Issues abound with allowing employees to use their personal electronic devices to access the employer network and perform work including:
Who owns the intellectual property that is created on the employee’s device? Surprisingly, the default answer is not always the employer in these situations.
Both the employer and company have privacy issues in play. If employees have sensitive corporate data stored on their personal devices, is the data safe from hackers? What if the device is lost or stolen? If the employer needs to access the personal device (think termination of the employee, investigations into employee misconduct, need to preserve data under electronic discover obligations, etc.) how is that accomplished without violating the privacy of the employee as to the other personal data on the device?
Wage & Hour
Are hourly employees allowed to use personal devices for work? If so, does that expose the company to off-the-clock claims (lawsuits where the employee claims he or she worked but did not record the time and thus was not paid overtime)?
Does the employer have access to wipe the device remotely if needed if it is lost or stolen (or if the employee is terminated)? If so, what about the employee’s personal data stored on the device (contacts, photos, etc.)? What if the employees personal device leads to a security breach, virus or attack by a cyber terrorist?
The best policy may be to prohibit employees from BYOD and, instead, invest in company-paid electronic devices. . If the employer wants to allow BYOD, it should limit such activities to non-hourly workers and, quite clearly, must implement a BYOD policy to address the issues discussed above. Any such policy should specifically identify the devices to which it applies, should require proper security protocol to protect company data (software, virus detection, password requirements, etc.), should provide procedures to follow within specific time frames if the device is lost or stolen, should specifically address employer ownership of intellectual property, and must eliminate any expectation of privacy with regard to the personally-owned device that is being used to access the company network.