
Be Careful With BYOD

By Lin Grensing-Pophal


What are the risks and opportunities for credit unions that allow employees to use their personal phones or tablets for work?

The trend toward “bring your own device” policies in organizations around the country is on an upswing, and there are certainly benefits for both employees and employers.

But, as credit unions consider whether BYOD might make sense for them and their employees, there are risks to take into account as well. In addition to the security risks most commonly considered, we’ll look at risks related to compensation, reputation and productivity.

Pros and Cons of BYOD

$1.56 billion/164,000-member ORNL Federal Credit Union, with 486 full-time equivalents in Oak Ridge, Tenn., is in the initial stages of developing policies related to BYOD, says CUES member Paul Morris, VP/information technology. At this time, staff are able to use their own mobile phones and tablets, but the policy does not yet extend to laptops or personal computers.

The benefits of BYOD can be significant, Morris explains. “If there’s a need to work from home, whether in the case of a disaster or for some other reason, BYOD enables that.” In addition, he says: “Another benefit is that employees are already familiar with the use of their devices and are able to select devices specific to their personalities and lifestyles.”

Monica Velazquez, a partner and labor/employment specialist with Strasburger & Price, Frisco, Texas, agrees. “The more that employees are familiar with their own devices, the more productive they can be,” she says. There is always some learning time involved when working with a new device; those who can hit the ground running with their own equipment will be more productive sooner.

Still, says Velazquez, the cons of BYOD can outweigh these benefits. These include, first and foremost, security.

Security issues, says Morris, represent one of the reasons that laptop and desktop devices are not yet part of ORNL FCU’s BYOD policy. Eventually they will be, he says, but the credit union is carefully evaluating ways to address security with these devices, which present greater challenges than smartphones or tablets.

“You need to maintain a barrier between the personal data and the business data,” says Morris. “The key is keeping those from mingling.”

In addition to security, he says, another drawback is the impact on IT. While productivity gains may be realized in other areas, and employees’ ability to use the devices of their choice is a benefit for them, that ability can cause nightmares for IT staff. “If you just look at the cell phone market alone, with new ones coming out all of the time, to support that would put a huge strain on your IT staff, so managing that effectively is critical,” he says.

Despite those challenges, Morris says: “The bottom line is that some flavor of BYOD is inevitable and we need to embrace it. If we don’t, employees who are already clever enough to circumvent controls will do so, thereby weakening our security defenses.”

For other credit unions, that means starting now to thoroughly evaluate possibilities and consider policies.

Tom DeSot, chief information officer at Digital Defense, Inc., San Antonio, works with financial institutions and other clients to help them assess and address IT vulnerabilities, and also serves on the board of $492 million/48,400-member Generations Federal Credit Union. One of the issues DeSot sees most often with clients who move into this space is that they fail to do a thorough risk evaluation.

“Usually what happens is someone will go to a conference and learn that somebody else is able to access their email or their calendar on their iPad or on their Android device or whatever. They come back and suddenly the IT manager is told ‘we need to get into this whole BYOD thing.’” That may be a good idea, but too often, says DeSot, it’s done without a thorough risk assessment to help understand what issues might be involved.

“My goal here at ORNL FCU is to create the most efficient and cost effective environment wherein our employees are empowered to use devices with which they are the most comfortable,” says Morris. But, he adds, while, in theory, any employee could use such a policy, in practice there will be HR considerations that drive decisions about which employees can—and which employees may not be able to—take advantage of BYOD.

Morris notes that there are numerous ways for credit unions to ensure that employees who do not have appropriate access are not accessing the network, whether internally or via an external site. Technical security controls allow for this monitoring but, he adds: “In addition to the technical controls, we address via organizational policy.”

HR Risks and Rewards

From an HR perspective, the greatest risks relative to BYOD policies are concerns over wage and hour issues.

Yes, security issues represent the greatest risks for BYOD, says Joseph Shelton, a labor/employment partner with Fisher & Phillips in the Atlanta area. But wage and hour issues can also be problematic.

“Let’s say you’ve got a non-exempt employee that’s checking emails and doing work from home after hours. That’s a real wage and hour concern because it’s compensable work,” Shelton explains.

Velazquez agrees. “That’s a cutting-edge issue for your non-exempt, or hourly, folks.” Key considerations here, she says, are: Will you allow employees to use their own devices for business-related reasons during non-work hours? If so, how will you track that time?

“If you don’t track that time, the Department of Labor takes a position that it’s whatever time the employee reports as having worked,” says Velazquez.

So, unless the credit union has some kind of time tracking device, or is able to actually see when the employee was logging in, or answering emails, they’re responsible for whatever hours the employee claims. And, she adds, “if in a particular week they worked more than 40 hours by answering emails after hours, they are going to be entitled to overtime.”

These issues can be viewed in the same way as policies on personal use of company phones, and likewise require managers to be alert to how employees are spending their time when “on the clock.”

In addition, there is some potential that harassment-related issues may emerge when employees are using their own personal devices for both work and non-work-related activities.

Suppose an employee is having some conflict with another employee and in the evening sends that employee a nasty, perhaps obscenity-laden email. Is the credit union at risk?

