Are Your Employees Protecting Your Clients’ Data? The Importance of a Bring-Your-Own-Device Policy

Permitting employees to use personal mobile devices to fulfill their professional duties was common before the COVID-19 pandemic. Now, more employees than ever are working from home. More employees who did not previously use mobile devices on the job are expected to do so. Put simply, more business is done on mobile devices, and that trend will only continue. Bring-your-own-device policies have never been more important for businesses looking to avoid the cost of supplying mobile devices yet still maintain adequate data security measures for confidential information. 

If employees handle sensitive matters and information for clients on mobile devices, some kind of device policy is a necessity whether it entails company-provided devices or BYOD. Failure to have any kind of policy could subject employers to liability for data breaches or disclosure of confidential client information by employees. Employers should consider whether their business is best suited for company-supplied devices or a BYOD policy based on considerations such as size of the company, cost, sensitivity of the data being handled, and other factors. Further, many companies with employees who are newly working remotely and using personal devices (e.g. administrative personnel) should consider updating existing policies that may be in place.

What Are the Advantages and Risks of BYOD?

Compared to a company-supplied device policy, a BYOD policy offers cost savings while providing less security and control.

Advantages

  • Cost. With a BYOD policy, employers leverage existing personal mobile devices instead of purchasing new devices for employees.
  • Better care and maintenance. Mobile devices are a necessity in modern society. Employees can be expected to take good care of their personal devices.
  • Staying current. Employees upgrade their own devices as necessary, saving employers recurring expenses of keeping mobile devices up-to-date.

Risks

  • Less security. Especially as companies grow, it becomes harder to monitor and enforce BYOD policies. Unregistered, private devices present a greater security threat from malware, and via threats over unsecured networks. If a company’s client is subject to a data breach and the company lacked sufficient data controls, the employer could be liable for the damages.
  • Attrition. As employees leave, employers may struggle to find the means to ensure that sensitive information has been deleted from employees’ private devices.

Who Should Be Eligible for BYOD?

Once an employer decides to institute/update a BYOD policy, the next question is: who needs to use mobile devices to accomplish job duties? Is an employee client-facing or expected to be available after business hours? That employee is a good candidate to be eligible for a BYOD policy. Conversely, if an employee’s duties are more administrative in nature and the employee is not generally expected to be available outside of business hours, an employer should question whether that employee needs to use a mobile device to accomplish his or her job functions.

As mentioned above, there are risks to instituting a BYOD policy. To mitigate these risks, it stands to reason that an employer should carefully consider eligibility for employees whose access to mobile devices might be non-essential to their positions.

Important Considerations in Drafting a BYOD Policy

Proprietary Information

The top priority in creating an effective BYOD policy is to offer clear requirements to employees concerning the handling of confidential and proprietary information. Make sure employees understand that materials received by, sent from, and stored on their personal devices for work purposes are subject to monitoring by the employer. There should be no expectation of privacy with respect to such items, which are owned by the employer. In order to avoid a perceived intrusion on privacy by employees, employers should take care to make sure the policy is well-crafted to delineate between personal and work-related data and materials and the employee’s expectation of privacy with respect to each.

Unsecured Networks

A BYOD policy should remind employees of the dangers of sending sensitive information via unsecured networks and prohibit such conduct.

Lost or Stolen Devices

Employers should give employees steps to follow in the event that an employee loses his or her mobile device.

Departing Employees

A BYOD policy should set forth the required procedures for departing employees to remove company data from their devices. The more specific, the better.

Existing Policies

A BYOD policy should remind employees that any work-related use of a personal device must conform to other policies in place by the employer, for example, policies addressing such things as harassment and treatment of confidential information.

Cyber Liability Insurance

Finally, any employer who handles information necessitating a device policy–whether BYOD or company-supplied–should consider purchasing a cyber liability insurance policy. If your client’s data is breached, your company can be held liable for that. Cyber liability policies provide coverage and defense for such claims. For those who end up seeking cyber liability insurance, a well-tailored device policy can serve to decrease the premiums associated with such a policy.

By: Jay Hermele

DISCLAIMER: This is for general informational purposes only and not furnished for purposes of offering legal advice. The best source of information for your specific matter is consulting an attorney.

The internal governance of your limited liability company (LLC) is largely going to be established by a contract known as the operating agreement. This is the centerpiece of your business structure and operating rules and must be comprehensive and correct. If you need help with your operating agreement, a Colorado small business lawyer can help. While the exact terms in an operating agreement vary by business, there are some core elements that just about all LLCs need to include.

Equity structure

In this section, you will detail membership interests (often expressed as a percentage); membership classes, if any; the capital account of each member; and the allocation of losses, profits and distributions. Keep in mind that for the capital contributions, you should address whether members will only make capital contributions at the start of joining your business or whether they will be expected to make contributions going forward. Also consider whether contributions are to be made in any other form, such as sweat equity over time or with contribution of intellectual property to the LLC.

Management

An LLC can be managed by its members or a manager. If you’re going to have a manager, this section of the operating agreement addresses who will appoint the manager and other aspects of the manager’s role, including duties and responsibilities. You should also outline the procedures for removing and replacing a manager here.

Voting procedures

The standard rule is that all members will vote in proportion to their percentage interests. However, you can establish a different rule if you wish. You can, for example, withhold the right to vote from a member or an entire member class. Voting rights can also be set based on capital contributions, accounts or commitments. Some managers or members can even be given veto rights or super-majority votes.

Indemnification and liability limits

In this section, you will deal with the manager’s fiduciary duties. Fiduciary duties in the context of LLCs are complex and always evolving. Be sure to contact a Colorado small business lawyer for help.

Books and records

This is perhaps the most self-explanatory operating agreement section. You will address record-keeping issues here, including the rights of members to inspect the accounting and corporate records of your LLC.

Protections against dilution

These provisions allow members to retain their membership interest percentage when the LLC issues interests to new members. Protections may include giving veto rights to members regarding the issuing of new interests; capital call limitations; and pre-emptive rights that allow a member to buy any membership class on offer to retain their current interest.

Transfer restrictions

There are various restrictions on transfer of membership interests that you can include in an operating agreement. These include barring the transfer of management rights when one member is assigning their interest to someone else, requiring membership interest transfer to be approved by other members or by a vote, and specifying what events–such as the death, insolvency, bankruptcy or disability of a member–trigger buyout. The rules and procedures for a buyout should also be spelled out here.

Liquidating and dissolving

In this section, you’ll identify what events can trigger the dissolution of the business or who determines when to dissolve your LLC. You’ll also include the procedures for winding down the company and the distribution of company assets in this section.

Depending on your business, goals and the wishes of others involved in your company, you may need more provisions. Since the operating agreement is a “living” document, you will also need to make changes to it as the needs of your business change. Don’t leave anything about the operation of your LLC to chance or question. Contact a Colorado small business lawyer for help drafting an operating agreement for your business or amending your current agreement.