Bring Your Own Device Policy - Part 2

This is the second installment in a series on how to write enterprise policy to cover devices or services -- which belong to employees but which employees use to conduct official business.  Please refer to the first part of the series for the definitions of "Device" and "Service" and for the notion that the Company (the employer) could take control or possession of them.

[BEGIN DRAFT]


Loss or Damage

Employees are informed, and employees agree, as follows:  If the Company takes control or possession of a Device or Service, then:

(a) the Company might not return the Device or Service;

(b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service;

(c) the Device or Service could be damaged, the employee could lose data and the employee’s data could be disclosed to others.  The Company will not be liable or responsible for such damage, loss or disclosure.  Employees are wise to back up data.


Informing Supervisors

Each employee will keep his or her supervisor reasonably informed and empowered as to:

(a) the employee’s work use of Devices and Services; and

(b) the access control credentials (such as user ID and password) for Devices and Services.


Turning Over Control to Employer

Each employee will promptly upon request of the Company turn over to the Company control and possession of any Device or Service.

[END DRAFT]

Please understand that what I publish here is just draft language for the purpose of getting some comments from you, dear readers.

Update:  This post sparked a substantive thread of discussion on my Google Plus page.

--

Related: BYOD policy part 3

[Again: Nothing I publish in public is legal advice for any particular situation. Use what I publish at your own risk. If you need legal advice, you should consult your lawyer.]

2 comments:

  1. Ben,

    Typically I have seen policies that require that the device have to be one that is on a "remote wipe" capable list in case it gets lost or stolen, and in that, the user has to agree that if they leave they have to wipe the device (which then can generally be re-loaded via sync/backup with their personal data only) to ensure all corp data is cleaned. Also, the company does make the user sign a waiver that they can "audit the device" to ensure it is in compliance with security and data controls at any time - passwords, data, encryption, etc. Those are key elements from what I have seen. - Ruth

    ReplyDelete