Do you allow employees access to your company’s secure computer servers by using their personal electronic devices? If the answer is yes, keep reading. Allowing this practice can have a number of unintended consequences.
With today’s virtual workplace, it is more than likely that employees are constantly accessing company data, e-mails or contacts on their own electronic devices, whether smartphone, tablet or computer. In today’s professional environment, where there is a need to be immediately accessible and responsive to both internal and external clients, access to company servers is taking place at all hours of the day and night. In addition, it is very likely that employees who utilize their personal devices for business purposes have commingled personal information and business information on the same device.
Develop a Policy
If the company doesn’t have a policy that addresses employee use of personal devices for business purposes, it should. Some areas that need to be addressed in such a policy include: definitions of who owns what information; whether the company requires or has specific security measures in the event the device is lost or stolen, such as the ability to remotely wipe the device; whether the employee must passcode their devices and provide that passcode to the company; whether employees can use personal drop programs (e.g., Dropbox or Google Drive) to secure company data when the company does not have access to the cloud; whether the company has the right to demand the employee’s device be surrendered so the company can determine if the employee (or former employee) inappropriately accessed or used confidential information or trade secrets; and whether non-exempt employees can, and under what circumstances, access business information after office hours and how they account for their time for the purposes of wages.
It is easy to forget that the convenience of employees having access to the company servers on their own devices must be balanced with the company’s interest in protecting its resources and information. An analysis should be completed to determine whether it is in a company’s best interest to allow this access, or control the access by requiring that only company-provided devices be used for business purposes.
- Shannon Hamilton is a member at Stites & Harbison in Louisville, Ky.