I am struggling with how to draft BYOD policy. Here is part 2 of my drafting exercise.

The clauses I am writing feel draconian -- they give strong powers to the employer to take control of devices that employees use for work. Is there any other, reasonable way to craft a BYOD policy?
Simon B
I'm not a lawyer, nor a pure technician, but I am a manager and a user. I can probably contribute when I get to a PC tomorrow.
Simon B
(a) the Company might not return the Device or Service;

** you can't not return the device. Even if you need to clone it and wipe it, you have to return someone else's device (or compensate them for it). Anything else is theft.

(b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service;

** See above.

Workplace Technology
(c) the Device or Service could be damaged, the employee could lose data and the employee’s data could be disclosed to others. The Company will not be liable or responsible for such damage, loss or disclosure. Employees are wise to back up data.

** In terms of your definition of service (Facebook, Twitter, Hotmail, etc.) you can't "damage" the service. You also couldn't delete any private emails, nor should you copy them (unless they are evidence in a gross-misconduct or criminal claim).

** Related to that, you can't disclose private data (private tweets, emails, etc.) to any party without consent of the owner (after all, you require this from the employee).

Informing Supervisors

Each employee will keep his or her supervisor reasonably informed and empowered as to:

(a) the employee’s work use of Devices and Services; and

(b) the access control credentials (such as user ID and password) for Devices and Services.

** No. They can unlock the device, but allowing someone else access to the device password is negligent in the extreme. Most IS departments would reject out of hand - with good reason - an executive request to have all network/PC passwords the same, and this is no different. If possible the company can set up an administrator profile, and if not then the user needs to agree to unlock the device in the event that it is reasonably requested ("reasonably" should be defined as when the employer has reasonable suspicion that the device has been misused).

** You need to better define misuse.

Turning Over Control to Employer

Each employee will promptly upon request of the Company turn over to the Company control and possession of any Device or Service.

** See above.

+Simon B Thank you for your thoughtful comments. I'm going to think about them -- and give others the chance to chime in -- before I say anything more.
Simon B
Thanks. I look forward to the feedback. I tried to cut an even line, but I'm sure there's room for movement in either direction.
I want to approach +Simon B's good comments with multiple replies, rather than one long comment. And I'll start by explaining some premises for the draft language I am publishing.

The first premise is that I am drafting the language from the point of view of the employer. In other words, I am not acting like a labor union that is drafting policy from the perspective of employees and asking the employer to agree to it.

A second premise is that this BYOD fits into the context of a larger relationship between the employer and the employee, where the employee is fairly compensated to work and (possibly) subsidized to use the employee's own device or service in pursuit of that work.

Many employers will be reluctant to get into a contest regarding the value of a device or service if (for whatever reason . . . such as clumsy IT/forensics guys or the convolutions of e-discovery in litigation) the device or service is not promptly returned to the employee.

Also, just because a policy says the employer may not return something does not mean that in practice the employer will usually refrain from returning it.

A friend recently showed me a policy like this from his employer. My friend decided he could not live with the policy; therefore, he decided he will perform work only with the employer's equipment and services. That's not necessarily a bad outcome.
Simon B
+Benjamin Wright - I was aware of the perspective you were writing from. As I said, I tried to be fair. And legal (though your legal knowledge far outstrips mine). BYOD has numerous benefits for employers - no device cost, lower support costs, happier (and therefore more productive) employees, more connected employees (I mightn't look at a company phone on the weekends; I certainly would mine, etc.). However, all that goes to hell in a handbasket if you craft a policy that is so draconian that the user/employee is a) unhappy and b) stands to lose a device with no recompense merely on the employer's whim/say-so. So safeguards have to be built in. Not only for the employee's benefit, but also for the employer's.

Losing the device (which may have sensitive medical information on it, personal banking information, etc.) opens the employer up to a minefield of litigation, whilst not really offering the safety and security that such a desire to impound the device would achieve. For the company to reap the benefits above they have to entertain a certain level of risk (as one does with all contracts), and to attempt otherwise is a path to failure (in my opinion).

I wonder what +Donald Mitchell or +Woozle Hypertwin would say/contribute.
Here's my first-cut reaction:

What I'm wondering is (a) why the company should have any right at all to an employee's devices, and (b) presuming such a right is reasonable, exactly what types of usage would constitute "business purposes" or "use for work"? I see a very grey area there.
+Woozle Hypertwin I appreciate you taking the time to comment. I agree with you that there are some dangerous grey areas! I have undertaken this exercise to draft a BYOD policy not necessarily because I believe employers should require or encourage BYOD. Rather, I've undertaken this exercise because BYOD is popular, and I get questions on what the policy should be.

