CASE PROJECTS

Because BYOD has become widespread in companies, the location of files when a litigation hold has been issued can be complicated. Find an article that discusses processes and policies that can be used to solve this problem.

-Write three-paragraph summary of the article's recommendations?

I Introduction 'The use of employee-owned devices-such as smartphones, tablets. and laptops. for both personal and professional use-has become increasmgl}r common. While there may be some advantages for employers in having a \"bring your own device" (BYOB) policy, such a policy will also raise a host ofpotentially thorny problems, such as issues related to data security, ownership. and preservation; esdiscovery; privacy; safety; and wage and hour compliance. While employers want to protect their proprietary information. employees may view a BYOD policy as invasive of their privacy if the employer momtors their personal data or tracks their location via their own personal mobile device s. This Article addresses the tension created by the BYOD concept and discusses practical tips for implementing a BYOD policy It includes, in Part II, a discussion of the reasons for adopting a BYOD program; in Part III, a description of some ofthe information security issues surrounding BYOD programs; in Part IV, a discussion ofthe legal is sues that may arise with BYOD programs; and, in Part V, a summary ofprovisions that should be addressed in any BYOD policy. II. Why Adopt a BYOD Program? In recent years. employers are more frequently allowmg. oen encouraging and subsidizmg, employee use of their own digital communication devices for work. purposes. Employers are adopting BYOD programs for several reasons. First= some employees want the exibility and freedom to choose devices and means ofaccess to those devices 1 This employee benet can also serve to help recruit new employees, particularly those in the millennial generation who are typically more \\villmg to spend their own funds on the newest technology. in addition, as smartphones become ubiquitous, employees are less willmg to carry two devices (e.g., carrying a work BlackBerry and a personal iPhone). Employees who want to avoid the "two pocket\" syndrome prefer BYOD progams. Indeed. a recent survey found that eighty-four percent of employees use the same smartphone for work and pleasure.2 Fmally= EYOD programs are touted as a way for employers to reduce expenses, on both hardware and operations of systems and services. because employees largely bear the expense. However. the cost savings are not as great as would first appear. Employers that provide employees with employ er-owned devices are typically able to negotiate group discounts on devices and cellular services. Depending on how the employer structures its expense reimbursement for the BYOD program, it could end up paying more because the potential employer savings from a bulk purchase are lost when employees purchase devices and services on their own. In addition, employers can experience an increase in IT-related support costs if employees are using different platforms on different devices} For these reasons. before adopting a BYOD program, an employer must determine the driving force behind its decisron. [fit is making the deCision because it believes it Wlll reduce costs. the employer should research and evaluate the hidden costs associated with a BYOD program. In addition to evaluating the benefits ofa BYOD program, employers must also consider the challenges and risks that arise when employees use personal devices for worksrelated purposes 'The risks of BYOD policies fall into two broad categories information security and legal. III. Information Security Issues The increased prevalence ofBYOD programs raises several security challenges. A. Loss ofDevice The most obvious risk associated with a EYOD program is the loss or theft of the employee's device. The Juniper Networks' Third Annual Mobile Threats Report outlines several areas of risk. A lost or stolen device, especially those without security settings like passwords. can present a signicant risk to mterprises and consumers, mcluding' \"' Data breach. Like a laptop, a lost or stolen mobile device wrth customer or employee information can result in a data breach that may carry significant legal and reputationa] costs. \"' Loss of intellectual property and trade secrets: Mobile devices often hold sensitive information about projects, as well as intellectual property, that when in the wrong hands= could have devastating effects on business. * Loss ofpersonal information: Mobile devices hold signicant amounts ofpersonal information which ifstolen could be used for avariety ofmalicious purposes. including fraud and identity thefr.4 While employers can adopt procedures that enable them to remotely wrpe employer-owned devices inthe event of a loss or the, employers may not have the ability to remotely wipe an W device for several reasons. First. the remote wiping ofa device will delete all information on that device. which would necessarily include the employee's own personal data. Accordmgly. as discussed below, an employer's wiping of data without an employee's consent could lead to a claim under the Computer Fraud and Abuse Actj