Troutman Sanders LLP: Risks Associated With Bring Your Own Device ('BYOD') Policies

Over the past year, more and more employers are letting their employees connect personal smartphones or tablets to the employer's network. Some companies have even stopped supplying their employees with computers; instead, employees bring their own laptops to work (or work remotely from home).

These policies are popular with employees. They no longer have to carry around a work and a personal device. They get to choose the technology they prefer to use. And they are able to get their work done efficiently and from any location. They're also popular with employers, who expect to achieve cost savings by not having to supply their employees with devices, and who are very happy with their employees' increased efficiency and work product output.

As technology continues to proliferate throughout our society, it seems that BYOD, for better or worse, is here to stay. But BYOD carries with it substantial risks.

The risks to employers are serious and numerous. The most obvious concern is the dissemination of confidential information-what if an employee leaves his smartphone, containing your company's trade secrets about your top secret new product, in a cab? In addition, there is an increased security risk. For example, employees who have smartphones operating on the Android operating system may download an app from the Android market-which is not screened in the way that the Apple App Store is-only to find that the app contains malware that then infects the company's network. Cloud-based file-sharing applications like Dropbox and Google Docs introduce further complexity-what if your employees are, without your knowledge, storing their work product in their personal Dropbox accounts?

There are several ways that employers can-and should-address these risks, though none of these solutions is perfect.

It is crucial that employers use mobile device management software so that they may remotely wipe employee devices that have been lost or stolen. Because such wipes may result in the loss of the employee's personal information, and because there is the potential for the device to become unusable after such a wipe, employers should require that all employees sign acknowledgements that they are aware of such risks before employees' devices are permitted to access the employer's network. These acknowledgements should be maintained in the employee's personnel file.

The freedom to use mobile device management software is important not only to protect the company's confidential information, but it may also be necessary to comply with various state and federal data security requirements. Employers in regulated industries, such as the banking and healthcare industries, face additional challenges in ensuring that statutory data security requirements are met.

Because of such data security concerns, as well as because of concerns about maintaining confidential information, employers may want to consider banning employee use of cloud-based file sharing sites such as Dropbox. If employees are using such websites because they want to be able to work outside of the office, you may be able to meet their needs by providing those employees with remote access via such programs as Citrix or virtual private network (VPN) access. Keep in mind, however, that it may be impossible to enforce such a ban. Accordingly, employers should also use the tools of monitoring and confidentiality agreements as further protections.

Employers with Company-Issued Communications Devices (CICD) policies or monitoring policies may also want to revise these policies to make it clear that they apply to employee-owned devices as well. Other policies that should be reviewed include, but are not limited to, anti-harassment policies, codes of ethics, e-discovery plans, and confidentiality agreements.

Employees must be reminded that when using their devices to conduct company business, they may not use such devices in a way that would reflect badly upon the company or subject it to liability.

Over time, employees may also find that there are unexpected risks involved with connecting their devices to their employer's network.

As the lines between work and personal lives blur, employees may find that their employers have an increased ability to monitor their off-duty activities via monitoring of their smartphones or other devices connected to the employer's network. As we considered in a recent post, litigation over these types of issues is sure to increase.

Moreover, employees may be very willing to agree prospectively to remote wiping of their devices at the outset, but when it actually occurs and they find that they have lost personal photos, or even the use of their device, they may be sorry they did. Already there are instances of terminated employees whose devices were wiped and made unusable demanding that their former employer replace their device.

Employees should think about such consequences before connecting their devices to their employer's network.

BYOD has introduced a vast amount of complexity to the world of data management and information security, and at this point, there are many more questions than answers. The only thing that is certain? You need to keep up with the challenges in this developing area.

For more information, please contact Christina Bost Seaton or John Hutchins

­­­­­­­­­­­­­­­­­­­­About Troutman Sanders

Troutman Sanders is an international law firm with offices in North America, Europe and Asia. Founded in 1897, the firm's heritage of extensive experience, exceptional responsiveness and an unwavering commitment to service has garnered strong, long-standing relationships with clients across the globe. These clients range from multinational corporations to individual entrepreneurs, federal and state agencies to foreign governments, and non-profit organizations to businesses representing virtually every sector and industry.

Troutman Sanders lawyers provide counsel and advice in practically every aspect of civil and commercial law related to the firm's core practice areas: Corporate, Finance, Litigation, Public Law and Real Estate. With more than 50 practice groups focused on specific aspects of these areas, the firm is defined by its considerable knowledge base and proactive approach to addressing legal and business challenges.

For more information about LexisNexis products and solutions, connect with us through our corporate site.