According to a recent survey by the IT governance, risk, and compliance services company Coalfire, 84% of participants said they use the same smartphone for personal and work purposes. It’s tough to say how many employers have policies on employees using their own mobile devices for work, but “not enough” is probably a good guess.
A PricewaterhouseCoopers information security survey found that 43% of respondents had a security strategy. And a survey by YouGov and Research Now found that 67% of surveyed companies had no policies or procedures to manage employees’ use of personal devices for work purposes. The Coalfire survey also indicated that 47% of respondents said they have no passwords on their mobile phone, 36% reuse the same password, and 60% admit to writing down passwords on a piece of paper.
What’s an employer to do, especially since smartphones are becoming smarter and cheaper and the odds are that employees already are accessing your data from them?
In crafting a policy on employees’ use of their own smartphones and other devices for work purposes, aim for balancing your need to safeguard data and hardware with your employees’ need for privacy. You also may need to address overtime work since smartphones can tether an employee to the organization throughout the day.
No action is required. However, here are a few factors to consider in implementing a policy on employees’ use of their own mobile devices. Your AlphaStaff HR Manager is available to help draft and/or review your policy.
Initiate a “wipe” policy. Require your employees to download software that allows you to remotely access and wipe devices. That provides protection if devices are lost or stolen. Additionally, there are software programs that can sequester work-related information into a software “sandbox,” creating a virtual folder in the personal device.
Require written agreements. Once you locate software that fits your needs, have your employees sign a written agreement that discloses all risks associated with the software (such as information loss) and requires them to download it onto any device that will be used to access work-related information. Make sure employees understand they have no expectation of privacy in personal devices used for work purposes.
However, in monitoring employees’ use of their own device for company purposes, make sure you examine only items related to company matters. It may be possible to have a third party perform the monitoring so that otherwise unavailable data (health information, for example) isn’t revealed.
Ideally, you would have a signed agreement in place before allowing employees to work using a smartphone or other personal device, but that may not be possible. Check with experienced counsel on how to handle past usage of personally owned devices for business purposes.
Limiting the privilege? Consider restricting the privilege of using personal devices for work purposes. Allow only certain employees to have the privilege of using personal devices, and exclude personnel who frequently handle sensitive data or personally identifiable information. Further, limit the type of information that’s accessible from a personal device (e.g., e-mail). Again, employees may have already begun using their personal devices, so it may not be practicable to restrict privileges.
Make device inspection a part of the exit interview. Have employees consent in writing to have their devices inspected at exit interviews. Also, obtain permission to remotely wipe the device of any terminated employee.
Don’t allow employees to store corporate information on personal devices. Have them sign a written agreement that they won’t store any corporate information on their personal devices.
Require employees to produce their devices for inspection. Have them sign a written agreement that they will turn over their personal devices for inspection upon a legitimate request.
Finally, make sure employees know that all overtime must be preapproved. That will help preclude claims that work done after being contacted on a personal cell phone should be paid at overtime rates.
Any existing policy is probably out of date. Keep abreast of changing technology, including how software or apps on a smartphone may affect your data. And if you already have a policy in place, we recommend that you review it soon because it likely hasn’t kept up with changes in technology.
This is a tricky area of both HR policy and the law. There may be some guidance on the horizon. In July 2012, the National Institute of Standards and Technology, part of the Commerce Department, issued draft guidelines for federal agencies on securing smartphones and tablets used by government employees. The standards apply to government workers, but the private sector will look to them for guidance. Whatever you do, involve your IT department and experienced attorneys in tackling these issues.