Adapting to BYOD and COPE
Our job, as the consulting team at Vox Mobile and a member of the GEMA global consulting network, is to help organizations sort through the increasingly complex world of mobility. Clients reach out to us with a variety of issues including: governance, cost, operations, strategy, infrastructure, policy, and transformation. This blog is intended to highlight some of the lessons we’ve learned that fall within the ‘policy’ category.
In recent years, organizations have been shifting their mobile device policies from Corporate-Owned Business-Only (COBO) environments to mixed personal/corporate use environments. This mixed environment usually involves Bring Your Own Device (BYOD) or Corporate-Owned Personally Enabled (COPE) or a combination of both. However, for the purposes of this discussion, it doesn’t really matter which policy approach has been taken.
The focus that most organizations have had during this shift has been on the technology, typically infrastructure, such as the Enterprise Mobility Management (EMM) solution, and the devices themselves, such as iPhones. Some clients have also tackled the increasing operational challenges such as support and acquisition complexities, usually after the fact. However, most organizations have focused very little on their written end-user policy. Not only did the shift away from BlackBerry significantly decrease the ability of organizations to enforce policy, but increasing personal use has created new challenges that didn’t exist in the past.
Vox Mobile has developed a Policy Inventory Workbook which is the central tool for this popular consulting offering. With over 90 policy topics, it is comprehensive, and is continuously updated to account for the ever-changing environment. Through our many consulting engagements, we’ve identified five of the most overlooked, thought-provoking, and most concerning topics for our clients.
First a caveat: We are not lawyers and we are not accountants. The commentary below is not intended as legal or tax advice. Clients must always check with their own legal, HR, and accounting department on any policy-related matters.
1. Legal discovery of personally owned devices
With most BYOD programs, this topic is usually not overlooked by clients. However, the implications are rarely thought through. Many organizations default to a stance where they have the right to seize an employee’s personal smartphone, or tablet, in the event of a legal matter. While this may be technically true (again, not a lawyer), it’s important to think through the resulting impacts.
First, is it consistent? What about an employee that uses Outlook Web Access from a home computer? They can save attachments to their home computer. Does the organization have the right to seize their home computer? Isn’t this the same situation as a personal smartphone connecting to corporate email?
Secondly, is it necessary? A majority of corporate data on a smartphone would have gone through corporate servers with evidence of that communication stored there. Technical measures can be put in place to ensure that corporate data stays in the corporate container of a smartphone. If absolutely necessary, technology can even be deployed to back up other forms of communication, such as text messages.
Finally, is it counter-productive? It is in the best interest of an organization to encourage BYOD adoption amongst employees that currently do not have corporate-issued smartphones. For more details on this matter, I suggest our whitepaper “The 5 Best Reasons for Adoption of BYOD”. Overly harsh policy measures will blunt adoption of a BYOD program.
2. Taxable benefit of reimbursements
A vast majority of organizations that explore BYOD must also explore the matter of reimbursement, stipends, or allowances. This will often necessitate some degree of financial modeling. If an organization decides to provide a flat reimbursement to BYOD-enabled employees on a monthly basis, let’s say $40, it’s important to determine if this is a taxable benefit. If it is deemed a taxable benefit and a $40 gross payment is maintained, the benefit to the employee is substantially reduced and adoption will be negatively impacted. If it is deemed a taxable benefit and a $40 net payment is maintained, the corporate cost of the program would be significantly higher than anticipated. Unfortunately, there isn’t a clear answer on this matter and our clients take varying stances based on direction provided by their corporate accounting team. However, the following notice from the IRS from 2011 should shed some light on the matter for your accounting department: http://www.irs.gov/uac/IRS-Issues-Guidance-on-Tax-Treatment-of-Cell-Phones;-Provides-Small-Business-Recordkeeping-Relief.
Just remember, if the corporate objective of a BYOD program is a net reduction in mobility spending, getting this matter wrong could shatter your plans.
3. Overtime implications
Caution and due diligence are absolutely required when enabling smartphones for employees who are overtime eligible. What constitutes overtime eligibility can vary significantly state by state in the United States. In some cases, explicit approval from the manager would be required in order to qualify for overtime. However, in other cases, an implicit approval may be construed by the context of the situation. For example, let’s assume a manager is accustomed to sending emails to his/her staff in the evening expecting action to be taken during business hours the following morning. Little does this manager realize that a BYOD program has been put in place and the staff now receives those emails in the evening. If the staff takes action on those emails immediately, are they eligible for overtime?
This situation is not hypothetical. In Allen v. City of Chicago, members of the Chicago Police are suing for overtime due to their use of BlackBerry: Lawsuit Against Chicago Police for Blackberry Overtime.
4. Privacy expectations in various use cases
Concerns around employee privacy are increasingly important and complex, with or without BYOD. Most organizations have, formally or informally, permitted personal use of corporate devices for a very long time (COPE). While organizations would prefer to indicate that there should be no expectation of privacy, it’s usually not that simple and certainly not realistic. Even if an organization did want to observe non-corporate communication, such as a personal email account, it wouldn’t normally be possible unless you seized the device (see above). Due diligence by your legal department will be required here.
Remember, from a productivity perspective, you want to encourage adoption of BYOD or the use of a single device by employees. Therefore, a realistic, and perhaps softer, policy should be put in place.
Regardless of the policy that is put in place, the greater challenge is communication to the employees and the identification of what constitutes private or not. For example, if an employee expects that browsing on their personal tablet is private, they would be mistaken if that tablet was attached to the corporate WLAN environment. Map out the various scenarios and take a thoughtful approach.
5. Personal information recovery upon exit
This particular policy topic is actually only applicable in the case of corporate-owned devices. As mentioned several times already, many organizations have enabled Corporate-Owned Personally-Enabled (COPE) policies, either formally or informally. It’s very likely that your employees are using corporate equipment for personal activities such as taking photos and videos. If the employee is asked to leave the organization, and the smartphone is confiscated, what do you do if they want their personal information back? I typically ask organizations what they do today in case an employee needs to recover personal information from corporate computers. Most don’t have a set policy but will make exceptions. Chances are that this would be a far more pressing matter with mobility, as employees will use their corporate smartphones much more for personal activities. Many organizations will instinctively indicate that a corporate-supplied device should not be used for personal matters, but that is no longer realistic. Some type of policy and exit procedures should be put in place to accommodate the outgoing employee’s request.
An Enterprise Mobility Management (EMM) solution can actually help here. Nearly all EMM solutions have a feature that will allow the corporate data to be wiped from a smartphone but leave the personal information intact. The most common use of such a feature is in the case of an employee exiting with personally-owned equipment. However, it would also be very helpful in the case of corporate-owned devices. Even though the device is corporate-owned, this feature could be used to wipe only corporate data before giving the employee a certain amount of unsupervised time to recover their personal information. The device can then be taken and the remaining content wiped. It’s a more straightforward and less cumbersome process than, for example, having someone from security watching them.
The above represents only five of the many policy topics that organizations must explore or re-explore. While there are some traditional policy topics that are no longer relevant, the net direction is towards increased complexity. What makes policy even more challenging for an organization is that the preparation of a robust document is only part of the battle. Every organization must also address the lifecycle management of the policy. How is it being presented to end-users? How is their acceptance being captured? Is there a plan to keep the policy up to date? We’ll save that discussion for another day.
While the benefits of mobility are extraordinary and transformational, managing enterprise mobility has become difficult and that difficulty is accelerating, especially for those that choose to do it themselves. If you think you could use help, give us a call.