Because mobile devices permeate the workplace, it is inevitable that employees access and receive trade secrets or confidential information through mobile devices. Given this regular exchange of sensitive information, it is more critical than ever that employers take steps to secure and protect their company’s information. One place employers can do so is in the policies that govern employee use of mobile devices.
Companies generally fall into two categories with respect to policies governing the use of electronic devices for work-related purposes: BYOD and COPE.
Under a BYOD, or “Bring Your Own Device,” approach, employers allow employees to use devices employees personally own for work purposes. A BYOD policy gives employees the widest latitude in choosing a mobile device. BYOD can improve employee morale and attract employees who prioritize having cutting-edge smartphones. However, this approach requires the employer’s IT department to support a wide variety of devices and manage data across multiple platforms. Thus, BYOD can be more costly.
In the BYOD scenario, employers should implement policies for how company information may be used and stored on the devices. Policies should also address how the employer will secure company information on a device when the employee leaves the company. For example, policies should inform employees that any company information residing on their personal devices at the end of employment belongs to the company and must be returned. Policies may expressly include a protocol for how BYOD devices are scrubbed of company information at the conclusion of employment.
Employers with a BYOD policy may also wish to require employees to create a secure area on the employee’s personal device that is used solely for work-related data and activity. This allows the employer to secure data and information when an employee departs the company.
A BYOD policy should also require employees to report lost or stolen devices to the company immediately. Employers may also wish to reserve the right to remotely wipe the device, or portions of the device, when a device is lost or stolen.
Under the COPE, or “Company-Owned, Personally Enabled,” approach, it is significantly easier for an employer to maintain control over company information stored on the employee’s device.
The COPE approach allows the employer to dictate which devices and platforms are supported. Employees may not like the COPE approach unless the employer offers a variety of devices. Employees may also not like this approach because they will want to use their devices for personal activities in addition to business activities.
Given these competing interests, companies that use the COPE approach may wish to develop a policy that allows employees to install personal applications, download music or take personal photos using the device. Employers that allow personal activity on COPE devices should consider how to allow personal activity without compromising the security of company information, as well as how to deal with the employee’s personal data and applications when the employee leaves. A COPE policy should also address the possibility that an employee’s device may become subject to a litigation hold. As in the BYOD approach, a COPE policy should authorize the company to wipe a device remotely if it is lost or stolen, notwithstanding that the device may contain personal data.
Selecting and implementing a mobile device policy involves many considerations. Employers should carefully consider how their policy may impact the company’s ability to protect its trade secrets and confidential information. Employers that develop policies with these issues in mind will best position themselves to protect proprietary data and information, particularly when an employee leaves the company. Failure to proactively draft policies for the protection of trade secrets and confidential information could result in sensitive information being shared with a competitor or used for other improper purposes.
Benjamin Fink, Neal Weinrich