Address These Questions in ‘BYOD’ Policies

Adopt policies curtailing employees’ use of personal devices on secure networks.

March 24, 2014

Whether or not it’s against your credit union’s policy, at least some of your employees are using their personal devices at work.

That’s a modern reality, as technology proliferates and becomes intertwined with a person’s everyday activities. This often works to your credit union’s advantage, as connected employees can be more productive and responsive.

Nearly six of 10 employees use personal devices at work, according to a survey by the technology consulting firm Ovum.

Smartphone use represents 70% of that activity, and one-third of those users either bring their phones to work without the knowledge of their information technology (IT) department or in spite of a company-wide ban. By 2016, 80% of employees will be eligible to use their own equipment with employee data on board, a Gartner CIO survey predicts.

In short, BYOD (bring your own device) is here to stay. So, credit unions must develop BYOD policies that protect the security of their networks.

Any BYOD program should answer these 10 questions, labor and employment attorney Jon Hyman writes in Workforce:

What devices will you permit? Is BlackBerry acceptable but not iPhones or Android devices? What about employee-owned laptops, tablets, or portable memory?

Will you mandate passwords? Staff might bemoan entering a four-digit access code, but financial services institutions should require this security measure on all devices.

What happens when a device is lost or stolen? Policies should instruct employees to first call IT and not their mobile carrier, so IT can remotely wipe corporate data from the device before the carrier shuts it down.

Will you ban jailbreaks, roots, and other hacks? Prohibit actions that void the phone’s warranty and expose your network to infectious malware.

Will you ban third-party apps? Allowing the installation of apps from sources other than the iTunes App Store or Google Play increases risk of infection from viruses, malware, and other malicious code.

How do you handle a departing employee? You need a protocol to reacquire or wipe all the corporate information on the device.

Do employees have an expectation of privacy on their devices? In reality, their privacy is limited or nonexistent. Most companies practice transparency about this. Tell staff what information you will collect, or pledge never to collect.

Do you prohibit nonexempt employees from business-related mobile device use during nonworking hours? If not, you risk exposure to a costly wage-and-hour claim.

Do you forbid employees from using their mobile devices while driving? Even if your state has yet to enact a ban, do the right thing by requiring your employees to drive safely.

How does your policy interact with existing regulations? Cross-reference your BYOD policy against harassment, confidentiality, and trade secrets policies.

This article initially appeared in Credit Union Directors Newsletter, which provides strategic insights for policy makers. Subscribers can choose to receive the print edition or PDF version.