the Stored Communication Acho or relevant state statutes} Moreover, even if an employer has included protocols in its BYOD program regarding the remote wiping of data, the employers actual ability to implement those procedures will hinge on several factors outSide ofthe employer's control. such as the employee's knowledge and understanding of the BYOD policy. prompt notication to the employer ofthe loss: and cooperation in allowing the remote wiping of data from the device. These problems were highlighted in a recent survey. which found that: More than half ofthe respondents said their company did not have the ability to wipe data from a phone if it is lost= while 28 percent said they were unsure if the company was able to remotely wipe data. .. A pruiyy; _o_f workers said they were not sure who to contact if they lost their phone, while 15 percent said they would call their service provider. 'I'werttymine percent of workers said they would call their company in the event of losmg their devices These statistics highlight the need for employers to have well-defmed poliCies regarding what is expected ol'employees in the event a device is lost or stolm. including gaining written permission to traclt, locate, lock, and wipe devices remotely under clearly defined circumstances. 1 B. Malware Nirus Protections Even if a device is not lost or stolen. mahcious software (malware) that is downloaded to a device by the employee can compromise the employer's data. The download is typically unintentional; employees think they are downloading harmless applications (apps) when ii_1_ March 2012 through March 2013, mobile malware grew 614%, compared with a 135% increase reported in 2011.9 The risk is greatest for employee-owned devices: "[t]h;opgh 2014. employee- owned devices will be compromised by malware at more than double the rate of employer- owned devices." 10 C. Mobility and Accessibility The mobility and accessibility of devices raise additional security concerns because data are stored and transmitted on devices and networks over which the employer has no control. In the past, employees could only access the employer's data over employerecorilrolled networks. When using their personal devices. employees can access networks that may not be secure. thus increasing the risk of compromising the employefs data. Unintended circumstances can cause compromised or lost data, compounding the risk. lndeed. " [W information on the device may be stored alongside personal videos ofjunior league soccer and Angry Birds. whichthe employee's forum-old daughter plays daily. One mis-swip e. or wrong button hit, and the work data could he corrupted, lost or accidentally transmitted to the entire junior league.'I 11 in addition, programs such as Dropbox and Google Drive allow employees to move data om secure employer networks to the cloud 12 This can raise serious concerns for employers as employees may move information that contains sensitive information such as personal customer data or employer trade secrets. Once in the cloud. an employer will have litde control over what happens to the data. D.EtociaLMedia Social networking heightens the information security risks posed by a BYOD policy Recent studies show that seventyrtwo percent ofworkers access soc1al media on the job at least once per day.l3 a majority access it multiple times. 14- and twenty-eight. percent spend an hour or more of each workday social networkingl The prevalmce of social media is one of the main reasons that the risk for a data breach on mobile devices is so great Whether intentionally or unintentionally, employees can now distribute data to an untold number of people with a few swipes. In addition to the ease with which an employee can disclose the employefs data to an anployee's entire social network. "active social networkers" (those who spend thirty percent or more oftheir workday on social networking sites) seem to be "more vulnerable" to problems such as being pressured to compromise employer standards and experimcing retaliation for reporting misconductld A recent business ethics survey found that f' )LthIEE percent of active social networkers \"share information about work projects once a week or more, and more than one third ofthem share information about managers, coworkers and clients-"customers."1? Most troubling is that the survey revealed, "by almost every measure. active social networkers face greater ethics risks than their less active or non-networking peers." 