Smartphones are now tiny computers that enable users to access multiple email accounts and systems. Nobody wants to carry two phones wherever they go and many have opted to use their personal devices for everything.


This ability to bring your own device for work, however, comes with big risks to both employees and employers. Here are some of the biggest problems and how companies can try to address them:


1. Litigation Waiting to Happen


The list of potential claims is endless because the devices are incredibly sophisticated. For example, the ability or expectation for hourly employees to access work email can result (and has resulted) in large litigation for off-the-clock or overtime claims under the Fair Labor Standards Act. Or, when employees use the devices to post comments on social media about their jobs, it may also create issues with collective bargaining agreements. Litigation is expensive for everyone regardless of the circumstances. Some ways to avoid this risk include:


  • Have clear written policies. Establish expectations for everyone in writing about who can use the devices, when, and how. Make sure they are consistent with other employment policies or handbooks.
  • Establish a texting policy. Texts are complicated pieces of data that are stored in multiple places on devices. Setting strict limits about when employees can text and when they should email for work can go a long way to avoiding expensive complications.
  • Provide training to employees. Cover what the policies are, expectations for protecting data security, and what to do when a device is lost or stolen.
  • Obtain acknowledgements. Employees should sign off in writing that they have received a copy of the policies and understand the consequences of using their own devices.


2. Easy Targets for Hackers


Smartphones are easy targets for hackers for many reasons. These devices store data in multiple places within the device that are not all equally secure. Personal apps on smartphones can leave a back door open for a savvy hacker to access the entire device. Accessing company email on the device can provide access to the company server from the phone. Nothing is perfect, but here are some ways to help improve security:


  • Set minimum technology requirements. Old devices are like handing the keys over to the hacker. Define expectations and make no exceptions.
  • Require passcodes. This establishes at least some protection and will ultimately disable the device after too many incorrect attempts.
  • Encrypt sensitive information. Evaluate potential encryption technology for company email and other systems. Shop carefully and understand that the options are not all the same.
  • Require phone upgrades and system updates. System upgrades are often designed to prevent known security problems. Require or force such upgrades on all devices used for work.


3. Trade Secrets Can Walk Out the Door


Personal devices can make it easy for trade secrets to walk away when they are stolen or the employee leaves. Many companies have written policies preventing disclosure of this information by employees. Enforcement of these policies often requires some expensive litigation. Avoid the complication and expense by leveraging technology. Here are some ways to limit the mobility of such sensitive information:


  • Remote wiping programs. There are many options for companies to wipe devices without access to them. These range significantly in cost, capacity, and implementation requirements. Shop around for the right fit.
  • Sandboxing. This technology is evolving, but it attempts to keep personal and company data in separate places on the device. This prevents a remote wipe from removing everything (both company and personal data).
  • Restrict remote access. Truly sensitive information should never be accessed away from the office. Remove all remote access if possible. Alternatively, establish an as-needed policy for only those who absolutely require remote access to perform their jobs.


The luxury of carrying only one smartphone comes with high costs. Employees need to understand what those costs may be in order to protect the data (both personal and company). Companies choosing to let people bring their own devices need to implement clear written policies, communicate the policies, and verify that their systems have adequate capacity. This area will only get more complicated and there is no foolproof solution. However, both employees and employers can take steps to build the right foundation as technology continues to rapidly change.