As mobile devices become more prevalent, employers are increasingly turning to bring-your-own-device (“BYOD”) programs that allow employees to use their personal devices for work purposes. More people are beginning to own multiple mobile devices, such as smartphones and tablets, and wish to use these devices for work purposes. Even without an employer-sanctioned BYOD program, many employees choose to use their personal devices for business purposes, allowing them to work from nearly anywhere.

A BYOD program can provide several benefits. Employees—who often develop preferences toward particular devices or brands—can use whatever devices they prefer. Instead of having to acclimate to company-issued devices, employees can use devices with which they are already familiar. Many people also find it inconvenient to carry company-issued devices in addition to their personal devices when traveling. With the growing emphasis on lighter and thinner mobile devices, many employees are reluctant to neutralize these weight savings by carrying extra devices. Companies may also find that they save money by not having to issue devices and manage data and voice plans. These savings can instead be used to provide support and maintenance.

While BYOD programs have potential benefits for both companies and employees, many companies struggle to design programs that maintain these benefits while protecting the privacy and security of sensitive data. Depending on the organization, such data may include individuals’ personal, financial, and health data, as well as important business-related data, such as human resources information, confidential information related to legal matters, and trade secrets. Therefore, employers need to consider various measures to minimize the risk involved in a BYOD program.

Concerns for Employers

By allowing employees to use their own devices for work purposes, employers lose some degree of control compared to a company-owned device. Although criminal cyberattacks frequently make headlines, employee negligence and lost or stolen devices continue to be a primary cause of data breaches. People tend to carry their personal devices everywhere, so when they are allowed to create, store, and transmit work-related information on these devices, there is a heightened risk of exposing sensitive company data to unauthorized individuals when these devices are lost or stolen.

There are also risks that do not involve loss or theft of devices. For example, if employees download malicious software, third parties may gain access to sensitive data. As another example, employees, especially those who own multiple devices, often store or back up their data in the cloud for convenient access across devices. In this instance, if the cloud service provider experiences a security breach, the company’s information may be at risk.

Employers also need to keep in mind that people frequently allow friends and family to use their personal devices. Compounding the risk is that when devices are shared with trusted friends and family members, the devices are often handed off already unlocked, potentially allowing unrestricted access to company information and networks. Friends and family members may also lack the employee’s security training and may inadvertently install malicious software that puts company data at risk.

Companies must consider business purposes, such as preserving reputation, as well as the numerous potential legal obligations surrounding data privacy and security. For example, federal and state breach notification laws would apply to the unauthorized use or disclosure of certain types of data. The information may be subject to many confidentiality laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. Businesses need to consider the various security laws that may apply, such as the HIPAA Security Rule and the Gramm Leach Bliley Act. There may be contractual obligations or trade secret laws to keep in mind. Employment laws may also enter the picture. For example, if nonexempt employees are allowed remote access via their BYOD devices, they might perform more “off the clock” work, which could give rise to wage and hour claims.

Moreover, employees may have privacy concerns. While some enjoy the freedom to use personal devices for both work and personal reasons, others may be hesitant to blur the lines between their work and personal lives. Some employees may be concerned about the privacy of their personal data, such as photos, text messages, personal email, and web browsing histories.

Implementing a Successful BYOD Program

One of the first steps in implementing a BYOD program is determining which employees should be permitted to participate. Not everyone in an organization needs mobile access to work e-mail and files. Certain positions in the organization may also involve greater risk that outweighs the benefits of participation. Employers should carefully analyze the various job functions within the organization and determine whether participation in the BYOD program is appropriate for each.

To address the concerns associated with a BYOD program, employers should have a carefully crafted BYOD policy and make sure that employees read, understand, and consent to its terms and conditions. The terms and conditions should describe the ways in which the employer will access and use employees’ devices. For example, employers should retain the right to access devices for business purposes, if necessary. The policy should also describe employees’ responsibilities, which may include reporting lost or stolen devices within a certain timeframe and refraining from using unapproved devices or installing unapproved applications.

Businesses should adopt procedures that address termination of employment, including procedures for deleting company data stored on terminated employees’ devices. Processes should be implemented to ensure that terminated employees no longer have access to company networks.

Companies should also implement various technical safeguards, such as encryption and passcode protection. Using a mobile device management (“MDM”) solution can help with configuring and enforcing these safeguards. MDM software can allow employers to require encryption and strong passwords, disable cloud services, lock devices after a period of inactivity, remotely wipe lost or stolen devices, and prevent the installation of unapproved applications on employees’ devices. MDM solutions can also help companies track which devices are participating in the BYOD program.

Training is vital to a successful BYOD program. Training should include regular reminders of good security practices, such as using strong passcodes, physically securing devices against loss or theft, and refraining from giving others access to devices that are used for work. BYOD programs shift much of the control over security to employees, so it is vital that employees are properly trained and receive periodic training refreshers.