Introduction
This checklist will assist in-house counsel, private practice lawyers, and human resource departments in developing a ‘bring your own device’ (BYOD) policy.
This checklist addresses the following steps:
- Considering potential costs, benefits, and legal requirements associated with a BYOD program and policy
- Drafting and implementing a BYOD policy – general provisions
- Drafting and implementing a BYOD policy – security requirements and practices
- Developing procedures for initiating and discontinuing employees’ use of their own devices
The checklist is presented as a list of steps and suggestions that employers can check off as they are addressed. At the end of the document, there are explanatory notes corresponding with each item in the checklist.
For further information on this topic, see How-to guides: How to manage your organization’s privacy and security risks, How to determine and apply relevant US privacy laws to your organization, Overview of US employment law and How to draft the key provisions of an employee handbook, and Checklists: Understanding privacy laws in the US and Drafting internal privacy policies and procedures.
Step 1 – Considering potential costs, benefits, and legal requirements associated with a BYOD program and policy
| No. | Requirement |
| 1.1 | Assess whether a BYOD program would benefit the organization |
| 1.2 | Understand the organization’s current tools and technology |
| 1.3 | Understand the costs and benefits of implementing a BYOD program |
| 1.4 | Understand the roles and duties of employees who will participate in the BYOD program |
| 1.5 | Understand the impact of state and federal laws relating to privacy |
Step 2 – Drafting and implementing a BYOD policy – general provisions
| No. | Requirement |
| 2.1 | Clearly describe the organization’s rights relating to the BYOD program and the use of dual-use devices |
| 2.2 | Clearly describe employees’ rights relating to the BYOD program and the use of dual-use devices |
| 2.3 | Clearly describe the acceptable use of dual-use devices and employees’ responsibilities |
| 2.4 | Create and notify employees about reimbursement requirements and guidelines |
| 2.5 | Specify what will happen upon termination of employment or prolonged absence |
Step 3 – Drafting and implementing a BYOD policy – security requirements and practices
| No. | Requirement |
| 3.1 | Identify IT-approved devices |
| 3.2 | Implement tools for the preservation of organization data and communications |
| 3.3 | Implement device monitoring tools and procedures |
| 3.4 | Identify applications and websites that require restricted access |
| 3.5 | Provide ongoing security training for employees |
Step 4 – Developing procedures for initiating and discontinuing employees’ use of their own devices
| No. | Requirement |
| 4.1 | Create a simple sign-up process for employee participation in the organization’s BYOD program |
| 4.2 | Establish criteria for the discontinuation of an employee’s use of their own device for work purposes |
| 4.3 | Develop procedures for discontinuing an employee’s use of their own device for work purposes |
Legal framework
There is no legal requirement in the United States for organizations to implement a BYOD program or to have a written BYOD policy. However, if organizations allow employees to use their personal devices for work purposes, or fail to prevent employees from doing so, this can have significant implications for the organization in relation to matters such as data privacy and confidentiality, as well as trade secret protection. If an organization decides to allow employees to use their personal devices for work purposes, it is highly advisable that the organization considers the relevant costs, benefits, and legal implications prior to doing so, and implements a BYOD program which is documented through a written BYOD policy. The information set out in this note represents best practice for an organization in relation to the use of employee-owned devices for work purposes.
The creation and implementation of a BYOD policy is both industry specific and dependent upon federal and state laws. For example:
- medical professionals may be required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to state-imposed medical privacy restrictions;
- financial institutions need to ensure compliance with the security provisions of the Gramm-Leach-Bliley Act of 1999;
- for organizations dealing with or dependent upon intellectual property, the Uniform Trade Secrets Act (as adopted by most states) protects information only if the owner has taken efforts that are reasonable under the circumstances to maintain its secrecy, so permitting trade secrets on unmanaged personal devices can undermine that protection; and
- depending on what information is collected during an employee’s use of a personal device for work, the Stored Communications Act of 1986, the Computer Fraud and Abuse Act of 1986, and the Genetic Information Nondiscrimination Act of 2008 may be implicated.
Key considerations
The use of an employee’s personal device, such as a computer, phone, or tablet, for work purposes (a ‘dual-use device’), raises two separate yet equally important concerns:
- the protection, privacy, and security of confidential, privileged, or otherwise protected business information belonging to the employer; and
- whether the other needs of the employer can accommodate the use of personal devices for work purposes.
The use of personal devices for work purposes by employees brings with it issues regarding compensation for work done outside of normal business hours, questions concerning what content is being accessed by the employee, and concerns over whether the employee is using the device to violate other workplace policies, such as those against sexual harassment, even if the activity is outside of the workplace and outside of working hours. An employee’s use of their own device to harass another employee could raise issues of whether knowledge of the harassment could be imputed to the employer because of the BYOD policy.
Step 1 – Consider potential costs, benefits, and legal requirements associated with a BYOD program and policy
1.1 Assess whether a BYOD program would benefit the organization
Consider what organizational needs might be met by a BYOD policy. Some examples are listed below.
- Is it necessary for the scope of their role that employees have a device? For example, a travelling HVAC technician may need a phone in order to accept calls remotely from the office.
- Does the organization already have devices for all employees and are there any issues with the current arrangements, such as increasing costs or recurring problems with employees losing or damaging devices that are issued to them?
- Does the organization aim to reduce capital expenditure on IT equipment and shift some of the device procurement and maintenance responsibilities to employees?
1.2 Understand the organization’s current tools and technology
Consult the organization’s information technology department regarding the security and privacy limitations of the organization’s current infrastructure in the context of a BYOD policy. Does the organization have the ability to remotely wipe a lost or stolen device? Are there resources in place to prevent a malware or ransomware attack? What are the encryption and security protocols? What safeguards will be in place to protect an employee’s non-work data from being wiped or deleted from their own device?
1.3 Understand the costs and benefits of implementing a BYOD program
Consider the costs associated with allowing employee-owned devices and balance this against the benefits.
- What savings are available to the organization through a BYOD policy?
- What mobile device applications or software will be needed to allow employees to use their own devices effectively alongside the organization’s existing systems?
- Will employees’ automatic phone backup be secure and sufficient for the organization to meet its business needs and any legal obligations such as those relating to data privacy? The backup and other security measures on a device used for personal or household purposes may not meet the technical requirements for a business.
- Will the organization be responsible for ongoing costs such as monthly mobile phone bills?
- What are the potential costs associated with providing technical support and training to employees using a diverse range of personal devices with varying operating systems and configurations?
Ensuring that an employee-owned device is sufficiently secure to use for work purposes may prove even more costly than the organization providing the device upfront.
1.3.1 Understand the organization’s potential savings from the implementation of a BYOD program
A BYOD program can reduce an organization’s expenditure on equipment. Some devices, such as a computer, may have a relatively long useful life, but for devices that are easily misplaced or broken, such as mobile phones, the cost of purchasing and replacing devices can be substantial.
However, consider the possibility that an organization may lose group purchasing benefits or tax deductions by implementing a BYOD policy.
1.3.2 Organization costs relating to the implementation of a BYOD program
The organization’s costs relating to the implementation of a BYOD policy can also prove substantial. Devices can be managed, to a certain extent, using the controls built into the device itself, such as auto-lock timeouts, find-my-device features, passcodes, and on-device encryption. However, built-in controls are configured by the employee rather than the organization, cannot be verified or enforced remotely without enrolling the device in a management system, and may not meet the organization’s security and encryption requirements.
Consider the limitations of current employee-owned devices. It may be necessary for the organization to purchase additional applications or software in order to ensure employee-owned devices are suitable for work use, and such purchases could be on either a one-time or a recurring basis. Also, consider that opening up the organization’s network to outside access may also require a substantial upgrade to a server or the purchase of additional security software.
1.4 Understand the roles and duties of employees who will participate in the BYOD program
Not all employees will need to participate in a BYOD program and there may be some categories of employee that should not be included. For example:
- employees who deal primarily in trade secret information or the organization’s intellectual property may pose substantial risks to the organization if their personal device is accessed, lost, or stolen; and
- non-exempt employees with dual-use devices may argue that they are being required to work unpaid hours if they are contacted regarding work-related matters outside of their regular working hours.
1.5 Understand the impact of state and federal laws relating to privacy
The applicable federal and state laws vary widely depending on the industry in which a business operates and the location of the business. Some key considerations are listed below.
- A hospital or medical clinic must comply with HIPAA including, but not limited to, notifying affected individuals and the Department of Health and Human Services in the event of a breach of unsecured protected health information.
- The Gramm-Leach-Bliley Act of 1999 requires financial institutions to maintain administrative, technical, and physical safeguards for customer information, and the Fair Credit Reporting Act of 1970 imposes related obligations for consumer report information.
- An organization that is dependent upon intellectual property, such as a graphic design or software company, should consider whether it may lose the protections provided by the Uniform Trade Secrets Act of 1979 by failing to take reasonable efforts to maintain the secrecy of its trade secrets.
Employee-owned devices may not be able to support all of the security and encryption requirements, or, if the device is used only occasionally for work-related purposes, an employee may be reluctant to install the necessary software. In addition, an employee-owned device may be subject to access – either permitted or unpermitted – by household or family members who may be careless with the data.
Step 2 – Drafting and implementing a BYOD policy – general provisions
2.1 Clearly describe the organization’s rights relating to the BYOD program and the use of dual-use devices
A BYOD policy must clearly articulate the organization’s rights relating to dual-use devices and should include the following:
- a statement that the use of a dual-use device may be terminated at any time by the organization, without advance notice;
- the organization’s rights to access an employee’s device when necessary for business operations, such as during the scope of litigation and for the purpose of preservation of discoverable material;
- provisions stating that dual-use devices may not be used to violate other organization policies, such as those on discrimination, sexual harassment, or equal employment opportunity;
- a list of approved devices that may be used if the organization only allows certain devices; and
- every right the organization retains so that employees are put on notice of those rights; for example, if the organization intends to do random security checks of devices, that should be stated clearly in the policy.
Note that laws in many jurisdictions prohibit organizations from compelling employees to provide their personal email account information or their social media passwords.
Example
Arkansas law prohibits an employer from requiring, requesting, suggesting, or causing current or prospective employees to provide their social media account usernames and passwords, change their privacy settings, or add employees or supervisors as contacts on social media.
2.2 Clearly describe employees’ rights relating to the BYOD program and the use of dual-use devices
Set out employees’ rights regarding dual-use devices. Specify the manner and the amount of reimbursement, for example, if employees will be entitled to reimbursement for the use of a device or for a monthly charge related to that device. Note that the Fair Labor Standards Act prohibits requiring an employee to pay for any business expense if paying that expense would cause the employee’s earnings to dip below applicable wage or compensation rates.
2.3 Clearly describe the acceptable use of dual-use devices and employees’ responsibilities
The BYOD policy should clearly set out the acceptable uses of dual-use devices, as well as the responsibilities of employees. If dual-use devices should be accessed only when an employee is working remotely, then the BYOD policy should state this. The BYOD policy should specify the security measures employees are required to take, for example, if an employee must auto-lock their phone or password protect it. Finally, the BYOD policy should state what training the employees are required to participate in before using a dual-use device.
2.3.1 Acceptable uses of device
Specify the acceptable uses of dual-use devices. A generic ‘any use relevant to business needs’ provision does not specify to employees what is and what is not acceptable. This can cause unnecessary frustration for employees and expose the business to security risks and data privacy breaches.
2.3.2 Acceptable uses of the organization’s network
The BYOD policy should also specify the acceptable access to the organization’s network from a dual-use device. Limit the use of the organization’s network to the scope of the employee’s work. Furthermore, employees should not be allowed to download or store organization data on their dual-use devices without prior written approval from the organization.
2.4 Create and notify employees about reimbursement requirements and guidelines
If reimbursement to employees for the cost of purchasing a dual-use device, or ongoing costs such as mobile phone charges, is a part of the BYOD policy, specify when, how, and to whom reimbursement will be made, as well as any requirements for the employee to submit reimbursement claims.
Tax considerations should be assessed by the organization.
2.5 Specify what will happen upon termination of employment or prolonged absence
The BYOD policy should also specify what will happen in the event of an employee going on leave, such as under the Family and Medical Leave Act of 1993, and in the event of termination or resignation. For example, it is common for employees to have their access to an organization’s systems, including internet access and employee email, terminated immediately upon their resignation. A terminated or resigning employee could also be required to have their device checked and wiped of the organization’s data. A policy could also require an employee, as a condition of being allowed to use their own device, to provide an undertaking that no data from the organization will be accessed after termination or resignation.
Step 3 – Drafting and implementing a BYOD policy – security requirements and practices
3.1 Identify IT-approved devices
A BYOD policy should also specify which devices, if any, meet the security, encryption, and privacy concerns of the organization. In addition, organizations should consider whether certain devices integrate with necessary business applications.
Example
At the Y-12 National Security Complex, a premier manufacturing facility with a vital role in the US Department of Energy’s Nuclear Security Enterprise, all personally owned Information Technology devices are prohibited without prior written approval. Prohibited personal devices include the iPhone, iPod, iPad, Droid, Blackberry, Evo, Pro Plus, Rogue, e-readers, netbooks, and laptop computers. However, these devices may be used in areas designated by the organization called ‘Property Protection Areas.’
3.2 Implement tools for the preservation of organization data and communications
To ensure work products are not inadvertently destroyed, especially in the event of litigation, the BYOD policy should specify employee requirements for the preservation of organization data and communications. The BYOD policy should specify which backup methods are required including the method, security, and timeliness of such backups.
3.2.1 Device authentication and single sign-on (SSO)
Single sign-on allows a user to authenticate once, to a central identity provider, and then access multiple applications without entering credentials again for each one. Implementation of SSO can save the organization, and the user, time and money from the headaches associated with (mis)remembering multiple passwords across various platforms, and it gives the organization a single place to revoke access when a device is lost or an employee leaves. It can also prove a security risk, however, because compromise of the single credential, or of an unlocked device holding a live SSO session, exposes every connected application; proper security protocols such as multi-factor authentication and device-level controls are therefore needed. A BYOD policy should set out the parameters of SSO together with any limits on its use and any necessary security measures.
3.2.2 Passwords
If the dual-use device will be able to access protected, confidential, or otherwise privileged organization information, the BYOD policy should also require the use of a strong password that will not be easily guessed, both for the device itself and for organization accounts. Organizations should specify password length and complexity requirements, give guidance on passwords that can be easily guessed (dictionary words, the employee’s own name or username, keyboard sequences, and common passwords such as ‘Password1’), and require multi-factor authentication for organization accounts where it is available.
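The following is an added example, not part of the original checklist, showing how the ‘easily guessed’ guidance in 3.2.2 can be turned into a concrete check that an organization might run when an employee sets a passcode or account password. The thresholds, the denylist of common passwords, and the function names are assumptions chosen for illustration; a real deployment would check against a large breached-password list rather than the handful embedded here.

```python
"""Password-policy check illustrating checklist item 3.2.2.

Added example; not code from the checklist. The policy parameters and the
short denylist are illustrative assumptions, not requirements from the text.
"""

import re
from typing import List

# Assumed policy parameters (illustrative).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3  # of: lowercase, uppercase, digit, symbol

# Constructed denylist of very common passwords. A real deployment would use a
# large breached-password list instead of this sample.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

# Keyboard rows and the alphabet, used to catch 'qwer', 'asdf', '4321', 'abcd'.
SEQUENCE_SOURCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                    "abcdefghijklmnopqrstuvwxyz"]

# Undo common character substitutions so 'P@ssw0rd' is still seen as 'password'.
_LEET = str.maketrans("0143$@!5", "oiaesais")


def _normalise(text: str) -> str:
    return text.lower().translate(_LEET)


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that form a straight
    keyboard-row or alphabet sequence, forwards or reversed."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        for source in SEQUENCE_SOURCES:
            if chunk in source or chunk in source[::-1]:
                return True
    return False


def _has_repeat(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")

    # Compare the password, and the password with trailing digits/punctuation
    # stripped, both as typed and with common substitutions undone.
    low = pw.lower()
    base = low.rstrip("0123456789!.?")
    candidates = {low, base, _normalise(low), _normalise(base)}
    if candidates & COMMON_PASSWORDS:
        problems.append("is a common password, possibly with trailing digits or punctuation")

    if username and username.lower() in low:
        problems.append("contains the username")

    if _has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")

    if _has_repeat(pw):
        problems.append("contains a run of repeated characters")

    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "qwerty123456", "jdoe-Summer2024",
                      "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, username="jdoe") or "OK")
```

The checks supplement, rather than replace, multi-factor authentication and lockout after repeated failures; a password that passes every rule above can still be exposed by phishing or by an unlocked device.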
3.2.3 Lock screens and session-timeouts
Employees should be required by the BYOD policy to enable a lock screen protected by a passcode or biometric, and to enable session timeouts and auto-lock of the dual-use device after a short period of inactivity. On current mobile platforms the passcode also protects the keys used for on-device encryption, so a device without a lock screen offers little protection to stored data if it is lost or stolen.
3.2.4 Remote data wipes
An organization with a BYOD policy should have the capacity to perform a remote data wipe of a lost or stolen dual-use device. The policy should state whether the organization will perform a full device wipe (erasing everything on the device, including personal data) or a selective wipe that removes only organization accounts, applications, and data, and the circumstances in which each will be used. Employees should be advised in the policy that a full wipe will result in the loss of their stored personal information. Make such notification explicit – best practice requires employees to provide a signed and dated acknowledgement of their receipt of the notice of the policy.
3.3 Implement device monitoring tools and procedures
The implementation of device monitoring tools and procedures should be specified in the BYOD policy. Monitoring may involve the installation of an application which prevents the employee from accessing insecure sites or downloading suspicious apps. It may also involve the organization occasionally reviewing the dual-use device for impermissible activity.
Note that employer monitoring must not interfere with employees’ protected union or concerted activity, and must not access employee personal information that is irrelevant to the business purpose of the monitoring.
3.3.1 Mobile device management (MDM)
An organization may also choose to implement mobile device management software, which enables the organization to enforce device configuration (such as passcode, encryption, and auto-lock requirements), monitor compliance, and – most commonly – remotely lock or wipe dual-use devices. Employees should be advised about, and consent to, the enrolment of their device in such software as a part of their participation in the BYOD policy, and it is best practice to keep a written record of such notification.
3.3.2 Mobile application management (MAM)
Mobile application management software allows an organization to enforce its policies on the business applications installed on dual-use devices, rather than on the device as a whole. It can also be used to secure business-related applications through ‘sandboxing’ (isolating each managed application so that it cannot share its data with unmanaged applications on the same device) or ‘containerization’ (keeping organization applications and data in a separate, encrypted, policy-controlled area of the device, such as a work profile, which can be wiped without touching the employee’s personal data). Mobile application management can fill gaps that mobile device management cannot, such as controlling how organization data moves between applications and blocking the use of applications that pose a security risk to the business, and it is often more acceptable to employees because the organization does not take control of the whole device.
3.4 Identify applications and websites that require restricted access
Specify any apps or websites that require restricted access, such as those associated with the organization’s email or those that allow remote access into the organization’s systems and network.
3.5 Provide ongoing security training for employees
Employees with a dual-use device should be trained on the BYOD policy on an ongoing basis, for example once or twice a year. The organization’s compliance department or human resources department should keep a log of the training given.
Step 4 – Develop procedures for initiating and discontinuing employees’ use of their own devices
4.1 Create a simple sign-up process for employee participation in the organization’s BYOD program
To encourage employee participation, adopt a simple sign-up process for employees to register their dual-use devices. A sign-up process should record the following:
- employee name;
- the device’s make and model;
- methods of access to business information (eg, email, various applications, web portal, etc.);
- date access given; and
- a record of training given to the participating employees.
If participation involves the installation of an application or software, an assigned staff member should personally guide the employee through the installation. Alternatively, make instructions for installation, including screenshots of each step, readily accessible.
4.2 Establish criteria for the discontinuation of an employee’s use of their own device for work purposes
The BYOD policy should specify the criteria for the organization to discontinue the use of an employee’s personal device for work purposes, for example, on termination or resignation. Organizations should also consider adding discontinuation of use as a sanction for improper use of the device, such as sending messages that constitute sexual harassment.
If participation in the program may be terminated at any time, for any reason, employees should be given notice of that possibility.
4.3 Develop procedures for discontinuing an employee’s use of their own device for work purposes
A BYOD policy should include procedures for discontinuing use of the device for work purposes. The BYOD policy should specify when a remote wipe would be required and who would perform the wipe. The policy should state whether the organization will perform a full wipe or whether an IT professional will instead remove business applications, unlink organization email accounts, and revoke the device’s access credentials, such as certificates and sign-on tokens, so that the device can no longer reach organization systems. Organizations should ensure that those who conduct remote wipes are trained to check whether employee consent was given. It remains best practice to obtain remote-deletion consent before entering into a dual-use device arrangement.
Additional resources
Related Lexology Pro content
How-to guides:
How to draft a business continuity plan
How to manage your organization’s privacy and security risks
How to determine and apply relevant US privacy laws to your organization
Overview of US employment law
How to draft an employment contract
How to draft the key provisions of an employee handbook
How to protect trade secrets in the employment relationship
How to develop a whistleblower policy and reporting program
How to use arbitration agreements in employment
How to prepare for an Occupational Safety and Health Administration (OSHA) inspection
How to comply with the unemployment insurance program
Checklists:
Understanding privacy laws in the US
Drafting internal privacy policies and procedures
Determining the difference between an employee and an independent contractor
Dealing with workplace injuries
Employee drug testing
Terminating the employment of an at-will employee
Drafting a non-compete agreement