled me most from this questioner was the word 'informal,'" Modica says. "When informal, such a policy is not 'Bring Your Own Device' but 'Bring Your Own Disaster' to the company."
In your situation, you may want to create an incentive for this employee to comply, Modica says. "The company could offer severance and/or agree not to challenge any application for unemployment insurance benefits that the employee may file to get full compliance on the data issue.
"If that occurs, I would recommend that these promises go into a written document that includes, among other things, an agreement by the employee to waive any legal claims that she could have against the company."
Modica noted there are common law theories which might allow you to sue the employee to recover the proprietary information on the employee's device. "Proving a violation without a written agreement makes a case like that more complicated. However, it's not impossible," he says.
To deal properly with the BYOD issue, you'll want to open communication on all levels so everyone knows the risks, both personally and professionally. You'll also want to create a formal written policy and begin using the right tools for data management.
"There are many personal and commercial options for automatic backup, remote wipe, security and management of devices," Modica says.
Given all the complexities, employers have to make a "threshold decision" as to whether employees will be allowed to use their personal devices at work, Stiller says. Rather than making a blanket rule, employers might find it worthwhile to allow these devices for certain groups only or with express written permission.
She suggested that the policy contain more than a dozen provisions at a minimum, including requirements that an employee register the personal device with the employer, give the employer a copy of the password, consent to inspection of personal devices, agree not to delete work-related information without the employer's permission and agree to use only secure wireless networks in connection with any work-related information.
Managers at Work is a monthly column exploring the issues and challenges facing managers. Contact Kathleen Driscoll with questions or comments by phone at (585) 249-9295 or by email at firstname.lastname@example.org/7/12 (c) 2012 Rochester Business Journal.