Matt Karlyn, Cooley LLP
It's fascinating, because people are using all of these components on smart devices for both business and personal purposes, such as photography and who knows what else. Suddenly, you can't wipe only the obvious business-related things like email.
The lines have become more blurred, as these devices become more sophisticated. This has given rise to the need for companies that implement BYOD programs to have a lot of flexibility, in order to ensure that they can access information that belongs to the company.
Do BYOD policies give companies this flexibility?
From a corporate perspective, if you're going to implement a BYOD program, it's simply imperative that you have a well-drafted and precise policy to govern both the company's rights and employee's rights. The message to employees is, read every policy carefully and make sure you understand it.
Before BYOD, you were issued a bunch of devices owned by the business. The company would have an IT policy that says you have no expectation of privacy with respect to these devices. Not only are you not supposed to use them for personal use, it's prohibited. You can suffer consequences, including termination. I used to do IT policies where even the phone wasn't for personal use.
Fast forward several years, and we're flipping the whole thing on its head. Now you can go buy your own device and use it for whatever you want (it's your family iPad) and for work. Companies are getting themselves into a little bit of hot water when putting these programs in place.
It becomes a challenge in cases such as litigation or when a device is lost or stolen and needs to be wiped. If a policy doesn't spell out the process and procedures when these events happen, and we know they're going to happen frequently, then it's a huge disservice both to the company and employee.
People complain that BYOD policies heavily favor the company and give employee rights short shrift. What do you think?
I think that's true. Companies are drafting the policies. As a natural outgrowth, they're heavy on the company's rights to accessing devices. As I said earlier, I think there should be a balance between company rights and employee rights. It's something that these policies can do a bit better at.
Sounds like BYOD policies can get large and complex. What does a good BYOD policy look like?
They're not generally large documents. In fact, I'm sitting here with a couple of them in front of me. One is three pages, the other nine pages.
A BYOD policy goes through general rules about personal mobile device usage.
It clearly articulates what the company's rights are with respect to monitoring, accessing and reviewing all the data stored on, processed or used by the particular device. It goes through the employee's obligations with respect to keeping the device secure, password requirements, all the things you'd expect to see in a general IT policy. It talks about what happens if you're terminated or decide to leave the company.