How HR can craft effective BYOD policies

Although the management of BYOD programs has primarily fallen on IT, experts say HR must now get involved to create BYOD policies for employees.

The bring your own device, or BYOD, trend, which allows employees to use personal devices including smartphones, tablets and laptops to access company data and applications, isn't going away. If anything, the movement is continuing to gain momentum with companies looking to boost productivity and increase employee job satisfaction.

While the responsibility for ensuring that corporate networks aren't compromised and sensitive data doesn't fall into the wrong hands has rested squarely on the shoulders of the IT department up until now, experts say the implications of BYOD are now moving past IT into the human resources (HR) arena because at its core, BYOD is really an employee issue.

A great deal of risk and liability comes along with BYOD that both employers and HR managers need to be aware of, according to attorney Beth Zoller, legal editor at XpertHR, an online compliance tool for HR professionals based in New Providence, N.J. For this reason, it's critical for employers to have clear and effective BYOD policies that they provide to all employees.

So, the burning question today is this: How should HR craft an organization's BYOD policy so that it strikes the right balance between employee convenience and corporate security?

"HR should definitely be setting policies, because there are a lot of inherent difficulties with BYOD," said Casey Sipe, a management-side employment law attorney with Scaringi & Scaringi in Harrisburg, Pa. "HR is going to have to work with IT to figure out what is possible and what's not, given the company's system."

BYOD policies should address data, usage and liability

To protect the business as well as employees, a company has to have BYOD policies governing security. For example, if employees are accessing the corporate network on personal devices, they need to have login requirements on these devices, like security keypads, passwords or some other type of mechanism, Sipe said.

HR leaders should also think about data retention on personal devices. "A company [should] have a policy in place that requires employees to understand that if they lose their phones or leave the company, the company reserves the right to wipe them," Sipe said.

In Sipe's experience, although these policies state that the company will strive to delete only corporate data from personal devices, they don't make guarantees that personal information won't be lost as well.

In addition to security threats to an employer's network and data, there are other risks that come along with BYOD that HR needs to be cognizant of when it develops BYOD policies, according to experts.

"An employer can risk overtime wage and hour lawsuits from employees who are using their own devices to answer calls or emails after working hours," XpertHR's Zoller said. "There's [also] distracted driving and safe-driving lawsuits. Just recently Coca-Cola was hit with a $21 million court judgment after a Texas woman was struck by a Coca-Cola truck driver who was talking on her cell phone when driving."

Because of the possibility for such lawsuits, companies should create BYOD policies that address potential litigation against the business. And both Sipe and Zoller agree that employees need to understand that they might have to make their phone available for the company to pull information off it in the case of a lawsuit.

In addition, HR should include a regulation that forbids employees from jailbreaking Apple iOS devices or rooting Android devices. Jailbreaking and rooting enable users to bypass the restrictions of the installed operating system, download unapproved apps and make changes not sanctioned by their employer, all of which Sipe said could potentially compromise the company's network and data.

"The policy might include an acceptable use agreement -- what the device can be used for," Zoller said. "The company also needs to include a policy about conducting periodic audits to ensure that the employees are complying with the employer's rules." In addition, HR should provide training sessions to employees and managers, she said.

BYOD policies can be either written as standalone guidelines or incorporated into an employee handbook. But if an organization opts for the latter, HR managers should alert workers to the fact that the handbook contains new BYOD policies, Sipe said. It's also advisable to require workers to acknowledge receipt of these policies, Zoller added.

Finally, because it's critical for employers to create effective BYOD policies, both Sipe and Zoller advised that organizations might want to consult with attorneys to ensure they get it right.

IT and HR should work together on BYOD policies

Wolters Kluwer, a global information services and publishing company based in the Netherlands, hasn't moved to a BYOD program yet; currently, the organization usually supplies employees with dedicated mobile devices. However, Kathy Baker, its senior vice president of HR, said the possibility of launching a BYOD beta program is on the table.

Baker also said the company has broadened employees' mobile capabilities in recent years, with the option to use personal devices. "A couple years ago, we expanded the number of devices and the types of devices we would [purchase] for employees and support. That was directly in response to the laptop to the iPad explosion," she said.

HR supported this effort with a policy change, where device options were listed and caveats for personal device use were spelled out. "If you decide to use your own [device], we're not necessarily going to support you technically, and we may require you to separate your work stuff from your personal stuff," Baker said. "And we're going to potentially install management devices so that we can have a line into what you're doing."

Now that the company is thinking about embracing BYOD full-on, the IT department is convening with HR to hash out the issues from an HR standpoint, Baker said.

"What's our obligation around protecting data? What do we do when people leave the company? [Today] they don't get to keep their work device, so we don't have to worry about scrubbing data," Baker said.

And to Baker, the issue also goes beyond her organization.

"For me, IT works very closely with HR in developing the policies, so I'm not particularly concerned that I get left out of the loop," she said. "But the question is, is the world ready to understand that the line between privacy will get blurrier once you mix ... information from your personal life and your work life? That's the part that I sometimes think we should all take a breath and consider."

About the author:
Linda Rosencrance has written about technology for more than 10 years and has been a reporter for more than 20 years. A former Computerworld reporter, she is a freelance writer in Massachusetts and also an author of several true-crime books.