13 of active social networkers. y percent said they would keep a copy of confidential work documents and forty, 3 six percait would take work so'ware to use on their personal machine 19 However, training can diminish the risks from social networking. Specifically, the study found that "workers who receive training about social networking policies have a better understanding of the risks of social networking and are more likely to respect employer policies."20 IV. Legal Issues The legal contours ofBYOD programs are anything but W- There is very little guidance on these issues from courts or legislators The law is attempting to keep up with a technology world that is movmg at warp speed Even so. there are potential areas of legal concern of which any employer adopting a BYOD program should be aware. A. Privacy The main legal issue underlying any BYOD program is privacy. Employees use their devices for both work and personal matters. which causes difficulty in determining privacy expectations. Generally. employees do not have a reasonable expectation of privacy in the communications and content on their employer-owned devices. The same may not be said when employees use their ovm devices. When employees own their devices, there are limits on an employers ability lawilly to access-or delete, ifnecessary-the employer's data stored on the device. As oen happens, technology is outpacing the law and the existing framework of privacy laws does not exactly t the BYOD context because there are no laws draed specically for BYOD programs {nor were EYOD issues anticipated at the time these laws were enacted). Nevertheless. many laws are potentially implicated by EYOD privacy issues. 1. Computer Fraud and Abuse Act and the Stored Communications Act One statute that is particularly troubling for an employer that wants to monitor, access. or wipe an employee-mined deVice is the Computer Fraud and Abuse Act (CFAA).21 The CFAA makes it a crime to gain unauthorized access to a computer and permits the recovery of civil damages when the unauthorized access results in damages exceeding 55.00022 The CFAA (and its state counterparts] can be troublesome ifthe employer is taking action, such as wiping the device. Without employee consent. Furthermore. the CFAA's prohibition on unauthorized access includes accessing a device in a manner that exceeds authorization.23 For example. employees may authorize their employer to track the location ofa device in the event ofa loss or theft. but a CFAA violation occurs if the employer instead uses that mformation to track an employee's location on a periodic basis. All y states have adopted comparable computer trespass 1aws.24 Similarly. the Stored Communications Act (SCA)25 prohibits unauthorized access to email stored at an email service provider 26 Like the CFAA. the SCA is a criminal statute with civil remedies The CFAA and SCA may also come into play when an employer attempts to access, without authorization, information that an employee has saved to a cloud-based storage app, such as Dropbox or Google Drivel? 2. The Health Insurance Portability and Accountability Act and the Genetic Information Nondiscrimination Act The Health Insurance Portability and Accountability Act CHEAP-D28 requires employers to develop and follow procedures that ensure the confidentiality and security of protected health information 29 In that re gard, HIPAA requires that employers at least consider mcrypring personal health informationj In the BYOD context, employers have a much more difcult time complying with HEPAA when employees have access to personal health information on their devices. Some employers have had to learn the hard way For example, one healthcare contractor spent $283,000 managing the fallout ofa stolen laptop containing unencrypted patient information.31 In an ett'ort to avert future issues, the contractor destroyed all patient data on mobile devices and mandated the encryption of patient data.32 The Genetic Information Nondiscrimination Act (GENAE prohibits employers from requesting, requiring= purchasing= or disclosing " genetic information" of the employee or the employee's family members.3-t- The following example illustrates the potential legal issues that could arise under GINA: Jane has diabetes and downloads an app that allows her to track her blood glucose levels. While placing some updates on Jane's phone= her employer sees the data contained in the diabetes app. In this situation, the employer has potentially violated GNA These types of situations will increase as web developers create more health and fimess apps. 3. Fair Credit Reporting Act The Fair Credit Reporting Act (FCRA)35 requires secure disposal of certain consumer credit report informatioan Many states have similar laws requinng the secure disposal of certain sensitive information?\" When this type ofconfidential information is on an employee's personal device, FCRA issues could arise for the employer in ensuring secure disposal. This problem is exacerbated if employees have moved data to the cloud or elsewhere. 4. State Laws In addition to federal law, employers must be mindful of the patchwork of state privacy laws. California ____ been quite progressive in the development ofprivacy laws. For example= C have a constitutional right to privacy from both public and private entitiesjE and a state statute requires businesses to notify affected parties when a security breach occurs.39 In addition to laws aimed at protecting traditional privacy concerns, seventeen states have recently enacted laws that prohibit employers from requiring employees or applicants to turn over passwords needed to access private websites, including those used for social media 40 Employers should consult the specic laws of the states in which they have operations to ensure they are in compliance with any state-specific privacy laws. 5. International Laws Employers with cross-border operations and employees who travel internationally face unique challenges. For example, under the