What are the Challenges of a Bring-Your-Own-Device Policy?
Given that personal electronics are so prevalent in today’s society, navigating how to implement and enforce workplace policies on the use of devices (such as cell phones, tablets, and computers) can be challenging. A common question is who controls the records that are created and stored on such devices: the employee or the employer? Employees argue that they have the legal rights to the digital records since they are the ones who physically own and pay for the devices. Employers, on the other hand, maintain that because they pay their employees to create those records and the work product is created specifically for the organization’s use, they have the legal rights to the digital records.
Organizations that offer a bring-your-own-device (BYOD) policy are faced with establishing appropriate legal relationships with their employees that explicitly make clear the ownership of the digital records created on employees’ devices. This policy should also explain that the employer has the right to take control of a device, the right to confiscate a device, and the right to conduct a full investigation of a device. Because employees are likely to be more sensitive about having their personal property confiscated or investigated, it is paramount that employers make policies as clear as possible to avoid any possible issues with employees.
To avoid the challenges of a BYOD policy, organizations might instead opt to implement a program that supplies employees with devices. These programs, commonly referred to as company-owned personal-enabled (COPE), limit the personal purposes for which an employee can use the device. However, even with a COPE program in place, organizations should still establish policies clarifying the authorized uses of the device, the possibility for confiscation and/or investigation, and the legal rights to the digital records kept on the device.
A controversial topic in the modern workplace is bringing your own device to work. Many employees today use their own smartphone or tablet in order to do work on behalf of their employer. Questions arise about who has control over the records that are created and stored through these devices. In a physical sense, the employee has control; however, the employer may maintain that they paid their employee a salary to write a spreadsheet or create a video, so they own that work product and need access to it. An employer may argue that if an employee doesn’t work for them in the future, they should have the legal right to take control of that work product.
A challenge today is having an appropriate legal relationship between the employee and the employer, expressing ownership rights with respect to the records that are created through bring-your-own-device (BYOD). Some organizations will have very stringent agreements with employees that make clear that the employer has the right to take control of a device, to confiscate a device, and to conduct a full investigation of the device. However, this is controversial in the sense that a lot of employees think, “That’s my personal phone. I pay for the service. I own that phone. I use that phone for family and personal matters. I don’t want my employer seizing my phone. I don’t want them digging around looking at pictures.” Therefore, for an employer to work out the appropriate type of agreement can be a very sensitive topic. What I see in the workplace is that many different employers have many different outcomes in what is actually stated in a BYOD policy or contract with employees.
As a result of this controversy, I see another option. I see some organizations decide that they are going to own the device. They buy and pay for the service, but they give it to the employee to use for limited personal purposes. That formula is called COPE: company-owned personal-enabled. If an organization decides to have a COPE relationship with employees, the organization is often wise to have an appropriate contract and/or policy. For example, the organization would want to make clear in a COPE agreement that the employee will not use the company-owned product in a way that would be offensive to the employer or other employees. You wouldn’t want the employer to find that the employee is using the company-owned equipment to create a hostile work environment where discriminatory messages and pictures and so on are exchanged in the workplace.
In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.