How to craft the best BYOD policy

Tom Kaneshige | May 2, 2013
What is a good BYOD policy? Step one is to clarify the rights of both company and employee and state upfront what's business and what's personal. But there's a lot more to it. In this interview with a technology transactions lawyer, CIO.com explores the do's and don'ts of BYOD policies.

Some key logistics might be included in the policy. A lot of companies are offering to subsidize the cost of mobile devices over, say, a couple of years. If you leave the company during that timeframe, and the company has already reimbursed you, then perhaps you might have a financial obligation to the company. That's a new concept.

Also, there might be some descriptive terms with respect to what you can't do on your device. For example, if you're going to use this device for business, then you must comport to company policies and standards for keeping information confidential.

It's a document that both the employee and company sign. So hopefully an employee isn't surprised when litigation or something happens where the company is required to wipe or access the device.

What are some of the mistakes you've seen with BYOD policies?

Not only do you have to draft the policy and make sure it has all the critical elements, people have to be aware of it, train on it, communicate on it. Whatever the consequences of failing to comply, you have to enforce them across the board with respect to employees signed up to the program. If you're not going to do those things, then why have a policy?

In the actual terms and conditions, the biggest red flag is the one-page, isn't-this-policy-great kind of policy that says, "Here are some things to be aware of." But it doesn't get into the obligations and rights for both the company and program participant. You also have to make sure that participants comply with other corporate policies, that they're attached and baked into the BYOD program.

The really big mistake is that employees are shocked, because they weren't aware there was a policy that said a company could do something. It's the critical awareness factor: make sure that they know what the elements of the program are and then train and take them through a discussion, through the literature, through examples of what could go wrong.

What's the potential fallout from these mistakes?

People become surprised and not happy if they have to turn over devices that contain their personal information. They also might not get their devices back for a while. If employees continue to be shocked and their information is subject to search, I certainly can see employees trying to pursue rights maybe through litigation.

I saw a discussion online where somebody said, "If your device is going to get confiscated, just make sure you have the ability to wipe the thing clean." I don't agree with it, I think it's horrible. There are employees who are taking a self-help approach to protect their information on that device. It's a really interesting outgrowth and huge risk of BYOD, isn't it?

 