European Union Data anacy Protection Directive, individuals must give explicit and fully informed consent for any organization to access and process their personal data-11 Ifthe employee does not give consent, or ifthe employee is not made fully aware of the implications (e.g., that the employer may wipe the employee's personal data ifthe employee loses the device or aiters the PH': incorrectly too many times), the employer '5 is likely to be in breach of data privacy regulations and risks a lawsuit. Further, international travelers may be subject to search, and condential information is not necessarily exempted from review-12 Employas with cross-border operations should consult with counsel to ensure that they are complying with all international privacy regulations. B. Confidentiality and Trade Secret Protection While privacy is likely the number one concern for employees using their own devices for work purposes, protection of trade secrets and condential information is the number one concern for employers. Over the years= it has become eaSier for departing employees to take en'iployers' condential information (e.g., by downloading information to a ash drive). The trend toward use of BYOD programs has only increased the risk to employers that employees \\vill misappropriate confidential information. According to a fall 2012 survey, halfofemployees who le or lost their jobs in the preceding twelve months retained condential corporate data, and forty percent planned to use it intheir newJobs.43 Furthermore= "[m]g,t employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud filesharing apps is wrong."44 Indeed= over half of those surveyed did not believe that it was a crime to use competitive data taken from a prior employer.4i The survey underscores the belief held by many workers that ownership belongs to the person who created the intellectual property. The followmg example is illustrative: When given the scenario of a software developer who re-uses source code that he or she created for another company. 42 percent do not believe it is wrong and that the a [sic] person should have [an] ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have perrnissmn from the company.4d The study's findings are more trouble some when layered on a BYOD program because, in that scenario, the condential information is stored on the employee's own device. Employers can bring statutory and common law claims to address employee misappropriation; however, it Will be increasingly difcult and expensive for employers to pursue such actions in a BYOD environment. For example, the Uniform Trade Secrets Act (UTSAH-T imposes liability for "misappropriation" oftrade secrets.48 Under the UTSA, a trade secret includes any "information. including a formula, pattern, compilation. program, device. method, [or] technique," the secrecy ofwhich the employer has taken reasonable measures to protect.49 A misappropriation requires the use or disclosure of the trade secret information or the acquisition by improper means ofthe trade secretj It is Signicantly more challenging for an employer to prove misappropriation in a BYOD environment if it allowed the employee to store the employer's trade secrets on the employee's own device. Accordmgly= inthese Situations, employers will focus more on the improper use or disclosure ofthe alleged trade secret. In addition to the misappropriation of traditional data (e.g.. customer lists, designs, etc), employers must also consid how they will determine ownership of data such as social networking proles and content created by employees but used for professional, as well as 6 personal, purposes For example, while employed by ABC Corp, a salesman creates a social networking account. He uses his ABC Corp. customer list to grow his list of followers. What happms to that prole when the employee moves to a different employer? Does the employer have an ownership interest in the account because it was created during the employee's tenure and used for work purpo ses Does the employee violate his non-solicitation agreement when he updates his prole and thereby noties a his followers that he has moved to a different employer? The answers to most ofthese q ons remain uncertain. Indeed the ownership of these types of social nerworkmg proles will likely turn on whether the employee and employer had a prior agreement about account ownership, whether the account was initially created for business or personal use, or the provider's terms of service. C. Wage and Hour Attorneys' BYOD advice to employers must also address a host of wage and hour issues, such as off-the-clock allegations and claims for expense reimbursements. In addition, employers must consider issues related to joint employers, independent contractors. contingent workers, and third-party vmdors. Pursuant to the Fair Labor Standards Act (FLSA)51 and applicable state laws, employers must pay nonexempt employees for all time worked, including ovm'tImeSE The BYOD trald is particularly problematic when it comes to nonexempt employees who are now able to access work-related content during nonworking hours. in the past, employers did not is sue devices, such as smartphones, to nonexempt employees. But with BYOD programs, nonexempt employees