BYOD (Bring Your Own Device) Policies: Considerations for Data Security

The technological advancements of the past decade, especially the smartphone, have brought about drastic changes in the way we go about our everyday lives. As many of these advancements have seemingly made our lives easier, we have come to depend on them more and more. To a great extent, the “business phone” has disappeared and employees at all levels now often use their personal devices for both work and personal use. Whether smartphone, tablet, or laptop, it has become easier and cheaper for both employers and employees to maximize the use of these devices by using them for virtually everything. However, this mixing of uses for work and play carry potentially heavy consequences.

A device used for both work and personal use likely contains information of customers, clients, independent contractors and other employees – including personally identifiable information. At work, such devices may be protected by firewalls, secure WiFi networks, strict use policies, and other mechanisms. But what happens when these same devices are used for work purposes in other settings? Though password protections and program encryption help to minimize these risks outside of the workplace, there are still numerous vulnerabilities. An employer has no concrete control over the software, operating systems, updates, or applications on their employee’s personal devices. Also, many of us are all too familiar with our carrier monthly data plans, and as such tend to take advantage of free wifi in places like airports, hotels, cafes, and many other venues. These types of situations raise the risk of a data security incident occurring.

Then there is personal use on these same devices, in or out of the workplace. As the recent ransomware incident that crippled the National Health Service of the United Kingdom shows, there are countless ways hackers, viruses, malware, ransomeware, phishing, and otherwise cyber-thievery can take place. Of course, losing or having a device stolen can produce the same results, and is yet another example of the need for adequate data protection. If your devise is used for work and personal use, there are simply more opportunities for a data security incident to occur. Personal email and social media accounts are in-routes to the more valuable data stored on that device. Because these risks can be minimized, but not completely negated, it is best to have a strong BYOD (“bring your own device”) policy in place if your employees use devices for both work and personal use. As the use of personal devices in the workplace has become the norm, and as a cost-saving mechanism, a strong BYOD policy can help employers to better realize those savings.

A well-drafted and implemented BYOD policy will help to lessen the chances of a data security incident occurring in the first place by creating a technical and organizational governance structure designed to expose and mitigate data security risks. The BYOD policy can also set ground rules for employee uses of work-related programs and storage of work-related data, such as secure access requirements. Further, effective plans often prohibit certain applications from a device used for work purposes and require certain upgrades and maintenance intermittently.

It is important to remember the value of personal information, and the premium placed on it not only by the person it belongs to, but by governmental agencies dishing out punishment if such data is made wrongly accessible. There are countless federal and state privacy and data statutes, as well as the potential for criminal and civil liability to private parties for any such data security incidents. The technology has now been here long enough that are no more excuses for a lack of proper safeguards, and employers of all sizes and fields must be proactive in their data security.