More employees are using their own smart phones, iPads and other electronic devices for work purposes -- even though this practice could expose companies to financial, legal and other types of risks, experts said.
“One of the biggest risks on the security side is security breaches,” said Phillip Gordon, chair of the privacy and data protection practice group at Littler Mendelson P.C., an employment and labor law firm with offices around the world. “Millions of devices are lost or stolen each year. And a locate request is sent every 3.5 seconds.”
There is the question, too, of what to do when an employee quits -- with the company’s data on the employee’s personal device.
More employees are using personal electronic devices for work -- whether their employer approves or not. About 77 percent of information workers in the United States and Great Britain use their personal mobile devices and tablets for work, according to a survey released in June 2012 by SkyDox, a file sharing, synchronization and storage collaboration platform.
Major corporations such as IBM, Kraft, and Cisco have crafted policies to guide workers who want to bring and use their own devices for work (commonly known as BYOD). However, these companies often do not extend this privilege to all workers. IBM recently told employees that while they could use their iPhone devices for work, they weren’t allowed to use the Siri app, Dropbox and Apple’s iCloud, saying they posed a security risk.
Gordon and other experts from Littler Mendelson took part in a June 6, 2012, Society for Human Resource Management (SHRM) webcast to discuss the challenges of letting employees use their own devices for work. For employers, the dangers and expense of allowing BYOD outweigh the advantages, experts said.
Many companies say that letting their employees use their own device saves money, but this is not true, said Michael McGuire, chief information officer in Littler Mendelson’s Minneapolis office. A recent CIO Magazine survey said that allowing BYOD costs companies more because they end up having to pay a portion of their employees’ wireless plans, McGuire said.
A company can see a big spike in help desk and support costs, too, as employees call in to figure out how to get their iPhone, Android or other electronic device to work with company software.
“The number of devices out there is staggering,” McGuire said. “There is not one Android operating system but hundreds with subtle, different tweaks.”
For instance, a Texas jury awarded a woman $24 million when she was hit by a Coca-Cola van driven by an employee who was using a cell phone. What’s more, companies have no control over an employee’s device (or company data stored on it) if law enforcement officials demand that the person turn over their device as evidence, experts said.
Experts offered HR professionals these tips on how to handle BYOD:
• Limit the number of employees who are allowed to use their own devices for work purposes. Limit the privilege to employees with a “need to know, a need to use, and a need to have” their own devices, Gordon said.
• Consider what would happen if an employee left the company with a device with corporate data on it or if their device were lost or stolen.
• Consider installing remote wipe software on employees’ devices so sensitive company information can be erased if the device is lost. However, the employee’s consent must be obtained before such software can be installed.
• Consider using a “sandbox” on an employee’s device -- a separate area where company e-mail, calendar and other functions are stored. The employee would have to enter a separate password to enter this area, and remote wipe software could erase data only in the corporate sandbox.
• Prohibit nonexempt employees from answering work-related emails outside working hours when using their own equipment, said Josh Kirkpatrick, a shareholder at Littler’s Denver office. This way companies can avoid being liable for wage and hour and expense reimbursement costs.
• Consider restricting employees from using devices such as iPhones that sync automatically with other devices in their homes. This prevents company data from being transferred automatically to other devices.
• Make it clear to employees that they should not let family and friends use personal devices that are used for company purposes and should not share or store passwords on these devices. This lessens the risk that confidential company information will be compromised.
• Require employees to report promptly when a smart device they use for work is lost or stolen.
• Review exit interview processes for BYOD employees. How can the company ensure that data that is stored on an employee’s personal device is returned?
“It’s not just a tech-only solution,” Gordon said. “Your company needs policies, and your company policies are going to have to be supplemented with operation procedures and training.”
Greg Wright is a Washington, D.C.-based freelance writer who has covered Congress, consumer electronics and international trade for major news organizations.