For the uninitiated, the acronym “BYOD” looks like a typo. But in the telecommunications context, and in the employment context, it stands for “bring your own device,” and it’s what’s happening all over as individuals opt to use their own devices rather than company-provided mobile phones or tablets. The number of issues created when individuals bring their own devices into the enterprise is significant, particularly when the devices have at least two distinct uses/purposes/personalities: business and personal. How should the enterprise reconcile these very different roles played by a single device? Very, very carefully.
From the enterprise side, there are a number of concerns that need to be addressed whether the deployed devices are employer or employee owned. How is it possible to keep what is corporate corporate and what is personal personal on a single device? Is it reasonable to ask an employee to use his/her employee-provided device to perform work? Is it reasonable to ask an employee to NOT use his employer-provided device for personal business/fun/Words with Friends? Is it reasonable to ask an employee to carry around two devices so that business and personal use remain totally separate? And even if the employer makes this request, is it reasonable to think that it can really be done? This column will raise more questions than it answers, but it has been designed to highlight those issues that are most critical when embarking on the creation of a wireless device or mobility policy. As a side note, whatever policy is created, an employer who is not willing to enforce the policy has wasted a great deal of time drafting it and securing employee buy-in. Absent meaningful enforcement, the policy isn’t worth the paper it’s printed on.
With these challenges in mind, whichever operating model an enterprise chooses, there are two primary topics that should be considered before either handing an employee a device, or asking an employee to use his/her own device for work purposes, namely data security and access protection.
All publicly traded companies are well aware of obligations under Sarbanes-Oxley (SOX), particularly with respect to maintaining the sanctity and security of corporate data, especially financial data. With the proliferation of wireless devices, not all of which are employer-owned, how will the publicly traded enterprise meet the strict obligations that SOX imposes? For those entities that are not subject to SOX, these issues remain. Is the entity sufficiently sophisticated, and are the employees willing to put up with the hassle of one of the mobility firewalls that exist, to try to preserve corporate data when people take it home at night, even for the most laudable of reasons?
Not only must corporate data be kept protected to keep the employer in compliance with SOX, but as a general rule, entities, be they corporate or otherwise, like to know that the confidential information that they have and use will remain corporate confidential. It’s not impossible, but certainly an additional challenge, to maintain what’s corporately private private when people are either taking the information home or are accessing and manipulating it on devices that they own personally. As such, keeping corporate data safe and secure is right at the top of the list of items to be considered when drafting a policy.
Closely related to this issue is the challenge of managing the credentials of those who can access the enterprise’s data and files. How will credentials be given? How will they be managed? How will they be terminated once an employee leaves the company? How the enterprise maintains the balance it needs between corporate security and allowing employees necessary access to confidential information is a significant challenge in and of itself.
The final issue to be determined is how and to what extent employees will receive compensation for using their own devices for business purposes. There have been some relatively recent (past two years) decisions regarding whether additional stipends granted to employees who choose to BYOD (bring your own device) qualify as income, and the most recent determination from the IRS indicates that such reimbursements are no longer a taxable employment benefit so long as the device is necessary for the employee to perform his/her work and there exist “substantial business reasons,” other than strictly additional compensation, to warrant the enterprise’s provision of the device to the employee. Previously, onerous recordkeeping was required, but with this 2011 revision, these highly detailed records are no longer required.
The IRS has defined the phrase “substantial business reasons” to include:
Finally, in order for the IRS to allow such additional payments to be non-taxable as an employee benefit, the employee must maintain cell phone coverage that is reasonably related to the needs of the employer’s business, reimbursement must be “reasonably calculated” so as not to exceed actual expenses incurred, and reimbursement must not be a substitute for a portion of the employee’s wages.
Mobility management has become a thorny but critical issue for all enterprises that either provide wireless devices to employees or allow employees to access enterprise information from devices that the enterprise does not own. Careful consideration and planning are required to keep these policies successful as tools for both managing access and mitigating risk.