How to Implement a Device Policy for Your Law Firm

Graphic shows device policy in place on a lawyer's mobile phone

When it comes to enabling your law firm and staff with technology, it’s best to get a device policy in place sooner than later. Without one, it becomes an arduous task managing whose device has access to what firm information, and what to do if one gets lost.

There are a number of options when it comes to device policies, but by far, the two most viable options for law firms are Bring Your Own Device Policies (BYOD) and Corporate Owned, Personally Enabled (COPE). In this post, we’ll have a look at the advantages and disadvantages to each device policy, so that you can get started on implementing one for your firm sooner than later.

We all have device preferences

Most skilled professionals develop an affection, or even a cult-like obsession, with the tools of their trade. A surgeon might prefer a certain type of scalpel, scrub cap, or brand of suture. A carpenter likely prefers a certain line or brand of tools.

For lawyers, considering how much time we spend on our laptops and smartphones, we likely have a preference (or demand) for tech goodies as well. Me? Not an Apple person. And though I tolerate iOS on a corporate device, my personal phone runs Google’s Android OS. Every other smartphone I’ve tried has fallen short. Talk to any group of lawyers at a conference, or even a social media group, and most will agree: they probably have a laptop, tablet, or smartphone they cannot live without.

So what’s a law firm to do when evaluating device policies for their staff? There are really only two options: COPE with their preferences or invite them to BYOD.

We need our devices, and policies to go with them

Think this whole device discussion is no big deal? Think again. Smartphones are so ubiquitous that a recent survey by Pew Global found that 81% of U.S. respondents reported owning a smartphone. In the same survey results, Canadians are a little less crazy about their devices, but only by a little at 66% report owning a smartphone.

It’s not just that we own these devices either—recent research shows that we spend more than four hours per day on our smartphones. With that level of dedication, it’s no wonder that employees will have a strong preference for which device they’ll use at work. These preferences can, and should affect what type of device policy you adopt at your firm.

COPE means more shopping

What does COPE stand for? Corporate-owned, personally-enabled. In the world of law firms, this means the firm provides a laptop and smartphone to the employee, who is then free to use said devices as he or she sees fit. This is how many companies and firms have always operated.

For today’s firms, COPE is still a great policy, but there’s still the question of how to account for employee preferences when it comes to the type of devices they get. Many firms end up offering a menu of device options.

The obvious downside to a COPE device policy is cost. And though firms have traditionally shouldered the cost, they may think twice in light of today’s trend toward allowing employees to use their personal devices for work matters.

BYOD means work’s never stopping

A rising trend among employers is to implement a Bring Your Own Device (BYOD) policy—rather than expect staff to rely on a company-issued laptop or smartphone they may hate. There are a lot of upsides to BYOD programs: cost (free, though increased IT support is often necessary), employee happiness, and increased productivity due to employees’ familiarity with the tools.

Of course, if you’re like me, your mind is immediately swimming with catastrophes: personal devices are inherently less secure. Do you, for example, want employees bringing viruses to the company network? And what about lost devices—would the responsibility fall on the company or the individual to replace the device, and at what cost?

The fact is that there are countless legal issues that can arise. If the employee is non-exempt, they are more likely to access work after hours if emails are pinging them on a personal device that stays glued to their hand. Without a policy in place, this could put you on the hook for overtime or exposed to wage claims.

Get employee feedback before drafting your policies

Whether you provide a device, or an employee brings their own, your firm’s data will reside on it. And that means big concerns with regards to security and protecting client data. The good news is that countless law firms and businesses manage to handle these same issues—and so can you.

Before implementing a device policy, start by discussing key staff members. If your firm is large, these key members might be senior attorneys, paralegals, and the IT staff. Get their input on whether they’d prefer a COPE or BYOD plan. Discuss openly the concerns about security, staff members’ needs for software, and any limitations you may want to apply to devices—such as the inability to access certain sites while on the firm’s network.

Draft a realistic, living device policy

Once you have the input of your employees, it is time to take your needs and budget into consideration. Depending on your budget, you may not be able to provide the sort of devices employees demand—especially those who need the latest technology. If employees need the newest devices, BYOD might be your answer. On the other hand, employees might prefer to keep their work and personal lives separate, in which case a COPE device policy is a better strategy.

BYOD or COPE, draft a plan that you can live with and that employees will follow. You can’t, for instance, block every website except Fastcase. Your device policy should set clear rules on what is prohibited, what data on the devices your company may access, and what will happen if a device is lost or stolen—or if an employee leaves the company. (Answer: You’ll likely want to wipe the device, which simply requires mobile device management software.)

Put the policy in writing and make sure employees understand it before signing. Then, as issues arise and technology changes, remember to revisit the policy for changes, as needed.

What to include in a BYOD or COPE device policy

Obviously, you’ll want to restrict some apps and websites, especially on COPE devices. BYOD demands a little more leeway.

But it isn’t just about what apps and sites they visit: it is also about how they connect. For any access to private data, staff should be trained to use a VPN or a trusted WiFi network. If your employees aren’t careful, client data is what will get compromised.

Your device policy should also disclose what data you’ll be monitoring, if any. At a minimum, your IT staff will likely want to install mobile device management (MDM) software on the users’ devices so that the devices can be wiped in part, or in whole, if an employee leaves, or if they simply lose the device. MDM software can be used to see what users are doing on their devices, so it is important to be clear with your employees how far the software is set up to probe.

Another interesting point, brought up at the National Law Review, is discovery pursuant to litigation. This gets especially tricky if your firm employs a BYOD policy: It is absolutely the case that a court can order your employees to turn over personal devices, if those devices are likely to contain company information relevant to the litigation. Given how much personal data is on our phones, that is a concern for both you and the employee. Consider addressing this possibility in your BYOD or COPE policy and in discussions with employees when brainstorming your policy.

Finally, what about the bill? I’m not talking about paying for the device, but the service. For BYOD policies, the employee is likely providing the device and has a cell service plan in place as well. Should you cover part, or all, of the employee’s data plan? This will likely come down to your budget and the nature of the employment market you operate within—it might be worthwhile to pay for a few perks if it means keeping your staff around.

Some other things to consider addressing in you device policy:

  • Phone and laptop encryption, a strong password policy, and two-factor authentication wherever possible
  • Back-up data to Clio, OneDrive, or another cloud-computing solution—and preferably on a secure, company-owned account
  • Put a plan in place for loss or theft of devices: Reporting to the firm, freezing of the cell service, and remote wiping of the device are common steps

BYOD, CYOD, COPE, COBE: Whatever the acronym, get a policy in place

Bring Your Own Device. Choose Your Own Device. Corporate-owned, personally-enabled. Company-owned, business-only. Acronyms are as plentiful as the possibilities for your law firm’s technology policy.

And whether you choose to provide devices, or invite employees to provide their own, the time you spend waiting to address the issue with your staff through open discussions and a written policy is time you spend exposed to data breaches, employee wage and hour claims, and more. Smartphones and laptops aren’t going anywhere, so the time to deal with the issue and get a policy in place is now.

Law firm technology is changing

With the right tools, your firm can run efficiently so you can focus on what matters most. Learn more in our free guide, Why Law Firms Are Moving to the Cloud

Get the Guide

Categorized in: Technology