Employers should have appropriate policies and controls in place if they allow workers to bring their personal mobile devices to the office.

A first step to consider is why employers want to introduce a bring-your-own-device policy, and that can shape its provisions, experts say.

Aaron K. Tantleff, senior counsel with Foley & Lardner L.L.P. in Chicago, said, “You have to think about how you want to do it,” because some companies implement such policies to save money, while for others it is a recruiting tool or implemented for retention purposes.

While a policy for bringing personal smartphones and electronic tablets to work can be cost-effective, it also can be more expensive than not having one, depending on how the devices are supported. Companies also must determine who falls under the policy. While some firms allow anyone to bring their own devices to work, others do not allow workers who have access to restricted or confidential information, such as those in legal or human resources departments, he said.

Employers must be sure not to sacrifice control, said Jonathan T. Hyman, a partner with Kohrman Jackson & Krantz P.L.L. in Cleveland. “It might be something as simple as making sure a company retains the ability to remote-wipe the device if it's lost or stolen,” he said.

Philip L. Gordon, a shareholder with Littler Mendelson P.C. in Denver, said there are “virtual sandboxes” available that create a space within a personal device for encrypted corporate data and applications that have a separate password from the rest of the device.

%%BREAK%%

If an employee leaves the company or the device is lost or stolen, “that separate space can be removed from the device without having an impact on any of the nonbusiness information on the device,” Mr. Gordon said.

“Put employees on notice upfront that participation in the program is a privilege, not a right, and that, in order to enjoy the privilege, they need to agree to have” security controls installed on their personal devices to conduct company business or while on company premises, he said.

Employers also should require that the devices connecting to their networks meet certain criteria, such as having virus protection or that access is password-controlled, Mr. Tantleff said.

Company policies must be thoughtful, Mr. Tantleff said. If the policy is overly restrictive, “your employees will find ways to violate it.”

Peter S. Vogel, a partner with Gardere Wynne Sewell L.L.P. in Dallas, said many companies offer a stipend for part of the cost of employees' personal devices. If employees accept, “then it creates a different contractual obligation” enabling the firm to exercise more control, he said.