are using their own devices. This may lead to employees performing work on personal time (e.g., reviewing and responding to work emails or making telephone calls) These types ofacts create a potential claim for off-the-clock work and may be asserted as a proposed collective actionji The U.S Department of Labor has even developed a timesheet app that helps employees track hours worked and determine wages owed.54 In addition to off-the-clock claims, some states have day-ofrest rules and others require uninterrupted meal and rest periodsji Employees can bring claims for Violations of these laws (e.g., an employee who reads or responds to emails while eating lunch may have a claim). Employers can attempt to combat the connectivity problem by ensuring BYOD policies clearly state that employees should not be accessing work email outside of working hours. A blanket prohibition, however, can be problematic and difcult to enforce. As a result, employers should include in their BYOB policies a requiranent that employees record and promptly report all aerrhouts work so that the employee can be properly compensated. Reimbursement for expenses related to the use of an employee's own device is another issue that employers must consider when adopting a BYOD program. In California, for example, anployas are obligated to reimburse necessary busmess expensesi The question becomes, if an employer has implemented a BYOD program, does it then have to pay for the employee's personal device\" The answer likely depends on howthe employer implements the EYOD plan For voluntary programs, in which employees may choose to use their own devices or an employer-provided device, the employer may have an argument that reimbursement is not necessary. On the other hand, employers who require employees to use their own devices will 7 likely need to reimburse employees Accordingly, the many;er in which the employer adopts the plan is important. When reimbursement is required, the employer must then deterrmne the amount of the reimbursement. While it would be easy for an employer to pay the full cost of the employee's device and monthly bill, this would likely result iry an overpayment to the employee. Because the device is used for work and pleasure, the employer is not obligated to reimburse 100% ofthe costs. There may also be tax implications for the employee (is, to be an excludable fringe benet the employer must provide the device primarily for Wbusmess purposes) 57 The actual expense method is the most accurate optioy1_ although it is usually not an option for reimhursanenr for smartphone or tablet usage. Under this method, an employer reimburses only the actual expense ofusing the employee's device for work-related purpose s. In the past, this method was easy to use because a cellular telephone bill showed every call made and it was easy to apportion the bill between work and personal usage. This method is increasmgly less viable because employees have at fee or unlimited data plans, making it impossible to calculate with any accuracy the amount ofusage devoted to work. Finally, the employer can use the existence of a BYOD ptograrn to establish that certain workers are not employees. Because the independent contractor test considers who supplies work equipment, worketrprovided equipment makes it more likely for an individual to be deemed a contractor rather than an employee However, an employer that allows contactors and temporary workers to use their own devices must be cognizant of issues such as security of data and ability to access the contractor's devices when negotiating contractor and contingent worker agreements. D. E-Discovery During litigation, employers must produce all nonprivileged, relevant information responSive to discovery requestsj Generally, courts will hold employers respon51ble for recovermg discoverable information even ifthe material resides on employeescontrolled devices59 This is problematic because it is notyust the information on the device that is discoverable, but also the data that were accessed. For employers with BYOD programs, litigation holds become much more challenging. Indeed, it may even be impossible for the employer to gain access to the device even to assess whether there is discoverable information present (e.g., an employee refuses to give consent to the employer to access the device). Even where employers obtain consent, they may have to overcome technical hurdles to effectuate a hold. Oen, the most signith challenge is that the work-related data on employee-owned devices may completely avoid synchroruaatiori or backup on we servers, thereby limiting the employer's independent ability to preserve and access this information. At a minimum, litigation hold notices should clearly list that the hold covers employee-owned devices and emphasize the importance of preserving relevant material on personal devices and in mixed-use cloud environments. These discovery issues raise the question of whether an employer can argue that it does not have possession, custody, or control of information stored on an employee's personal device The circuits are split on this issue, with some holding that a party must produce information that it has the legal right to obtain on demand,61 