Not in that scenario, says Shelton. “If an employee, on their own personal device, sends a nasty email to their buddy at 9:00 at night, when they’re not at work, that’s not a violation of anything, morality aside—off-duty it doesn’t matter.”

Arguably, says Shelton, this would still be the case if one of the two employees’ work email account was used.

However, he adds, if the facts are changed a bit and that same email was sent at the same time, in the same manner, using the company email address and “you know about it, because you’re tracking company emails and you’ve told them that, that can be problematic; that’s something you can act upon.”

An important element here is whether the email was from their personal email and what the employer’s policy and practice is relative to monitoring company email usage.

What’s important for employers to recognize, Shelton says, “is that you, the company, don’t have as much control over the device and the content as you might otherwise have when it’s owned by you.”

DeSot agrees and points to other risks. “You’ve got the potential for malicious applications on the device that might somehow break the barriers of particular applications and allow access to corporate data.

“You might have people storing hate speech or illicit material, or anything of that nature, on their device—because, remember, it’s their device,” he adds. That kind of information could come to light, DeSot says, if the device is ever lost or stolen. “If someone loses their iPhone and they’ve got hate speech on it and somebody sees that and also sees that it’s got credit union information on it, does the institution have to be held accountable for what their employee was doing?”

As Shelton noted, it depends. But, DeSot stresses, “the content of what’s actually on the device matters just as much as the security of the data that is residing on it.”

Velazquez also brings up a safety issue that many may have not considered: the risk related to texting or using the phone while driving. “Whatever your policy is, you must have something that prohibits employees from answering calls or texting on any kind of device while driving,” she says. “That’s just a safety issue and something I think a lot of people overlook when they’re trying to put their BYOD policy together.”

Policy Considerations

Credit unions that decide to allow employees to use their own devices for credit union work should have a carefully crafted and well-written policy, perhaps even a signed agreement between the employee and credit union, says Shelton.

The policy should be reviewed and revised as necessary, regularly, he adds. “This is truly an ever-changing and fast-paced area. You’ve got to be mindful of changes in technology and how that will impact your policy.”

Some important points to consider, says Shelton, are which employees are eligible for BYOD and which may not be, and what to do in the event the device is lost or stolen.

Especially when sensitive information might be at risk (e.g. member financial information), the ability to immediately scrub or wipe the content from the device remotely is critical.

Velazquez recommends both a written BYOD policy and a COPE policy, which stands for company owned personally engaged devices. A COPE policy is applicable in situations where the company issues the device but allows the employee to use it for personal reasons. She points to five key elements a BYOD policy should address:

Security. What measures will you take, on the device, to secure your information?

Cost. Who is going to pay for the device? Will you reimburse employees at the end of each month for their data plan, or will you ask them to submit expenses?

Confidentiality. Ensure employees understand not only their obligation to protect confidential information on their phones, but also that they don’t have a right to absolute privacy for their own confidential information.

“So, if I keep my children’s pictures on my iPhone and it’s the company phone for purposes of BYOD, then those pictures become vulnerable. The company can come in and inspect them, or wipe them out, if there’s a security breach,” Velazquez points out.

IT resources. What type of support is your IT staff prepared to provide? “There are thousands of devices out there, but if your IT folks only know how to work within the Android system or within an iPad/iPhone system, employees need to understand that they’re limited in choice,” says Velazquez.

The return of information when the employee leaves. Related to this is the issue of what happens if the device is lost or stolen.

What’s in the policy will impact to what extent BYOD is adopted, DeSot notes. This can be challenging, he says, because “the institution is always going to err on the side of protecting the institution and the user is always, typically, going to err on the side of usability of the device.” If employees feel the policy is too restrictive, he says, they’re not likely to jump on board.

That can also be problematic, says DeSot. An area where he has seen HR become involved in BYOD issues is when there is a conflict between the organization and the employee’s feelings about what can and can’t be done with, or stored on, the device.

“Where this gets really kind of interesting, and where we’ve seen some challenges, is where institutions have employees who do not want to remove things from their devices, but due to their job roles they have to have access to corporate resources.” Then, he says, “it becomes an HR issue.

“Usually HR gets brought in and has to dictate to the employee ‘this is your job description, these are the requirements of the job, so you’re going to have to choose. Is what’s on your device more important than your job? If so, perhaps we’re just not the place for you to be employed.’”

For those who may be considering such a move, Shelton advises: “Research, research, research,” and recommends reaching out to other credit unions to learn what they may or may not be doing, and what they have learned through their own research.

For ORNL FCU, says Morris, “the trick is figuring out the formula for bringing order to the chaos that has historically been the BYOD environment, while remaining in alignment with our long-term business and strategic goals—and doing so in a framework of uncompromising member and data security.”

Whether the pros of BYOD outweigh the potential cons is something only you can determine—with assistance from legal counsel.

Taking a proactive approach to address this issue head on is a wise move in an era where technology has become mainstream and employees interact seamlessly with both personal and professional contacts virtually 24/7.

Lin Grensing-Pophal, SPHR, is a freelance writer and human resource management and marketing communication consultant in Chippewa Falls, Wis. She is the author of The Everything Guide to Customer Engagement (Adams Media, 2014) and Human Resource Essentials (SHRM, 2010).
