When was the last time your organization reviewed its “acceptable use” policy for technology devices?
In an era of “bring your own device,” it might be time to review and develop new controls around the use of company data on mobile devices, especially for employees compensated on an hourly basis.
“Many companies are realizing their ‘acceptable use’ policies are way out of date,” says Lou Milrad, of Milrad Law, a business and IT lawyer based in Toronto.
He notes many of the policies would have been created before social media tools such as Facebook, LinkedIn, and Twitter became standard apps for users.
“To what extent are employees operating under a BYOD policy allowed to go into LinkedIn, for example?”
A decade or more ago, companies often asked employees to sign standard forms saying they wouldn’t text or call while driving and wouldn’t use laptops for personal use. But times have changed, and many employees now use their own devices, chosen for their preferred technology platform, to access company information and complete tasks after hours.
“I think the concern has certainly been raised, and that employers are (or should be) carefully considering both who should have 24-hour access, and, in the case of overtime-eligible employees, what the rules are regarding use of the devices outside of business hours,” says Jeff Mitchell, partner with the labour and employment practice of Dentons Canada LLP.
As cloud and BYOD adoption continues to accelerate, greater accountability will be required for implementing policies and managing technologies. In its 2014 cyber security forecast, global risk consulting company Kroll said the whirlwind pace at which cloud services and BYOD have developed and evolved has left IT departments scrambling to get out in front of technology and employee usage.
In its report, Kroll’s senior managing director Alan Brill noted IT leaders need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the needs of the organization. He said courts in the U.S. are starting to see matters related to the use of technology by employees come before them.
“Up until now, cloud and BYOD adoption has been like the Wild West — uncharted, unregulated, and few restrictions. However, we’re seeing courts issue rulings that include significant penalties where discovery, disclosure, and other legal obligations aren’t being met because of the use of these technologies,” says Brill.
“While it’s implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security, and risk management plans will be much better prepared to fulfill their legal obligations. Organizations must realize that even if they don’t want to deal with this, they’re not going to have much choice.”
The difficulty, says Mitchell, is there is a real temptation for employers to encourage employees to respond as quickly as possible using mobile devices (even after business hours), but it has to be balanced against the risk that overtime-eligible employees may subsequently make claims for pay for the time spent reviewing and responding to e-mails outside of work.
“The important thing for employers is to have a strategy in place to ensure that the business needs are met while the risk is mitigated,” he says.
One of the big challenges for any organization creating a BYOD policy is that the policy won’t be effective if the right people aren’t consulted first.
“HR should be part of it because, at the end of the day, if a BYOD policy is implemented you are going to have to train and educate the employees and they’re going to have to sign off on it,” says Milrad, who advises having all heads of business units, HR, and legal sign off on the policy.
In a case he is familiar with, Milrad said remote employees, as part of their job, needed to download a quantity of data from a device and then upload data back to the company system. Employees had signed off on a use policy provided by the company, but a problem arose when an employee who had been using their own device was terminated while all the critical data resided in the memory of that device.
“IT wakes up and says ‘we need that’ and the employee is suddenly in a wonderful bargaining position for severance,” says Milrad.