Let me posit one scenario (out of thousands of possible scenarios): CEO gets paid $2 million salary per year by an employer. CEO agrees upfront to policy as I have drafted it. CEO then uses her own computer, smartphone or webmail service to send a message to a vendor that says, "Yes. My company agrees to pay $300K for the widget." Hence, the CEO is using her own stuff "for work" or "for a business purpose" (whatever you want to call it). The CEO is creating records that the employer needs for legal, tax and internal control purposes. The employer needs those records even after the CEO has departed the employment of the employer.

I can understand that the CEO (maybe ex-CEO) could feel that her privacy and/or property rights are compromised if the employer seizes her stuff. But the employer's perspective is: "Hey, we are (were) paying you $2 million a year, and we need the records you create when you act as our agent. We also cannot afford to get into litigation with you over the value of your phone or service if one of our goofy IT guys (who gets paid a mere fraction of what you get paid) screws something up while extracting data from your phone or service. You are a big girl. We warned you to back up your data. We notified you that there are methods for you to keep your business and personal lives separate."

. . . Still, I acknowledge I don't know everything and I learn from this friendly conversation. --Ben
The employer makes a choice to have a BYOD policy instead of issuing employer-owned devices to employees. Presumably, that choice is based in part on the employer's desire to shift responsibility/cost (of maintenance, etc.) to the employees. The employer gets to write a check to the employee and that's it. I think that choice precludes the employer from asserting any sort of contract-based control over those devices in the future. The employer wants to have zero responsibility for the device until, of course, the employer decides it wants to know what's on that device.

Of course, my view is likely slanted by the fact that I'm an employee and not an employer.
Instead of addressing ownership of the device used to conduct business, how about simply demanding ownership of any business-related data (correspondence, documents, etc.) that pass through the device -- from which the right to "detain the device for questioning" (offload data) would naturally emerge?

Also, employers could require that employees using their devices in such a way must set up automatic bcc's to an official company email account, so that there is a record of emails that is outside of the employee's control (even if they don't surrender the device, or attempt to delete items from it)...

Or they could require employees to periodically sync their devices to a company machine.

Consider what would happen if the employee "lost" (or accidentally destroyed) their device just before they were supposed to turn it in? Ownership of the device itself does the company absolutely no good there.

In short: Actual ownership of the device seems like a bridge too far and not even as reliable at retaining data. Perhaps your policy should state that device retention should only occur in the event that alternatives are unworkable?

(edited to make an additional point)
+Donald Mitchell Thank you for your comment; all of these comments are helpful to me. I don't want to be too dogmatic in defending the policy as I have drafted it, because this is for me just an exercise of drafting and self-education. As I think about these good comments, I am likely to change the draft policy.

Still, you argue, "The employer makes a choice to have a BYOD policy instead of issuing employer-owned devices to employees." As I have drafted the policy, it covers all devices the employee may use within the scope of employment. Thus, this policy covers all the stuff the employee may choose to use, even after the employer has supplied numerous and ample computers, phones, tablets and services. So, this language does not necessarily apply only when an employer is stingy. It applies anytime the employee elects to use devices or services beyond those supplied by the employer. It is easy for an employee to make that election, even when a generous employer has supplied the employee with lots of goodies.
+Woozle Hypertwin You make worthy comments. Employee ownership of a device or service is not always the threshold for application of a policy like this. An employee could be doing work, within the scope of employment, using a device or service owned by a friend. You are causing me to think about making a more general policy that focuses on data copying and control. The general policy could be supplemented by examples, such as when the employee uses a device that she owns to transact business. Thank you.
+Simon B left some excellent comments above (April 5) that I have not yet addressed. I now wish to dig into one of them that gives me heartburn. (It is not Simon who gives me heartburn; it is the topic. What I'm about to say here is not an attack on Simon.)

Simon proposed: "[Employer] can't disclose private data (private tweets, emails, etc) to any party without consent of the owner (after all you require this from the employee)." I understand why someone who is looking out for the interests of employees would expect the employer to take on the obligation not to disclose.

