We’ve been helping a client - a small professional service firm - with the termination of a mid-level employee. As always, the client has had lots to think about: first, deciding to terminate the employee, and second, planning to implement its decision. Some of the stickiest issues we’ve had to work through relate to technology. This particular termination has been delayed several times while the employer scrambles to figure out how to protect its data and clients without increasing its risk of a dispute with the terminating employee.
The employee has been allowed access to the firm’s computer systems and data on a personal computer and a smartphone. That’s not unusual these days, and the arrangement has worked well for the employer, its clients, and the employee. But access to the employer’s systems and data has meant access to all sorts of confidential internal information and forms. In addition, because of the nature of the work the employer does, it has also provided the employee with access to confidential financial information and other proprietary business information belonging to the employer’s clients.
Now the employee is leaving, and will probably be leaving unhappy. He is not expected to be cooperative. Will he turn over his computer and smartphone to the firm so all that client and employer information can be removed? Well, we hope so, but the employer is very worried that he won’t. Getting access to the employee’s devices may become a major flashpoint, and the employer may end up having to negotiate about it.
This employer is pretty sophisticated, but until now it hasn’t felt the need to have a “Bring Your Own Device” or “BYOD” policy. A good BYOD policy makes employees’ use of their personal devices to access employer or client data conditional on compliance with appropriate security measures. It also requires that when the employee leaves, personal devices must be made available so that employer data can be removed. Some employers add provisions to their BYOD policies stating that the employee agrees to a “remote wipe” of the personal device if the device isn’t made available for data removal, and that the employee understands that a remote wipe could result in the inadvertent destruction of personal information. BYOD policies should be acknowledged in writing by each employee, and a signed or initialed copy of the policy should be kept with each employee’s personnel records.
As you can imagine, the employer we’re working with fervently wishes it had a BYOD policy in place. Because it doesn’t, the employer is spending time and energy trying to figure out what data is at risk and how best to protect it. Terminations are never easy, but they needn’t be complicated by worries about protecting the security of your business or, worse, the security of your customers or clients. If you allow your employees to access your data on personal devices, you need a BYOD policy, period.
Posted by Judy Langevin