Does your law firm have a device policy?
A device policy is essential for any law firm—and it’s best done sooner rather than later. Without one, it becomes an arduous task to manage whose device has access to what firm information or, even worse, to decide what to do if a device is lost or stolen.
There are a number of options when it comes to device policies. By far, the two most viable ones for law firms are:
- Bring Your Own Device Policies (BYOD); and
- Corporate Owned, Personally Enabled (COPE).
In this post, we’ll look at the advantages and disadvantages of these two policies, so that you can get started on implementing one for your firm.
We all have device preferences
Most skilled professionals develop an affection for, or even a cult-like obsession with, the tools of their trade. A surgeon might prefer a specific type of scalpel. A carpenter likely prefers a certain brand of tools. A lawyer, considering how much time is spent online, no doubt has a preference for tech goodies.
Ask any group of lawyers at a conference, and most will agree: they have a laptop, tablet, or smartphone they simply can’t live without.
So, what’s a law firm to do when evaluating device policies for their staff? There are two options:
- COPE with their preferences
- Invite them to BYOD
We’ll explore each one in more detail.
Two different types of device policies
Research shows that nearly half of respondents surveyed spend an average of five to six hours on their phones each day (outside of work-related use), with another 22% spending three to four hours. It’s no wonder that employees have strong preferences for the devices they use at work.
These preferences can and should affect what type of device policy you adopt at your law firm.
Device policy #1: COPE
COPE stands for corporate-owned, personally-enabled.
In the world of law firms, this means the firm provides a laptop and smartphone to the employee, who is then free to use said devices as they see fit. This is how many companies and firms have always operated.
COPE is a great policy. Yet, there’s the question of how to account for employee preferences when it comes to the type of devices they get. To overcome this barrier, many firms end up offering a menu of device options.
The obvious downside to a COPE device policy is cost. Though firms have traditionally footed the bill, today’s trend toward allowing employees to use their personal devices for work matters may look appealing.
Device policy #2: BYOD
A rising trend among employers is to implement a Bring Your Own Device (BYOD) policy—rather than expect staff to rely on a company-issued laptop or smartphone they may dislike.
There are a lot of upsides to BYOD programs, including:
- Cost (it’s free, though more IT support is often necessary)
- Employee happiness and satisfaction
- Increased productivity due to familiarity with the tools
Of course, personal devices are inherently less secure.
Do you, for example, want to risk employees bringing viruses to the company network? And what about lost devices—would the responsibility fall on the company or the individual to replace the device, and at what cost?
There are a host of legal issues that can arise. If the employee is non-exempt, they are more likely to access work after hours if emails are pinging them on a personal device that stays glued to their hand. Without a policy in place, this could put you on the hook for overtime or expose you to wage claims.
Get employee feedback before drafting your policies
The good news? Countless law firms and businesses manage to successfully handle these same issues—and so can you.
Before implementing a law firm device policy, discuss it with key staff members to get their input. This might be senior attorneys, paralegals, office managers, administrators, and IT staff, if your firm is large.
To decide on the right device plan, make sure to touch on:
- Concerns about security
- Staff members’ needs for software
- Any limitations you may want to apply to devices—such as the inability to access certain sites while on the firm’s network
Draft a realistic, living device policy
Once you have the input of everyone at your firm, it’s time to take your needs and financials into consideration. Depending on your budget, you may not be able to provide the sort of devices employees demand—especially those who want the latest technology.
If employees need the newest devices, BYOD might be your answer. On the other hand, employees might prefer to keep their work and personal lives separate, in which case a COPE device policy is a better strategy.
No matter the option you choose, the next step is to draft a plan that you can live with and that employees will follow. Your firm’s device policy should:
- Set clear rules on what is prohibited
- Outline what data on the devices your company may access
- Highlight what happens if a device is lost or stolen—or an employee leaves
When it comes to the last point, you’ll likely want to wipe the device, which simply requires mobile device management software.
Next, put the policy in writing and make sure employees understand it before signing. As issues arise and technology changes, remember to revisit and update the policy as needed.
What to include in a BYOD or COPE device policy
Obviously, you’ll want to restrict some apps and websites, especially on COPE devices. But BYOD demands a little more leeway.
It isn’t just about what apps and sites they visit—it’s also about how they connect.
How employees should access private data
Staff should be trained to use a VPN or a trusted Wi-Fi network to access any sensitive data. If your employees aren’t careful, client data may get compromised. The American Bar Association found that 25% of respondents had experienced a data breach at some point.
Your device policy should also disclose what data you’ll be monitoring, if any.
At a minimum, you’ll likely want to install mobile device management (MDM) software so that devices can be wiped if an employee leaves or loses a device. MDM software can see what users are doing on their devices, so it’s important to be clear with employees on how far the software is set up to probe.
What to do if a device is requested for discovery or subpoenaed
An interesting point, brought up at the National Law Review, is discovery pursuant to litigation. This gets especially tricky if your firm employs a BYOD policy. That’s because courts can order your employees to turn over personal devices, if they’re likely to contain company information relevant to the litigation.
Given how much personal data is on our phones, that’s a concern for you and the employee. Consider addressing this possibility in your BYOD or COPE policy and in discussions with employees when brainstorming your policy.
What costs the firm will cover
Who pays the bills? We’re not talking about the device itself, but the service.
For BYOD policies, the employee is using their own device and has a cell service plan in place as well. Should you cover part, or all, of the employee’s data plan? Your decision will likely come down to your budget and the nature of the employment market you operate within. It might be worthwhile to pay for a few perks if it means keeping your staff around.
Some other things to consider addressing in your device policy:
- Encrypting your phone and laptop if they aren’t encrypted by default
- Enforcing a strong password policy and two-factor authentication wherever possible
- Backing up data to Clio, OneDrive, or another cloud-computing solution—preferably on a secure, company-owned account
- Putting a plan in place for loss or theft of devices: Reporting to the firm, freezing the cell service, and remotely wiping the device are common steps
BYOD or COPE: Whatever the acronym, get a policy in place
The time you spend waiting to define a device policy with your staff through open discussions and written documentation is time you spend exposed to data breaches, employee wage and hour claims, and more. Smartphones and laptops aren’t going anywhere, so the time to deal with the issue and get a policy in place is now.