Tips for Creating a BYOD Policy

A company BYOD policy – bring your own device – sets forth procedures, standards and rules of employee conduct, for the use of personally owned devices. Personally owned devices include laptops, flash drives, and smartphones. Many companies permit or require employees to telecommute. When an employee is working at home, or somewhere other than the worksite, it is critical the employee understands what is and is not permitted with respect to the personal devices the employee uses to perform work.

What Should a BYOD Policy Contain?

There is no one-size-fits-all BYOD policy. However, all BYOD policies should contain some basic content. 

Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.

This content should include:

  • A statement of the purpose of the BYOD policy. The statement of the purpose of the policy should indicate that the policy is intended to protect the integrity and security of the organization’s IT structure. The statement should also contain general language about whether the organization will grant exceptions to the policy, and when.
  • A statement of the organization’s commitment to employee privacy. This statement should note that employers will respect the privacy of employee personal devices to the extent it is feasible.  Here, the policy should note that the employer may require access to the personal device when needed by IT personnel to implement security controls; or when needed to comply with requests for documents or data as part of a legal proceeding.
    • Here, the employer should draw a line between personal devices, and company-owned devices provided for employee use. With respect to the latter, the policy should state employees neither have a right of privacy nor an expectation of privacy, with respect to the use of this equipment.
  • A statement defining what acceptable business use is of personal devices. A typical definition of “acceptable business use” is “activities that directly or indirectly support the Organization’s business.”
  • A statement defining what “acceptable personal use of personal devices on company time,” should an organization wish to allow that use. A good definition is something to the effect of “reasonable and limited personal communication or recreation, such as reading.” An organization can choose to provide additional detail about how much personal use is permitted; where it is permitted; and under what circumstances it is not permitted.
  • A statement regarding what personal devices CANNOT be used for. This statement should note that personal devices may NEVER be used to:
    • Store or transmit illicit materials.
    • Store or transmit proprietary information.
    • Harass others.
    • Engage in outside business activities.
  • A statement regarding what company resources an employee may use their personal devices to access. Such resources can include:
    • Company email
    • Company calendars; 
    • Company business contacts; and 
    • Company documents.
    • A statement as to what devices (i.e., iPhone, iPad, Android, Mac, Windows) are supported.
  • A statement as to who handles connectivity issues (typically IT), and whom employees should contact for operating system and hardware issues – namely, the carrier for the operating system.
  • A statement that before personal devices can access the network, the devices must be presented to IT for proper job provisioning and configuration of standard apps, such as browsers, office productivity software, and security tools.
  • A statement on security measures that must be taken. This statement should include the following or similar language:
    • “In order to prevent unauthorized access, devices must be password-protected using the features of the device and a strong password is required to access the company network.”
    • “The company’s strong password policy is: Passwords must be at least six characters and a combination of upper- and lower-case letters, numbers, and symbols. Passwords will be rotated every 90 days and the new password can’t be one of 15 previous passwords.”
    • “All devices must be encrypted according to NIST guidelines.”
    • “The device must lock itself with a password or PIN if the device is idle for five minutes.”
    • “Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.”
    • “Laptops, Smartphones, and tablets that are not on the company’s list of supported devices are not allowed to connect to the network.”
    • “Laptops, Smartphones, and tablets belonging to employees, that are for personal use only, are not allowed to connect to the network.”
    • “Employees’ access to company data is limited based on user profiles defined by  IT and automatically enforced.”
    • “The employee’s device may be remotely wiped if:
      • The device is lost or stolen.
      • The employee terminates his or her employment.
      • IT detects a data or policy breach, a virus, or similar threat to the security of the company’s data and technology infrastructure.”
  • A statement about risks, liabilities and disclaimers. This statement can include the following or similar language:
    • “While IT will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.”
    • “The company reserves the right to disconnect devices or disable services without notification.”
    • “Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.”
    • “The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.”
    • “The employee is personally liable for all costs associated with his or her device.”
    • “The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.”
    • “The Organization reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.”
  • A statement that employee access to and continued use of the company’s resources is granted, on condition that an employee reads, signs, and agrees to abide by the BYOD policy. This statement should contain a provision along the lines of, “By attesting that I, the named employee, understand this BYOD policy, I agree that I will abide by its business practices and if not will face disciplinary actions.”