Drafting BYOD policies can be like having your lawyer write a prenuptial agreement for your fiancée to sign. It takes away some of the excitement of getting married and forces you to think about situations that you want ignore because they seem so unlikely and unpleasant. Many people who've gone through an ugly divorce without a prenup, however, will often tell you how much they wished they'd had one.
The same thing is true with BYOD policies. You don't want to think about all the ways that a BYOD program could lead to unanswered questions of liability or how certain violations will be handled, but it needs to be done.
Most BYOD policies focus on informing users what security tools need to be installed on their devices, which mobile management policies will restrict certain functionality, and how they're allowed to connect to corporate resources while in the office, at home, or in an airport waiting area. Those types of policies are important, which is why they get discussed often in IT consumerization circles.
There are, however, some topics that don't get addressed as often. For instance, what happens if a user's Android smartphone and iPad are stolen while she is attending a conference?
That situation brings up a host of issues that need to be addressed by a BYOD policy. IT needs to be notified so that the devices can be wiped - hopefully before the thief has a chance to access any business data on the devices. That addresses the immediate crisis, but what happens next?
She's still on the road, possibly abroad. In today's world, it's conceivable that she didn't bother to pack a laptop because she didn't see the need. How is she going to get work done at the conference?
She could buy a replacement device, but will that expense be her responsibility? Or should she be reimbursed for the cost since it was a business need at the time? Or should the company pay to overnight a company laptop to her?
More importantly, what happens when she gets home? Does the cost of replacing the Android phone and iPad fall on her shoulders alone? Should the company help offset the cost or even make the purchase for her? If she had just upgraded her phone, it might be cost prohibitive for her to buy an exact replacement, which might leave her choosing a less capable handset - and possibly a less secure or manageable one.
Looking at this hypothetical but completely realistic scenario, the solution seems easy to write into a BYOD policy - employees participating in the BYOD program need to purchase some form of insurance for their devices and submit proof of that insurance before they can enroll their device and access any corporate systems.
The type of insurance doesn't even really matter. It could an add-on to an umbrella policy for home, car, and life insurance. It could be a policy from a company like Safeware that specializes in insuring personal technology, most notably mobile devices. It could be a month-to-month add-on offered by the employee's mobile carrier. It shouldn't include extended warranties Apple's AppleCare Plus, however, as they only cover repair or replacement of damaged devices and don't address lost or stolen devices.
The point is that the policy ensures that each employee will be able to replace a lost, stolen, or damaged device used for work.
That solves the larger issue. Depending on where an employee is working when such a catastrophe strikes, it could even resolve the immediate issue. But having a contingency option already planned out in case such a resolution is also important.
Is this the only such scenario that needs to be considered? Not by a long shot, but thinking in these terms can help you identify similar challenges, consider the ways a policy requirement can prevent or mitigate them, and ultimately create a more solid framework ... even if you don't want to think about a catastrophic event occurring.