Today, one can get lost in the ever-growing list of acronyms associated with “bring your own device” (see the table of acronyms below). Regardless of your BYOD implementation choice, one overriding requirement exists: have a written BYOD policy that addresses your choices, and have it acknowledged by each participant (e.g., by each employee it affects). The policy must spell out the expectations on both sides: the company’s and the user’s.
Information Technology has a long history of ensuring that devices are secure. As the consumerization of IT has become more pronounced, companies are finding that they need policies that protect corporate data used or accessed by individuals on their own smart devices, phones and tablets.
Components of the policy include:
- A summary of your implementation choice. There are three basic strategies for BYOD policy implementation: strictly business only, walled garden, and limited separation.
- User obligations in the event of an eDiscovery need. Clearly stated: if the user is identified as an individual placed on legal hold, the user must preserve all data on the device and, if requested, promptly make the device available for collection and preservation, with the recognition that, given the nature of such devices, personal information or data stored on the device may be collected along with any business data.
- The expectation of privacy. The BYOD policy should clearly state that there is no expectation of privacy when a device is used for business purposes, even where that use is commingled with personal information and personal usage.
- Form of the policy. The policy must be in writing and clearly describe what is acceptable use and what is not.
- Acknowledgment of the policy. The user should acknowledge the BYOD policy in writing or by an acceptable electronic method, and the acknowledgment should be retained so that it can be produced later if the user’s obligations are disputed.
Implementation choice has a significant impact on your written BYOD policy:
A “strictly business” selection is perhaps the easiest to implement from an employer’s perspective. All business, all the time: it is our device, we can do what we need to with it at any time, and you pledge to cooperate.
The “walled garden” approach treats the business portion of the device in the same way. The business portion may take several forms: a partitioned device, business-only applications running alongside personal ones, or business applications that store no data locally on the device (cloud or virtual applications). Here, the privacy implications must be clearly stated in the policy. Even though use of the device is segregated (business from personal), it is generally not possible in an eDiscovery collection to capture only the business-use data, so the policy should not promise the user that personal data will never be collected.
The “limited separation” approach is as it sounds. Some use of the device is business-oriented, while some is personal, and the same applications on the device may be used for either purpose. Regardless of the use, the written BYOD policy should state that, while it is recognized that you are using the device for both personal and business purposes, you understand that if called upon for a business reason (litigation, investigation, regulatory requirement, etc.) you will cooperate and make the device available for inspection and/or preservation as requested. The policy should further state that the device may be unavailable to you for some reasonable period to allow the inspection or preservation to occur.
A clear written policy reflecting your BYOD implementation, or your decision not to permit BYOD at all (corporate-owned, business-only, or COBO), provides a framework for your company or organization that gives clarity and sets expectations for your users as personal device use expands to an ever-greater level.
Here is one statistic that helps in recognizing the importance of such a policy: the rate at which employees use their own devices for work is approaching 40%, and within the next two years it is expected to grow to over 80%.
As we mentioned above, the BYOD policy is also important for ensuring that corporate data is protected when employees depart the company. In this related article, read more about how to protect company data when employees leave the organization.