Premature resignation of employees participating in the program.
One of the first challenges i had to tackle while writing the plan to implement an employee-owned device program at my company. This was particularly going to be a problem when it came to the "Buy" version of BYOD. Take in mind the following scenario: One of your employees signs up to take part in your BYOD program and gets the standard stipend to buy his employee-owned notebook. Let's say your agreed stipend would be €1500,- for the device plus 3 years of OEM. The employee decides to buy a high-end €2000,- device. After a year, your employee suddenly resigns. He signed up for the 3 year program and you basically just lost a big sum of money your employee spent on the device. You also can't claim the notebook, because of it being your employees personal possession now (take in mind he spent €500,- on it himself too). The way Citrix dealt with this issue, was to retract the remaining amount spent on the device (pro rata) from the employee's last salary. Which sounds like a good solution, when you lives in America. In my current country of residence, this turned out to be much more tricky because of the way our law works. However it seemed possible in the end, it's really something to look into, and take up clearly in the BYOD contract which you sign two-ways before your employee enters the program.
How to deal with theft, damage or accidental loss of devices?
This question is more of an insurance problem than it really is a law-related issue. An important thing to look in to is how your company's insurance looks at devices that aren't company-owned. What if for example a fire breaks out in your office building, damaging a lot of property. Or what about burglary or other potential risks that are usually unforeseen. In the regular situation, insurance would probably cover at least part of the damage. But will this also be the case in a BYOD situation?
How about liability and responsibility when it comes to unwanted data and security risks?
When talking about BYOD, this is a subject that comes up often as a flaw in the concept. People often tell me an employee-owned device program increases the risks on bringing in illegal or malicious software and other unwanted data within your company's network. To a certain degree, they are probably right. Because devices are now used for both business and personal use, it does add a certain risk factor. But that doesn't necessarily mean that nothing can be done here. Other than technical measures (security, security, security), there are options in the legal part too. Something to take up in the contract would be for example rules against illegal software, music and movies. Other than that, employees can be required to meet a certain standard of security on their devices (think about encryption, anti-virus, updates, password requirements). Fact does remain that things like this can be difficult to enforce and control.
Business critical information
Nowadays, it has become quite normal for people to receive e-mail on not just notebooks, but also their smartphones. When an employee leaves your company, in many cases there is still a lot of company critical information saved on the mobile device. The same happens when a phone or notebook gets stolen or goes missing. There's definitely a risk of this information hitting the streets. At least in Dutch law, it states that by no means, companies are allowed to (remotely) erase data from an employee's personal device, even when the employee is resigning. Situations like this should be taken into account when you start forming the rules and contracts of your program.