KPM


Formalizing Your Financial Institution’s Bring-Your-Own-Device Policy

Thousands of finance employees suddenly found themselves working from home during the pandemic. In some cases, this meant turning to personal devices to access their work email, handle documents, and perform other tasks. Even before COVID, more and more financial institutions were allowing employees to use their own phones and tablets for work purposes.

By now, many institutions have established firm bring-your-own-device (BYOD) policies. Others have allowed their policies to evolve with minimal documentation. Whichever camp your institution falls into, it’s a good idea to regularly review and, if necessary, formalize your BYOD policy.

Key Questions
A comprehensive BYOD policy needs to anticipate a multitude of situations. What if a voluntary or involuntary termination occurs? What if a device is lost, shared, or recycled? What if it’s infected by a virus or malware? How about if a device is synced on an employee’s home cloud? Other key questions to address include:

Who pays the bill? Payment policies vary widely. For example, an employer might pay for an unlimited data plan for employees, with any charges above that amount being the employee’s responsibility.

Who owns an employee’s cell phone number? This is a big deal for some employees, especially if they leave to work for a competitor. Customers may continue to call the employee’s cell phone, potentially leading to lost business for your institution.

Are employees properly password-protecting their devices? A policy should require employees to utilize password protection and implement two-factor authentication if feasible. In addition, users need to set up their devices to lock if left idle for more than a few minutes.

Legal Ramifications
A BYOD policy needs to address the fact that using a personal device for work opens the door for an employer to access personal information. It should state that your institution will never intentionally view protected items on a device. This information may include attorney communication, health information, or employer complaints permitted under the National Labor Relations Act.

In case your institution becomes involved in a lawsuit, your policies should address access to data stored on mobile devices. Keep in mind, Rule 34 of the Federal Rules of Civil Procedure covers all devices, including personal ones that access a company’s network.

Financial Impact
Formalizing your BYOD policy should involve spelling it out in a written user’s agreement that all participants must sign. Consult a qualified attorney in drafting such an agreement. Contact us for help assessing the tax and financial impact of allowing employees to use personal devices.