while others have held that a party must produce information that it has the legal right to demand, as well as the "right, authority or pracncal ability" to obtain from a nonpartyl Based on these standards, discovery from employee devices may depmd on the nature ofthe employer's policy regarding access to work information on the personal device. The issue of preserving information held by third parties or former employees is even trickier. Courts can find that employers have control of information even when the employer lacks actual possession of, or direct access to, the information, With third parties, a court's finding of a direct relationship between the employer and the Mags; provider (as established by the terms of the service agreement or payment arrangements, for example) oen inuences the determination that the employer controlledthe information.63 Likewise, courts vary on whether an employer must obtain its work-product from a former employeed4 For example, ifthe employer issued a severance package to a former employee: and therefore is still paying the employee, that may be evidence sufcient for post-termination control over the employee to subject the former employee to the production demands of Rule 34.63 Even where an employer lacks the requisite control over a former employee, a court may still require the employer to ask the former employee to search for and produce relevant information before the miployer can state that it does not control the information under Rule 34.65 E. Workplace Safety Today's technological age means people can work anywhere and anytime, but this convenience comes at a price for employers, including increased risk of workers' compensation and Occupational Safety and Health Actoi claims for work-related insuries, as well as tort and negligence claims for accidents caused by employees who are driving while testing or otherwise distracted by mobile devices. Before the advent of cell phones, courts applying the common law typically held that an employee driving to and from work was not acting in the course and scope ofemploymentS As such, courts could not hold the employer liable for injuries to the employee under state workers' compensation regime s. or liable to third parties under the doctrine ofgespgegegt superior for accidents caused by the employee.69 But the law is changing and the lines between work and nonwork time are becoming so blurred that courts, in some instance 5. may now hold employers liable for injuries that occur during nonworking hoursJO For example, an employee is engaged m a conference call while driving to work and is involved in a car accident. The employee may le a workers' compensation claim arguing the accident occurred in the course and scope of employment and the other driver may sue the employer under the doctrine of W supaior. The other driver may also sue the employer under a negligence theory, arguing the employer knew or should have knovm that the employee was using the device for work-related purposes while driving. In addition to workers' compensation and tort liability claims, employers may face an investigation from the Occupational Safety and Health Administration (0 SHA).71 For example, in response to the problems related to distracted driving, OSHA and the Department of Transportation partnered to combat distracted driving on thejob T2 As part ofthe initiative, OSHA wrll investigate and issue citations and penalties in cases in which it receives a credible Ct complaint that an employer requires texting while drivmg or organizes work so that testing is a practical necessnyi F. Antidiscrimination Policies Under federal and state antidis crimination laws, employees are protected from harassment, discrimination, and retaliation based on protected characteristics such as race, sex, or disabilityjl'4 An employer's equal employment opportunity and BYOD policies will typically intersect in two areas. hostile work environment and failure to accommodate claims. In the harassment context, an employee may not understand that policies relating to what is permissible conduct at work apply even if it occurs on a personal device. For example= employees who use their own devices to view sexually explicit photos or videos with others while at work can be creating a hostile work environment. Additionally= an employer might be held liable for harassing comments made on Internet mes sage boards or blog s, even though the employer did not control the message boards. Employees with disabilities can also raise reasonable accommodation claims arguing that the employer is required to provide additional technology to enable them to perform the essential rnctions of their positions (eg, a Wages; employee may request special assistive software to use with a mobile device). Finally. it: is notable that active social network users (those who spend thirty percent or more of their workday on social networking sites)75 are signicantly more likely to witness misconduct at work than their less active counterparts: fifty-six percent of active social networkers reported experiencing retaliation (compared with eighteen percent of other workers); seventy-one percent reported harassment online (compared With twenty-two percent of other