Today, 87% of companies depend on their employees’ ability to access business software and data from their personal devices. And that’s likely to grow, as 36.2 million Americans are expected to work remotely by the year 2025, nearly double pre-pandemic levels. With these trends come new policy and litigation considerations—particularly on how employees can access a company’s data from their own devices.

These procedures are often called “Bring Your Own Device” (BYOD) policies. They can reduce expenses and boost productivity. But without a sound BYOD policy, employers can leave themselves exposed to the growing number of “off the clock” suits, data ownership issues, and cyber security risks that increased remote access has brought about.

Technology can (and often does) outpace the law and employer policies. Still, as we navigate our increasing reliance on remote work and access, these 10 tips can guide your business, whether it’s auditing its BYOD policy or considering one for the first time.

  1. Understand the landscape of your device population: To start, you need to consider what devices your organization will support and what devices can access your data. Will your company allow only laptops? Tablets? Apple and Windows products? Also, get a general understanding of what types of mobile devices and smartphones your employees have, as this will impact some of the technical specifications your company is able to roll out.
  2. Establish a mandatory authorization process: If someone wants to access your network, your organization needs to know about it. Require and plainly state that employees must get permission from IT to obtain remote access to the company’s data.
  3. Require encryption or password protection: Require passwords or encryption protection for employees to be able to access company data remotely. If you let employees have remote access to data, this means that other people could potentially get access to the data. From a technical perspective, these protections can look like a password for the entire device, an authentication process for logging into a certain app (likely an email app), or some combination of these factors.
  4. Clarify data ownership: An effective policy will identify who owns the data and expressly explain this. This is particularly important in BYOD policies, in which employees are using their own devices, meaning they will likely have personal information on their devices as well as data relating to work. The company must regulate who owns what. If you get into any type of lawsuit where you are collecting data—or even if you have an obligation to preserve that data—the company will only have a right to what is under its “possession, custody or control.” On the other hand, too much data can lead to more pressures and litigation costs for the company. Consider how much data the company truly wants to hold on to and what might be worth divesting.
  5. Limit or explain employees’ expectations of privacy: To avoid invasion of privacy claims down the road, include a clause in your policy that explains employees’ expectation of privacy in the workplace and states the company’s right to monitor, intercept and erase data. You should also be mindful of employees’ privacy rights and ensure that you are not infringing on those rights by improperly encroaching on employees’ personal data on the same device. A BYOD policy should not give an organization carte blanche to access an employee’s personal photos, messages and similar information.
  6. Address limits on device use outside of working hours: Make sure you have a clause expressly prohibiting non-exempt employees from performing work while off the clock (e.g., reviewing or answering work emails from home). Work outside these hours can trigger certain payment obligations. Organizations should state in their policy that “off the clock” work is not permitted, condoned or expected—and then ensure that managers are trained on this matter. While it might not seem important, these issues are coming up more and more in recent lawsuits related to remote work and can quickly mobilize from one employee into an entire class of similarly situated employees.
  7. Address business-specific privacy issues and compliance with existing policies: Consult with any other existing vendors and customers with confidentiality agreements. Ensure that your company’s BYOD policy is consistent with these agreements and would not jeopardize any relationships.
  8. Clearly identify the procedure in the event of loss or theft: It’s a great practice to be able to wipe a device in the event of loss or theft to protect your organization from security concerns. However, if you intend to do this, be sure that your organization lets employees know in advance and establishes the proper technological requirements.
  9. Obtain employee consent to policy terms: Employers should get employees’ consent to any and all BYOD policy terms. Ask employees to sign and acknowledge the agreement, so that your organization can have a document it can point to if there’s a dispute or later incident.
  10. Draft a written policy separate from the employee handbook: If you choose to have a written BYOD policy, consider separating it from your employee handbook. While not a hard and fast rule, it will allow your organization to update the policy more readily without having to reissue an entire handbook, as technology changes more frequently than most handbook provisions.