Non-Disclosure is Really Hard

However, as counsel to enterprises, I always, vigorously resist letting my clients take on non-disclosure obligations and data security obligations. The reason is that those obligations are much harder (and much more expensive) to fulfill than conventional wisdom acknowledges. One can see from just reading newspapers that ALL ENTERPRISES -- including US Department of Defense, IT security stalwarts like RSA, "secure" institutions like certification authorities . . . not to mention mere hospitals, police departments, banks, Fortune 500 companies, yada, yada, yada -- cannot prevent data from being disclosed. Period. The problems with data protection are legion: hackers, malware, subpoenas, stupidity, whistleblowers, disgruntled employees, insecure operating systems and innumerable other leaks and pitfalls.

When clients come to me and seek advice on "non-disclosure agreements," I counsel them that these agreements should not be taken lightly. A non-disclosure agreement implies that the party who agrees not to disclose must institute very challenging, imperfect, expensive, on-going controls to prevent the disclosure of data. So after I have so counseled a client about this risk, the client may decide that it "must" enter a non-disclosure agreement to do business. Fine, enterprises have to take certain risks.

Warning to Employees

But my aversion to taking these risks leads me, as enterprise counsel, to resist any statement in employee policy that the employer will refrain from disclosing employee data. In fact, in the draft policy I wrote: " the employee’s data could be disclosed to others. The Company will not be liable or responsible for such . . . disclosure." In other words, employees are forewarned.

Message to employees (when I'm the guy writing the policy on behalf of the employer): If you want non-disclosure and data security, you cannot expect your employer to provide those services. Your employer is not Fort Knox (oh, BTW even Fort Knox is pathetically insecure). If you really want non-disclosure and data security, you are wise to strictly segregate your business life from your personal life. That does not mean that your employer harbors a malicious plan to disclose your private tweets to the world; your employer does not have such a plan. If this message causes you to decide to religiously avoid using your own devices or services for work within the scope of your employment, then so be it.
It seems to me that any employee using a device for business purposes should have some expectation that any other purposes for which they use the device are going to become inextricably entangled with the official business, as long as it's clear what causes a device to be reclassified as "for business purposes", and as long as employees are adequately informed of this.
+Woozle Hypertwin said, "as long as it's clear what causes a device to be reclassified as 'for business purposes.'" I agree with the need for clarity. The language I used is "to conduct business within the scope of employment." The phrase "within the scope of employment" has long been used in American courts to distinguish between a person's actions for which the employer is responsible and all other actions by the person.
Simon B
I was talking about deliberate and consequential disclosure, to be sure. I'd expect a lawyer to write the clause to the effect that reasonable efforts be taken against accidental disclosure (but I'm aware how much lawyers hate "reasonable" in contracts). However, there's a distinction between my private information on the device being stolen/hacked, negligently misplaced/lost, and deliberately revealed. That last should be an absolute no-no, the first should be considered force majeure, and the negligence can be somewhere in the middle to the satisfaction of both parties (but in my experience more to the satisfaction of the drafter).
I'm seeing a need for some specific examples of what constitutes "within the scope of employment".

Let's say an employee has an IMAP email account at work, which she can also access from outside the workplace. Normally she uses her work-provided laptop to handle emails, but she also checks it via mobile while stuck in traffic during her daily commute, away from the house, etc. in case something urgent has come up.

Does that usage of her mobile (reading email but not responding to it) constitute business use? If so, would use of her personal mobile phone to call into work -- or to call a client of the business -- to deal with a business issue also constitute business use? If using her mobile phone for either of these purposes is business use, then what about using her home phone for the same purpose? If none of these are "business uses", then would emailing a response (either to her employer or to a business client) from her mobile constitute "business use"?

Unless I'm way off the mark here, I'm seeing some pretty fuzzy lines here -- which, to my mind, calls for some kind of guiding principle to be spelled out, as well as a list of common/expected circumstances and how the rule would apply in each case.

For example, perhaps the principle should be "if there are records which can be retained (e.g. emails), the employer has the right to copy that data if it relates to business work -- but otherwise does not have any right to the device."

If that were the rule, then in the case of an IMAP account, where nothing is kept locally on the device, the employer already has all the data and therefore has no need for further access to the device. If there is not any data which can be retained -- as in the case of a phone call -- then the employer has no reason to demand access to the device or its data for that purpose.

I hope this is still making sense; I'm more familiar with the technical details than with current business practices.