workers); and seventy- one percent reported a supervisor or someone else in management verbally abused them (compared with fty-eight percent of other workers).?6 It Will be interesting to see how these statistics change as technology evolves in the coming years and more workers become connected more oen. G. National Labor Relations Act Neither the National Labor Relations Board (NLRB) nor the courts have issued any ruling interpreting the National Labor Relations Act's (NLRANI application to BYOD programs. Nevertheless, regardless of whether the employer's workforce is unionized, there is potential Liability for all employers under the NLRAJS All employers-wheier urnonized or not-should take care when dr'aing therr BYOD policy and be mindful ofthe fact that a dualsuse device may be used as an organizing tool; any policy must be narrowly tailored The NLRB's recent crackdown on overly broad social media poliCies serves as a sobering lesson on how strictly the agency is W employer policies.?9 For that reason, employers must carefully and thoughtfully word all BYOD policies so as not to run afoul of an employee's section 7' rights 80 Any employer that seeks to monitor employees' usage must make sure that the monitoring does not infringe on employees' rights under section I to engage in organizmg activity or other protected concerted activity.Sl In addition, when there is a grievance or investigation, employers must remember that the union will typically have the right to view or obtain a copy of any data the employer has gathered. Ifthe workforce is unionized= an employer should review the applicable collective bargaining agreement prior to adopting any policy to determine whether such a policy is ainandatory subject ofbargaining. V. BYOD Policies Any employer that adopts a BYOD program should consider having a comprehaisive, written BYOD policy. The specific terms of any BYOD policy will vary depending on the employer's goals. At aminimum, any effective policy must define the scope of covered devices, appropriate use, cost, and support issues, implement security protocols; outline the consequences for violations, contain a mechanism for monitoring employee access and appropriate use; and require employee training. tn that regard, when draing a BYOD policy, an employer should consider the following: Scope: '* Will the policy apply to the entire workforce or just a segment (cg, only exempt employees or only on-call employees)? * What devices does the policy cova (eg , smanphones and tablets, or all electronic devices)\" * Are there restrictions on the brand or age of devices that employees may use? * Define who owns what information (e.g., the employer owns the information that the employee is accessing from the employer's servers]. Appropriate Use: * What savers and applications will the employer make accessible? '* What restrictions does the policy place on access\" Cost and Support Issues * Identify what expenses are reimbursable. '* Will the employer provide IT support to fix personal devices? Implement Security Protocols * ConSider whether to implement a mobile dev1ce management platform to help with: * m all data stored onthe device; * w wiping data; I I * w complex passwords, and forcing a Wipe after a set number of unsuccessful password attempts; * Mug lost or stolen devices; and * m apps with malware. * Outline what an employee should do ifthere is a security breach (e.g., the device is lost or infected with malware). This should include information on whom the employee should contact in the event ofa loss or the * Outline the procedures an mployee should follow upon separation from employment (e g., allowing the employer to wipe data from the device). * Outline the process for employer inspection ofthe device ifnecessary for an investigation or litigation Monitoring and Consequences for Violations * Will the employer monitor to ensure appropriate access and use (e.g., are employees using approved soware and passwords)'.J * What are the consequences for violations ofthe policy? Training * Any policy must not only be distributed to employees, but it is advisable to include traming on the y so employees are frilly aware oftheir obligations under the policy. Vt. Conclusmn Given the many technical and legal issues that BYOD programs implicate, any employer considering adopting aBYOD policy should talte its time and proceed in a methodical fashion to address the numerous compleXities that can arise. Employers must give careil co ' ' confidentiality and security issues andthe manner in which they intersect with pri ac} concerns. In addition to the legal and security issues, employers must also be cognizant of ensuring that their EYOD policy is consistent with other corporate policres. This can be a difficult task that ultimately requires the editing of a myriad of other policies, including acceptable use of computer resources, compliance and ethics, security policies, document retention policies, social media, harassment and discrimination, policies related to Litigation holds, and employee privacy policies Finally, once an employer is operating in a BYOD world, it will want to be sure it applies its policy consistendy because failure to do so could give rise to clanris ofdiscrirniriation