Wrapping IT Up: Write and Maintain a Mobile Device Management Policy

May 20, 2016 | Posted in: Data Protection, IT Strategy, Managed IT, Technology Trends

Posted by Blair Colby

The time to think about Mobile Device Management (MDM) solutions and policies isn’t after employees start using various personal devices for work. 

At our recent Lunch & Learn, “Personal Devices and Corporate Data: The impact of BYOD and MDM in the workplace,” Elek Miller of Drummond Woodsum stated, “You need to carefully consider your policies & procedures and document them prior to any employee using a device for work.  It is one of the most important/first things you should do prior to implementing any MDM solution.”

If an employee is using his/her own device for work, he/she is using an unsecured device that is accessing your organization's critical data.  With a Mobile Device Management solution, you can manage those devices and protect sensitive data while verifying who the user is.

Miller provided attendees with an overview of the five most common legal issues surrounding BYOD/MDM he witnesses in his practice today. They are as follows.

1. Employee Privacy and Company Security

Employees have vital personal information on their devices and they typically don’t want their current or past employers to have access to it.  However, when employees begin using their personal devices for work, written policy becomes key, especially if you ever need to wipe the device.

Have a plan for what happens in the event an employee leaves.  Even though you have the technology to wipe a device after the employee is terminated, you may not have the legal right to do so without prior notice. For example, under common law damage claims, if you own something and someone steals it, breaks it, or deletes it, the owner of that property can get reimbursed.  In addition, invasion of privacy claims can be made by former employees whose devices have been accessed.

If there is a breach or a crime (say a device is lost or stolen), know what your rights are in relation to an employee’s device.  It’s not common knowledge that a company’s data and apps on a bring-your-own-device (BYOD) device are the company’s property.  Your policies need to make this point clear.

In addition, think about any contractual obligations your organization may have with clients and/or partners and how these terms should be incorporated into your policies.

2. Data Breach Response

49 states have data breach laws, and each is a bit different.  If you are breached, you have to comply with those specific laws while understanding where your data is and who has it.

3. Compliance With Industry Standards

There are a variety of industry standards (HIPAA, PCI, SOX, GLBA, NCUA, etc.) that many businesses are required to comply with.  Knowing which apply to your business and how to incorporate them within your policy helps you to understand whether or not your organization is meeting compliance regulations. This also mitigates risk to the fullest extent should a breach occur. 

4. Wage and Hour Law 

Mobile devices have made it easier for end-users to work from anywhere and at any time. With the Department of Labor rule change to extend overtime protections to nearly 5 million workers, you will need a policy in place to determine when it is permissible for a non-exempt employee to use his/her phone for work outside normal business hours. The rule, which goes into effect on December 1, 2016, will guarantee overtime pay to most salaried workers earning less than $47,476/year. 

5. Litigation and Discovery

If there is pending litigation, you are required to preserve any related business data even if it is on employee devices. Consider to what extent you would need to limit the amount of data stored on BYOD devices and have policies in place to clearly define your right to access the employee-owned device.


MDM policies are put into place to protect the organization's data as well as the employee's privacy. Whether you are supplying devices to your employees, or allowing them to use their own, first draft a policy that encompasses end user stipulations, rights, and organizational rules. 

To speak to a Systems Engineering representative about Mobile Device Management, email info@syseng.com, or call 888.624.6737.

Elek Miller is an Attorney at Drummond Woodsum practicing in the areas of intellectual property and technology, labor and employment, and general school law. He is a frequent presenter at conferences and events related to privacy and data security.