Despite a growing number of employees who use their personal electronic devices for work, 60 percent of U.S. companies do not have a bring-your-own-device policy in place, according to a recent survey.
And nearly 80 percent of U.S. organizations haven't educated employees on BYOD privacy risks, according to the study, which was done by Acronis, a provider of backup solutions, and the Ponemon Institute, an independent research and consulting group.
Without a policy in place you could be putting your data at risk, say experts.
"I think many companies haven't recognized the potential damage that can occur when proper policies and protocols are not implemented," says Kimberly Malerba, chair of the employment law practice group at Ruskin Moscou Faltischek in Uniondale. Sometimes they don't recognize it until it's too late, she notes.
While there's no one-size-fits-all policy, there are certain core elements any policy should cover, says Malerba.
Privacy and security issues: For starters, it should explain that employees should have no expectation of privacy on their device, she says. Make clear the company owns any business information stored or created.
Be sure to specify any security requirements you expect to be maintained, such as password protection, says Malerba. Just 31 percent of companies mandate a device password or key lock on personal devices, according to the Acronis/ Ponemon survey.
Company procedures. Since employees are often working on their mobile devices outside the office, make it clear they must maintain proper time-keeping protocols.
Also, specify the company's rights with respect to the device when the employee leaves the organization, such as perhaps being able to remotely wipe their device, says Matt Karlyn, a partner in the technology transactions practice group at Cooley LLP in Boston.
Clearly state the rights and obligations of the company and employee, including the company's right to monitor, access, review and disclose any company data stored or used on the device, and any other data stored or used on the device, he explains. This can include email, documents and photos.
Guidance. Make sure employees go into a BYOD program "with their eyes wide open," says Karlyn. Give them a chance to review the policy and ask questions, he advises.
It's not a one-time education process. Employees need to be periodically reminded of their responsibility to protect company information, says Jason Aptekar, chief executive of Westbury-based Mithril Technology, a business and technology consulting service. He has a BYOD policy and helps companies understand and implement their own policies.
He says his company's policy goes hand in hand with its security policy, which identifies each user's responsibility for maintaining the confidentiality and security of the information they have access to. Mithril has employees sign an agreement that defines their responsibility with company data.
Data at risk. Companies can't ignore the fact that data is increasingly mobile, and whether they have a policy or not, their data is at risk.
"Recognize that your employees are using their devices to get their jobs done today," says Anders Lofgren, vice president of product management for Woburn, Mass.-based Acronis. "That's the reality."
Leaving employees on their own to decipher how to handle company data can be dangerous.
And be sure the policy covers all employees, Lofgren says, noting that among companies with policies, 24 percent make exceptions for executives.
"Have a consistent policy across your organization," he notes.